Imagine: one day, you find yourself locked out of all your accounts. Netflix, Facebook, Uber are all blocked. Someone is making expensive purchases from your Amazon wallet. You realize that you used the same username and password for all these accounts. You have just fallen for a credential stuffing attack.
Credential stuffing is a cyberattack where hackers use breached usernames and passwords to access victims’ accounts. They obtain credentials either by purchasing them on the dark web, accessing leaked databases (you can check whether your password is known to have been breached here), or employing social engineering techniques.
Hackers then try these credentials to access various apps or sites. Once they break in, they can do all kinds of criminal activities with your sensitive data: sell it, hold it for ransom, or just use it for their own needs.
Credential stuffing might be compared to a brute force attack, but it’s not exactly the same. Even though both attacks stuff login credentials on multiple accounts until they succeed, the main difference is that in brute force attacks hackers generate passwords themselves. In credential stuffing, data is taken from other sources.
Let's say you use a car-share app that you log into with your email and password. However, you use the same credentials on other apps; you just find it too difficult to remember different passwords for all of them. The app experiences a data leak due to poor security measures. Your credentials end up in a database obtained by hackers. They can now use that data to get into your car-share app. Later they will stumble upon other apps and will hack them too.
Trying multiple login credentials on an endless number of websites can be tedious. Therefore, to maximize the success rate of these attacks, hackers don’t do the dirty work themselves. They employ botnets.
Imagine you find someone’s keys on the street. It would be quite challenging to try it on every door in the city. But if you employ a robot to automate this process, you will increase the scale and speed of the attack. The chances of hitting the jackpot will be way higher.
A credential stuffing attack can cause a great deal of damage for you or your company. Businesses lose millions every year due to these attacks, while private users experience a great deal of financial and emotional distress. Here are a few tips on how to avoid falling for a credential stuffing attack:
To learn more about cybersecurity, subscribe to our monthly blog newsletter below!