Credential stuffing is a form of cyber attack in which the criminal takes usernames and passwords collected from previous breaches and replays them against other sites to gain fraudulent access to user accounts. Over the years, cybercriminals have amassed billions of login credentials from data breaches, and they use them for spam, phishing, and account takeovers. Credential stuffing has become one of the most common ways accounts are taken over.
In this kind of attack the cybercriminal does not guess passwords, as in a brute-force attack, but submits a list of known valid username and password pairs obtained from previous breaches. Such attacks are more likely to succeed and easier to perform than guessing. Because many people reuse the same password across different websites, an attacker can steal credentials from a low-profile site and use them to log in to higher-profile sites that hold sensitive data.
Stolen credential lists and specialized tooling are sold openly, which is what makes automated credential stuffing attacks both cheap and effective. Cybercriminals merge credentials gathered from many different breaches into "combo lists" of username (or email) and password pairs. Launching a credential stuffing attack requires little effort, skill, or knowledge.
How to detect and mitigate credential stuffing attacks
Cybercriminals launch these attacks through botnets and automated tools that support the use of proxies, so the attempts arrive from many different IP addresses rather than a single one. The attackers configure their tools to mimic legitimate user agents and ordinary browser behaviour, so the traffic appears to come from trusted users and sites. This makes it difficult for defenders to distinguish attack traffic from legitimate login attempts.
The risk is higher on high-traffic websites, where a sudden wave of login requests does not look unusual. Because most entries in a combo list do not belong to valid accounts on the targeted site, a sharp rise in the login failure rate over a short period is a strong indication that a credential stuffing attack is in progress, as is a single source attempting logins for many different usernames.
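The two detection signals described above, as an added example that is not code from the original article. It runs over a constructed authentication log whose line format (timestamp, source IP, username, result, quoted user agent) and all thresholds are assumptions for this example; the user agent is parsed but deliberately not used as a signal, since the article notes attackers spoof it.

```python
"""Spot credential stuffing in an authentication log.

Added example, not code from the original article. It runs over a
constructed log whose format is assumed to be
    <ISO-8601 timestamp> <source IP> <username> <success|failure> "<user agent>"
and flags two signals the article describes: a spike in the login failure
rate within a short window, and one source IP cycling through many distinct
usernames. Thresholds are illustrative and must be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300           # 5-minute buckets
MIN_ATTEMPTS_PER_WINDOW = 20   # ignore windows too quiet to judge a rate
FAILURE_RATE_THRESHOLD = 0.8   # >= 80 % failures in a busy window is suspicious
DISTINCT_USERS_PER_IP = 10     # one IP trying this many accounts is spraying

# Attackers spoof the user agent to look like a real browser (see article),
# so the UA string is parsed but deliberately not used as a detection signal.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"

# Constructed sample: three ordinary logins, then a burst of 30 failures in
# which two proxy IPs alternate through 30 different usernames.
NORMAL_LINES = [
    f'2024-03-01T10:00:01Z 203.0.113.5 alice success "{BROWSER_UA}"',
    f'2024-03-01T10:00:09Z 198.51.100.7 bob failure "{BROWSER_UA}"',
    f'2024-03-01T10:00:15Z 198.51.100.7 bob success "{BROWSER_UA}"',
]
STUFFING_LINES = [
    f'2024-03-01T10:05:{i:02d}Z 192.0.2.{10 + i % 2} user{i:02d} failure "{BROWSER_UA}"'
    for i in range(30)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + STUFFING_LINES)


def parse_line(line):
    """Parse one log line into a dict; the UA is the quoted remainder."""
    ts, ip, user, result, ua = line.split(" ", 4)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": when, "ip": ip, "user": user, "ok": result == "success",
            "ua": ua.strip('"')}


def load_events(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failure_rate_by_window(events, window=WINDOW_SECONDS):
    """Bucket events into fixed windows; return {window_start_epoch: (failures, total)}."""
    buckets = defaultdict(lambda: [0, 0])
    for e in events:
        epoch = int(e["ts"].timestamp())
        start = epoch - epoch % window
        buckets[start][1] += 1
        if not e["ok"]:
            buckets[start][0] += 1
    return {k: tuple(v) for k, v in buckets.items()}


def distinct_users_by_ip(events):
    """Count how many different usernames each source IP attempted."""
    users = defaultdict(set)
    for e in events:
        users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items()}


def detect(events):
    """Return a list of (signal, detail) alerts for the two stuffing signals."""
    alerts = []
    for start, (failures, total) in sorted(failure_rate_by_window(events).items()):
        if total >= MIN_ATTEMPTS_PER_WINDOW and failures / total >= FAILURE_RATE_THRESHOLD:
            when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
            alerts.append(("failure_spike", f"{when}: {failures}/{total} logins failed"))
    for ip, count in sorted(distinct_users_by_ip(events).items()):
        if count >= DISTINCT_USERS_PER_IP:
            alerts.append(("ip_spray", f"{ip} tried {count} distinct usernames"))
    return alerts


if __name__ == "__main__":
    for signal, detail in detect(load_events(SAMPLE_LOG)):
        print(f"[{signal}] {detail}")
```

On the constructed sample the first window (three logins, one failure) is too quiet to judge and is ignored, while the burst window trips the failure-rate signal and both proxy IPs trip the username-spray signal. In production the failure-rate check is best computed against a baseline for that time of day, since high-traffic sites always carry some background of typos.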
Firms should add multi-factor authentication (MFA) to their security process. With MFA in place, a replayed username and password is no longer enough to take over an account, so the attacker has to do far more work per account and the attack can no longer be pulled off en masse. Firms should make MFA mandatory for all user accounts where possible, and at the very least enable it for users determined to be at higher risk.
Large companies monitor public data dumps and check whether the impacted email addresses exist in their own systems; where they do, they should force a password reset and strongly suggest enabling MFA.
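The dump cross-check above, as an added example that is not code from the original article. It goes one step beyond the text: besides flagging accounts whose email appears in a dump, it checks whether the leaked password is the one still set on the account, which is the exact case a stuffing attack would exploit. The combo-list format, the user store, its PBKDF2 hashing scheme and the action names are all assumptions constructed for this example.

```python
"""Cross-check a public credential dump against the local user base.

Added example, not code from the original article. Assumptions (all
constructed for this example): the dump is an "email:password" combo list,
and the user store holds PBKDF2-HMAC-SHA256 hashes with a per-user random
salt. Accounts whose leaked password still verifies get a forced reset;
accounts merely present in the dump get a notification and an MFA nudge.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # kept modest so the example runs quickly


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password):
    """Create a stored-credential record as a user store would hold it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "iterations": PBKDF2_ITERATIONS}


def verify(password, record):
    """Constant-time comparison of a candidate password against a stored record."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def normalise_email(email):
    return email.strip().lower()


def triage_dump(dump_lines, user_store):
    """Map each affected local account to an action.

    'force_reset'        - the leaked password still works on our account
    'notify_suggest_mfa' - the email is in the dump but the password differs
    Accounts not in the dump are omitted. A later matching entry upgrades a
    notification to a forced reset, never the other way round.
    """
    actions = {}
    for raw in dump_lines:
        email, sep, leaked_pw = raw.rstrip("\n").partition(":")
        if not sep:
            continue                     # malformed line, no password part
        email = normalise_email(email)
        record = user_store.get(email)
        if record is None:
            continue                     # not one of our users
        if verify(leaked_pw, record):
            actions[email] = "force_reset"
        elif actions.get(email) != "force_reset":
            actions[email] = "notify_suggest_mfa"
    return actions


# Constructed local user store: the plaintext is used only to build the hashes.
USER_STORE = {
    "alice@example.com": make_record("Summer2023!"),   # reuses the leaked password
    "bob@example.com": make_record("correct horse battery staple"),
    "carol@example.com": make_record("Tr0ub4dor&3"),
}

# Constructed combo list in the form a public dump would take.
DUMP_LINES = [
    "Alice@Example.com:Summer2023!",
    "bob@example.com:bob1234",
    "mallory@other.test:hunter2",
    "garbage line without separator",
]


def main():
    for email, action in sorted(triage_dump(DUMP_LINES, USER_STORE).items()):
        print(f"{email}: {action}")


if __name__ == "__main__":
    main()
```

Email addresses are normalised before lookup because dumps rarely preserve the casing a user registered with, and the hash comparison uses hmac.compare_digest so the check itself does not leak timing information about stored hashes.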
Firms should train their employees about password hygiene and cyber attacks. Password reuse is what makes credential stuffing work, so it is vital to discourage users from reusing a password across services. The use of password managers to generate unique, complex passwords should be encouraged within firms.