Your reused logins are putting you at risk for this new cyberattack
Credential stuffing is an emerging form of cyber threat that is increasingly popular with attackers. Big companies like Spotify and the North Face have fallen victim to credential stuffing. In 2020, up to 350,000 Spotify accounts were hacked and the North Face’s customer base had their sensitive information such as names, birthdays, telephone numbers, billing and shipping addresses leaked.
How Do Credential Stuffing Attacks Work?
- Attackers first obtain leaked user logins from the numerous data breach websites available online.
- The attacker downloads automated credential stuffing tools and loads the stolen credentials against other websites (such as e-commerce sites and social media platforms).
- Credential stuffing attacks succeed against users who reuse the same username and password combination across multiple websites. After breaching an account, the attacker takes it over.
How Severe are Credential Stuffing Attacks?
The chances of a credential stuffing attack succeeding are relatively low, with attackers seeing up to a 2% success rate in gaining access to an account. However, a successful attack is potent. The attacks are capable of stealing valuable information such as credit card details or personal particulars. For companies, it can be very damaging to finances, reputation and relationships with clients.
Credential stuffing attacks are also not a one-time event. With many users using the same login details for multiple services, the stolen credentials can be tried on other platforms. This boosts the risk of attackers taking over users’ accounts, increasing the damage to individuals and organisations.
How Can You Prevent Credential Stuffing Attacks?
- Use unique passwords and implement 2FA: Use different and complex passwords for each platform. Passwords should be at least 8 characters long and contain a combination of lowercase, uppercase and special characters. Where available, two-factor authentication (2FA) should be activated. This prevents attackers from exploiting your reused logins to hack into other accounts.
- Use CAPTCHAs: CAPTCHAs are used to differentiate between human users and bots. They range from identifying letters to solving puzzles. This is an effective solution to prevent automated credential stuffing attacks from achieving scale.
- Install a bot management program: Once detected, malicious bots are blocked from attacking the website. Web application security platforms such as Polaris provide automated web traffic scanning, analyse bot behaviour specific to your web traffic and block malicious bots from attacking your website.
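As an added illustration of the detection side (this code is not from the original article, and the log format, IP addresses and log entries are constructed for the example), a small Python detector that flags the stuffing signature described above: one client trying many different accounts in a short window with a low success rate, while a single user who repeatedly mistypes their own password is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format and sample lines are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

SAMPLE_LOG = """\
2024-01-10T09:00:01 ip=203.0.113.7 user=alice result=fail
2024-01-10T09:00:02 ip=203.0.113.7 user=bob result=fail
2024-01-10T09:00:02 ip=203.0.113.7 user=carol result=fail
2024-01-10T09:00:03 ip=203.0.113.7 user=dave result=fail
2024-01-10T09:00:03 ip=203.0.113.7 user=erin result=ok
2024-01-10T09:00:04 ip=203.0.113.7 user=frank result=fail
2024-01-10T09:00:05 ip=198.51.100.2 user=gina result=fail
2024-01-10T09:00:09 ip=198.51.100.2 user=gina result=fail
2024-01-10T09:00:20 ip=198.51.100.2 user=gina result=ok
"""

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                   m["result"] == "ok")

def detect_stuffing(text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.2):
    """Return {ip: (distinct_users, attempts, successes)} for clients that,
    inside any window-sized span, tried at least min_users distinct accounts
    with a success rate at or below max_success_rate. One user failing
    repeatedly (a forgotten password) is deliberately NOT flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()                      # oldest first
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged[ip] = (len(users), len(span), successes)
                break                      # one hit per client is enough
    return flagged
```

Thresholds are assumptions to tune per site; lowering the window and raising `min_users` trades sensitivity for fewer false positives on shared NAT addresses.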