What is Credential Stuffing and why is it a problem for you?

Credential stuffing cyber attacks depend on one crucial mistake by the user – they just need to use the same password for two different services.

I was going to write a definition, but then I just got one from Wikipedia. It clearly explains the attack;

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. (Wikipedia. 2022)

Credential stuffing – Wikipedia

If your team reuses compromised passwords it can be a problem for you.

Is Credential Stuffing a Thing?

An article by Jonathan Greig about a credential stuffing attack on nearly one million active Norton LifeLock accounts (Greig. 2023) is the reason behind today’s topic. Norton LifeLock is a consumer cyber security service which among its services stores users’ passwords.

At the end of last year the identity and authentication firm Okta reported that 34% of all login attempts were malicious credential stuffing attacks. (Saeed. 2022).

So yes, credential stuffing is a thing.

Policies and Procedures

In our cyber security policy and those we write for our clients, we state clearly that people must not use passwords that they also use with other software or online services. (The attacks are run against online services, but the threat actors collect passwords and usernames from wherever they can get them.) We set up our systems so that passwords cannot be reused internally.

However, simply writing it down is not enough. We also explain the vulnerabilities that password reuse opens up. We find people on our course sit up and take notice when we move the conversation from work systems to a hacker getting into their bank or Amazon account.

So give me a fast solution to Credential Stuffing

I’ll give you two fast fixes for credential stuffing – although there are many – training and enforcing either Multi-factor Authentication (MFA) or where possible a passwordless token authentication.

Training is obvious and we can help with that, either in person, via a Teams meeting (which has the advantage that new starts can watch the recording) or using our online training service CyberAwake.

I have written about MFA previously here and here.

Passwordlessness is the subject of next week’s article.


Clive Catton MSc (Cyber Security) – 
by-line and other articles

References

Greig, J. (2023). Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks. The Record from Recorded Future News. Retrieved January 18, 2023, from https://therecord.media/norton-lifelock-says-925000-accounts-targeted-by-credential-stuffing-attacks/

Saeed, N. (2022). Top insights from our 2022 State of Secure Identity Report. Okta Auth0 Blog. Retrieved January 18, 2023, from https://auth0.com/blog/top-insights-from-our-2022-state-of-secure-identity-report/

Wikipedia. (2022). Credential stuffing. Wikipedia Foundation. Retrieved January 18, 2023, from https://en.wikipedia.org/wiki/Credential_stuffing

Further Reading

Something you know, something you have or something you are.

More on MFA and your risks when using it.

And a quick heads up on next week’s article:

FIDO – the new word in identity authentication.