According to the Open Web Application Security Project (OWASP), credential stuffing is defined as a type of cyber attack where stolen account credentials typically consisting of usernames, email addresses and/or the corresponding passwords are used to gain unauthorized access to user accounts. The term was originally coined by Shape Security co-founder Sumit Aarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon.
This hacker technique is widely and increasingly used and has become a serious threat to online services. Most recently, companies such as Nest, Dunkin’ Donuts and OkCupid have all had users fall victim to credential stuffing attacks.
Hackers will take a large collection of usernames and passwords and try to “stuff” those credentials into the login page of other digital services. One trend has fueled a recent rise in successful campaigns. Hackers are posting larger, more accumulated credential collections that comprise multiple data breaches. One of the most notable examples is known as Collection #1-5, that totaled 2.2 billion unique usernames and passwords, all available to download for free.
Credential stuffing is made possible because most people reuse the same username and password across multiple websites. This means that hackers can often use one piece of credential information to unlock multiple accounts. Additionally, most people don’t change their passwords regularly, so even older credential dumps can be used with relative success.
Most credential stuffing uses information obtained from a major data breach and relies heavily on automation. Hackers aren’t typing in millions of credential pairs across hundreds of websites by hand. Instead, they use credential stuffing tools, available on malicious platforms, to bounce the requests around the web and make them look like they’re coming from different IP addresses. Hackers can also manipulate properties of the login requests to make it appear as if they are coming from multiple browsers because most websites will flag large amounts of traffic coming from the same type of browser as suspicious.
From their 2018 Credential Spill Report, Shape Security estimates that a criminal’s return on credential stuffing can be anything between 0.1 and 2 percent. This suggests that for every 1 million stolen credentials used by criminals, an average of 10,000 accounts could be accessed because of reused passwords. Therefore, hackers need millions of credential pairs to make credential stuffing attacks worth it. And once they’ve gotten into some accounts, criminals will still need a way to monetize what they find there – either by stealing more personal data, money, gift card balances, or credit card numbers.
So, what can you do to help protect yourself from a credential stuffing attack? First, it’s important to pay attention to when major data breaches occur. If you have an account with a company that experiences a data breach, change your password as soon as possible. If you use the same username and password combination for other accounts, make sure to change those passwords as well.
In addition, BBB offers the following advice for creating a strong password:
- Don’t make your passwords easy to guess. A strong password has at least twelve characters, mixed with uppercase and lowercase letters, numbers, and Commonly used passwords are your pet’s name, your mother’s maiden name, the town you grew up in, your birthday, your anniversary, etc. Surprisingly, the answers to these common passwords can typically be found online.
- Make them creative. Running low on creative ideas for different passwords? Try using song lyrics. Not only is it basically impossible for hackers to guess what song you are using, but it’s also even harder for them to guess which lyrics you’re using on top of that.
- Use a “passphrase”. Instead of using a single word, use a passphrase. Your phrase should be relatively long, around 20 characters, and include random words, numbers, and Something that you will be able to remember but others couldn’t come close to guessing.
- Use multiple passwords. Using different passwords for different accounts is also important. If hackers can figure out one password, even if its something harmless like your Instagram account, they then know the password to every single account you own. This includes websites you shop at, banking accounts, health insurance accounts, and email accounts.
- Turn on two-factor authentication. When it’s available make sure you’ve enabled multi-factor authentication, also known as two-factor authentication, on your accounts. This requires you to enter a second form of identification – such as a code texted to your phone in addition to your password, before accessing your account.
- Consider a password manager. Consider a reputable password manager to store your information. These easy-to-access apps store all your password information and security question answers in case you ever forget. However, don’t forget to use a strong password to secure the information within your password manager.