Your data in plain sight – what is "credential stuffing"?
Author
Carolin Andree

In the latter half of the 1950s, the term "hacker" was first officially used. What began as a modest problem has since become more and more sophisticated and pernicious over the decades. These days, so-called "credential stuffing" has become the epitome of systematic data misuse. Cybercriminals not only use stolen information for their own nefarious schemes but also regularly use it as a lucrative source of income by reselling it on the black market.
One of the biggest problems is that web users opt for convenience over security, which plays right into the fraudsters' hands. Although security experts recommend generating a strong password with the help of a password manager, this is often not given enough consideration by users. But anyone who wants to protect themselves adequately these days needs more than just persistence, imagination and a good memory. This blog sheds some light on credential stuffing and reveals how you can help protect yourself and your company.
Credential stuffing: how brazenly cybercriminals go about it
For the sake of convenience, it is not uncommon for many users online to use the same password for their email accounts, for social media, and in the worst case, even for payment services such as PayPal. The origins of today's credential stuffing stem from this very problem. Once cybercriminals have managed to scam universal login data, it is easy for them to abuse it systematically and lucratively for their own purposes.
To achieve this, the attackers equip themselves with so-called combo lists. These address lists contain millions of active email addresses and are obtained via the darknet at bargain prices. The details of such combo lists originate from data leaks or previous cyberattacks.
With the help of automated bots, the information obtained is checked for login matches. The hackers usually choose a so-called brute force attack as their method. Secured access points, such as the login to an email account, are systematically broken by repeatedly entering password combinations. The bots quickly and inconspicuously work through endless lists of popular passwords. High computing power ensures that the attackers can check several million variants within a few hours. Simple, predictable passwords are therefore particularly vulnerable.
The effects of credential stuffing attacks
Using the credential stuffing method, hackers can find numerous login details in a very short time. They either use hits on active accounts themselves for their own purposes, or they sell the data to other cybercriminals via the darknet. These kinds of web attacks can have lasting effects on companies and organisations. In particular, damage caused by credential stuffing usually has an impact on three levels:
1. Economic losses due to credential stuffing
Companies have a duty to protect their customers from data misuse. If an attack is nevertheless detrimental to consumers, the company is liable. Numerous claims for reimbursement can be the result. Some affected companies have struggled for years due to the catastrophic economic impact, which has amounted to millions.
2. Damage to reputation due to credential stuffing
It is not only the direct effects of credential stuffing that companies suffer. There are also indirect consequences that endanger the livelihood of companies. A single careless password combination can make it necessary to rebuild customer relationships over a period of years and at an enormous cost.
3. Destructive data manipulation through credential stuffing
The longer the misuse of one's own data goes undetected, the more destruction hackers can cause. If cybercriminals can gain access to your data, they can change, manipulate or even delete all your information irrevocably. On the one hand, this makes the work of all employees more difficult or even impossible; on the other hand, it may result in costly claims for damages and an irreparable loss of image and reputation.
Prominent victims of credential stuffing attacks
From Instagram to Facebook to Adobe and Microsoft, almost every web industry has already had to own up to being a victim of the theft of personal customer data. Just last year, T-Mobile was the victim of a cyberattack in which hackers stole the data of 7.8 million mobile customers. In addition to names, passwords and dates of birth, financial and very personal data were also stolen. Even national insurance numbers, driving licence details and credit card numbers were not spared in this attack.
Although in principle, any industry can become a target of credential stuffing via its web services, portals with high financial transactions are mainly targeted. Therefore, it is typically banks, payment, or travel service providers who are most affected and have to deal with the fallout of these attacks.
Protecting yourself and your company from credential stuffing
Whether as a private individual or as a company, there are several options available to help stop the dreaded credential stuffing. The most effective method is to ensure a good balance between security and usability.
The combination of complex password selection and a downstream human interaction proof process is an effective option in the fight against these kinds of costly cyberattacks. Complex password requirements and time-consuming captchas may increase the security of user data, but they also quickly lead to frustration among employees. Unfortunately, captchas are no longer an insurmountable hurdle for aggressive or savvy attackers. Numerous third-party providers have long since established themselves as specialists in solving captcha prompts using an army of cheap labourers.
A much more effective measure is the systematic regulation of automated requests. Here, devious bots are tracked down with the help of special software, identified and rigorously blocked. Harmless bots, such as search engine crawlers, remain accepted. Bot management systems, for instance, help increase the level of protection within your company and protect your web applications from credential stuffing. Harmful traffic is blocked before an attack can cause damage.
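The "systematic regulation of automated requests" described above comes down to recognising the traffic pattern of a credential stuffing bot: one source replaying a combo list tries many different usernames, each only once or twice, whereas a legitimate user who mistypes retries the same account. The following Python script is an added example, not code from IYS or from this post; the log format, the threshold values and the sample log lines are all constructed for the illustration. It slides a time window over authentication events per source address, flags sources whose failures are spread across many distinct usernames, and records any account that logged in successfully from such a source, since that is the account most likely to have been taken over.

```python
"""Flag credential-stuffing-like login traffic in authentication logs.

Heuristic: inside a sliding window, a single source address with
>= min_failures failed logins spread over >= min_distinct_users different
usernames is treated as a combo-list replay. A successful login from the
same source inside that window is reported as a probable account takeover.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed log format for this example (not any particular product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 198.51.100.2 is a user mistyping their own password,
# 203.0.113.7 walks through five different accounts and then lands one,
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=198.51.100.2 user=alice result=fail
2024-03-01T10:00:09Z ip=198.51.100.2 user=alice result=fail
2024-03-01T10:00:20Z ip=198.51.100.2 user=alice result=ok
2024-03-01T10:01:00Z ip=203.0.113.7 user=alice result=fail
2024-03-01T10:01:01Z ip=203.0.113.7 user=bob result=fail
2024-03-01T10:01:02Z ip=203.0.113.7 user=carol result=fail
2024-03-01T10:01:03Z ip=203.0.113.7 user=dave result=fail
2024-03-01T10:01:04Z ip=203.0.113.7 user=erin result=fail
2024-03-01T10:01:05Z ip=203.0.113.7 user=grace result=ok
2024-03-01T10:02:00Z ip=192.0.2.9 user=heidi result=ok
""".splitlines()


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed-format log line into a LoginEvent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return LoginEvent(ts=ts, ip=m["ip"], user=m["user"], success=m["result"] == "ok")


def detect_stuffing(lines, window_seconds=300, min_failures=5, min_distinct_users=4):
    """Return {ip: summary} for sources that look like combo-list replays.

    summary = {"failures": peak failed logins seen in one window,
               "distinct_users": peak distinct usernames among those failures,
               "compromised": accounts that logged in OK from that source}
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    recent = defaultdict(deque)  # ip -> events inside the current window
    flagged = {}
    for ev in events:
        q = recent[ev.ip]
        q.append(ev)
        # Drop events that fell out of the window relative to this event.
        while (ev.ts - q[0].ts).total_seconds() > window_seconds:
            q.popleft()
        fails = [e for e in q if not e.success]
        users = {e.user for e in fails}
        if len(fails) >= min_failures and len(users) >= min_distinct_users:
            entry = flagged.setdefault(
                ev.ip, {"failures": 0, "distinct_users": 0, "compromised": set()}
            )
            entry["failures"] = max(entry["failures"], len(fails))
            entry["distinct_users"] = max(entry["distinct_users"], len(users))
            entry["compromised"].update(e.user for e in q if e.success)
    # Sets are handy while accumulating; sorted lists are friendlier to report.
    return {ip: {**v, "compromised": sorted(v["compromised"])} for ip, v in flagged.items()}


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")
```

On the sample log only 203.0.113.7 is flagged, with `grace` listed as the account that should be locked and forced through a password reset; the retrying user on 198.51.100.2 stays below both thresholds. In a bot management layer the flagged source would be rate-limited or challenged rather than merely reported. One caveat a practitioner will want: attackers spread combo-list replays across many proxy addresses precisely to stay under per-IP thresholds, so this per-source rule should be paired with a site-wide signal such as a sudden rise in the overall failed-login rate across many accounts.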
Why not take action today and evaluate the current level of security within your company with the help of our security awareness professionals here at IYS? Raise employee awareness of cyberattacks and save yourself the costly aftermath of credential stuffing attacks. Stay ahead of the hackers, and let us help you develop a robust and sustainable security strategy!