What everybody ought to know about credential stuffing

February 6, 2018

Even if your website is secure, your user’s credentials could still be available to buy online. It’s time to learn more about credential stuffing attacks and how lousy password choices make them easier to administer.

Choosing a password isn’t simple, especially when we’re asked to make them complex. That’s why we often pick passwords that are easy to remember. And why many people use the same or similar passwords over multiple sites.

This in combination with reusing the same email address as a username, is a recipe for disaster.

Let’s say someone hacks one of your social media accounts and steals your credentials. If you’re reusing those credentials, hackers can use that information to access your other accounts too.

Consequently, that could be your work email or even your internet banking. Now just think of the trouble that might cause.

Anatomy of a credential stuffing attack

Hackers don’t enter credentials manually into websites in the hope of gaining access to an account. Credential stuffing is an automated process.

Although there are other ways to harvest user credentials, most originate from massive data breaches .

Stolen credentials are sold, or even given away for free on illegal sites hosted on the Dark Web.

After acquiring credentials, hackers try them out on third-party websites using an automated tool. They “stuff” any number of credentials into a selected site in search of a match.

And if a hacker is successful, what happens next depends on the website. For example, cybercrooks can order goods from retail sites or transfer money from bank accounts.

Billions of stolen credentials for sale

There are billions of stolen credentials available online. And every time a data breach occurs this illegal resource grows.

Between 2013 and 2014, search giant Yahoo! experienced two of the most significant data breaches in history. In 2016, company execs revealed that hackers had compromised over 1.5bn user accounts. And this is just one of many examples.

Relentless automated attacks

Automated software is allowing credential stuffing to become a widespread issue with tools and credentials readily available.

As a result, this kind of attack is within reach of an increasing number of cybercriminals. Even those with minimal resources and experience.

Researchers estimate that 2% of credential stuffing attacks will succeed. That might not sound like a lot but imagine if an attacker has access to one million credentials. That hacker could gain access to 10,0000 accounts on any given website.

Customer or company, the fallout is devastating

Credential stuffing attacks pose problems for individuals and businesses alike. When a hacker gains access to a user account on your site, your reputation suffers.

Even those who have not been directly affected might lose confidence in your company and brand. And this can slash your revenue.

Your employee accounts are potential targets too as people often use the same credentials for personal and work accounts.

If a cybercriminal hacks an employee account, they could get instant, unprecedented access to sensitive information.

And that’s why it’s vital that businesses take adequate security measures to prevent this type of fraud. One way of doing so is to help your customers choose safer passwords for their user accounts.

And that’s where EyeOnPASS steps in.

Related Posts

May 18, 2018

Facebook CEO Mark Zuckerberg has been in the news for all the wrong reasons lately. And his timing couldn’t be…

May 1, 2018

This year, World Password Day falls on May 3. An initiative devised to make you think about how well you…

April 27, 2018

Cybercriminals steal user credentials in several ways. With this lucrative user data, hackers steal funds, confidential information, and even identities.…

April 3, 2018

A common dictionary attack uses a list of words to guess the passwords for user accounts. It’s a simple tactic…

February 7, 2018

Perhaps you have heard of the huge password breaches that online giants like Yahoo have suffered in the past years.…