Cybercrime is on the rise, and many cybercriminals are targeting small- and medium-sized businesses instead of large corporations. Californians know this firsthand: the Golden State led the nation in losses due to cybercrime in 2020. One of the methods crooks most commonly use to steal personal and financial information is credential stuffing.
What is credential stuffing?
Credential stuffing is a cyberattack in which stolen credentials — typically from a large-scale data breach — are used to attempt to log in to an account unrelated to that data breach. For instance, the login credentials compromised in the 2013 Yahoo! hack are still being used by cybercriminals today to gain access to non-Yahoo! accounts. Every so often, cybercriminals get lucky and a login combination works for an online account, which they then swiftly commandeer or clean out.
How is credential stuffing different from brute force attacks?
Brute force attacks, in general, use trial and error to guess login information. These attacks are done by "brute force," which means hackers bombard the login wall with any and all login combinations they can guess in the hope that one will grant access to the account.
According to the Open Web Application Security Project, credential stuffing is actually a type of brute force attack. But unlike generic brute force attacks, credential stuffing operators use stolen login credentials bought on the dark web to attempt unauthorized logins. It’s like buying a set of keys at a sketchy flea market and trying them on random doors you come across to try to gain entry. And by a stroke of luck — however rarely — a key could open a door and let you steal what’s inside.
What makes credential stuffing effective?
Credential stuffing is effective due to a combination of variables. It leverages the likelihood of people using the same login credentials for multiple accounts. It also takes advantage of automation, as cybercriminals can simply procure stolen login databases and use scripts to automatically submit each credential pair to target login portals. Lastly, it benefits from the sheer scale of the breaches that feed it.
The Yahoo! breach is a great example of the last variable, as the company’s decision to leave its users in the dark about the breach basically gave would-be credential stuffers a solid head start in their operations.
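The distinction drawn above (many stolen username/password pairs, each tried about once, versus many guesses against one account) is also what a defender can look for in authentication logs. The following is an added example, not code from the article or from USWired; the log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the article. Constructed log format (assumption):
#   <timestamp> src=<ip> user=<name> result=<success|failure>
# Thresholds below are illustrative, not vendor guidance.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.9 user=alice result=failure
2024-05-01T10:00:02Z src=203.0.113.9 user=bob result=failure
2024-05-01T10:00:03Z src=203.0.113.9 user=carol result=failure
2024-05-01T10:00:04Z src=203.0.113.9 user=dave result=success
2024-05-01T10:00:05Z src=203.0.113.9 user=erin result=failure
2024-05-01T10:01:00Z src=198.51.100.7 user=admin result=failure
2024-05-01T10:01:01Z src=198.51.100.7 user=admin result=failure
2024-05-01T10:01:02Z src=198.51.100.7 user=admin result=failure
2024-05-01T10:01:03Z src=198.51.100.7 user=admin result=failure
2024-05-01T10:01:04Z src=198.51.100.7 user=admin result=failure
2024-05-01T10:02:00Z src=192.0.2.5 user=grace result=failure
2024-05-01T10:02:09Z src=192.0.2.5 user=grace result=success
"""
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(success|failure)")


def classify_sources(log_text, min_attempts=5, user_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'benign'.
    Stuffing tries each stolen username/password pair about once, so the
    number of distinct usernames approaches the number of attempts.
    Brute force hammers few usernames with many guesses each.
    Also returns the accounts a stuffing source logged into successfully,
    since those are the ones to lock and reset first.
    """
    attempts, failures, users, successes = (defaultdict(int), defaultdict(int),
                                            defaultdict(set), defaultdict(set))
    for src, user, result in LINE_RE.findall(log_text):
        attempts[src] += 1
        users[src].add(user)
        if result == "failure":
            failures[src] += 1
        else:
            successes[src].add(user)
    labels, compromised = {}, set()
    for src, n in attempts.items():
        if n < min_attempts or failures[src] / n < 0.5:
            labels[src] = "benign"  # too few tries or mostly successful
        elif len(users[src]) / n >= user_ratio:
            labels[src] = "credential_stuffing"
            compromised |= successes[src]
        else:
            labels[src] = "brute_force"
    return labels, sorted(compromised)
```

On the sample, 203.0.113.9 is labelled credential stuffing with `dave` as the account it got into, 198.51.100.7 is labelled brute force, and the single typo from 192.0.2.5 is left alone.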
How can I prevent credential stuffing attacks?
Prevent credential stuffing by having proactive measures in place. Here’s what you can do:
For your staff
Make it a company policy to use unique passwords for each service/account your employees use. Passwords should also meet certain length and complexity requirements, such as having a minimum character count and using special characters. Also make it a requirement to use two-factor authentication through a reputable authentication app like Google Authenticator. Lastly, employees should be mandated to change their passwords every two weeks or so.
For your infrastructure
You can improve your password protocols by implementing a trusted password manager. Password managers are a great investment because they boost your cybersecurity while helping employees keep track of their passwords. A password manager also makes it easier for your IT staff to stay on top of account management, especially for accounts and services that are shared between several users in the organization.
Protect your information system with good IT hygiene and proactive defenses. For advanced threat protection, contact USWired. We can help you keep credential stuffers at bay. Call us today to set up a consultation.