Credential Stuffing

  • Fabian Sinner
  • June 21, 2023


    Cyber attacks have become an omnipresent threat in the age of the Internet and digital identities. One method that is gaining popularity and poses significant risks for online users is so-called “credential stuffing”. 

    What exactly is Credential Stuffing?

    Credential stuffing is a cyberattack in which an attacker uses stolen username-password combinations to access different online accounts. In this process, the stolen credentials are automatically tried against a large number of websites and services – always hoping that users will use the same credentials for multiple accounts. 

    The credential stuffing method is characterized by its comparatively simple approach. Attackers take advantage of the fact that stolen usernames and passwords, often obtained from data leaks or hacks of websites, are commonly reused. By using automated tools and bots, attackers can try the obtained credentials en masse and access all accounts for which a user uses the same credentials as the compromised accounts. 

    Why is Credential Stuffing so effective?

    The main reason credential stuffing is often successful is the poor security practices of many users. Many people use the same usernames and passwords for multiple accounts to avoid having to remember many different credentials. Since attackers try stolen credentials at various websites, they have a good chance of success. 

    How can you protect yourself against Credential Stuffing attacks?

    Besides using strong passwords and unique username-password combinations, there are several additional security measures you can take to protect yourself from credential stuffing attacks.  

    One method that is now commonly used is two-factor authentication (2FA). Enable two-factor authentication wherever it’s available. 2FA adds an extra layer of security to the login process by requiring another verification step in addition to the password, such as confirming the login with an SMS code, email code or verification call. 

    Another method to prevent credential stuffing is to use a password manager. This helps generate strong and unique passwords for each account and manage them. Password managers can also help store credentials securely and automatically insert them into the appropriate fields when you log in. 

    Also, keep your operating system, browser and other software you use up to date. Updates often include important security patches that can close potential vulnerabilities. 

    Scammers are getting better at discovering your details, and they also like to try via email. Therefore, be wary of suspicious emails, links or messages from unknown senders that aim to steal your credentials. Learn to recognize phishing attempts and be careful with any credentials. 

    Another popular way to prevent credential stuffing is to use security questions. However, avoid common or easy-to-guess security questions. Instead, choose unique questions and answers or, better yet, use an alternative method for authentication. 

    It is also helpful to enable notifications or alerts that inform you about suspicious activity or failed login attempts on your accounts. 

    Last, you should check that all the websites you use employ HTTPS encryption to protect credentials during transmission. 

    In a nutshell: Protective measures against Credential Stuffing

    • Use of a unique username-password combination 
    • Enabling two-factor authentication (2FA) 
    • Use of a password manager 
    • Performing updates to keep the operating system and software current 
    • Detecting phishing attempts 
    • Using security questions 
    • Enabling alerts for login attempts 
    • Observing HTTPS encryption of websites 

    How do you spot suspicious activity in the user account that could indicate a credential stuffing attack?

    There are definitely signs you should look out for to detect suspicious activity that could indicate a possible credential stuffing attack.  

    These include the following: 

    1. Unknown login activity: If you notice login activity in your account that you did not perform yourself, this may indicate unauthorized access. Review login histories and pay special attention to login attempts from unusual locations or unknown devices. 
    2. Frequent failed login attempts: If you receive repeated notifications of failed login attempts, even though you didn’t make them yourself, it could mean that someone is trying to gain access to your account with stolen credentials. 
    3. Changes in account information: Watch out for unexpected changes in account information, such as new email addresses, phone numbers, or passwords that do not belong to you. An attacker could try changing this information to control your account. 
    4. Unknown activity: Check your account details for unusual activity, such as new connections to other accounts, suspicious messages, or unknown transactions. These could indicate that someone has accessed your account without authorization. 
    5. Receiving phishing emails: Suspicious emails asking you to reveal your credentials or personal information could be attempts to obtain your account information. It is imperative that you verify the authenticity of such emails before responding to them.
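
    Signs 1 and 2 can be checked mechanically against an account's login history. The following is an added example, not part of the original article: the log format, field names, thresholds and sample entries are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed login history for one account: timestamp, result, country, device
HISTORY = """\
2023-06-01T08:02:11 success DE laptop-chrome
2023-06-03T19:40:05 success DE phone-app
2023-06-10T03:14:50 failure BR unknown-1
2023-06-10T03:14:58 failure BR unknown-2
2023-06-10T03:15:07 failure VN unknown-3
2023-06-10T03:15:20 success VN unknown-3
2023-06-12T08:10:00 success DE laptop-chrome
2023-06-15T22:30:00 success US unknown-4
"""

def parse_history(text):
    """Turn the text log into time-ordered (datetime, result, country, device) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, result, country, device = line.split()
        events.append((datetime.fromisoformat(ts), result, country, device))
    return sorted(events)

def review(events, known_countries, known_devices,
           max_failures=3, window=timedelta(minutes=10)):
    """Flag bursts of failed logins and successful logins from unfamiliar origins."""
    findings, failures, in_burst = [], deque(), False
    for ts, result, country, device in events:
        while failures and ts - failures[0] > window:
            failures.popleft()            # forget failures older than the window
        if not failures:
            in_burst = False              # quiet period: a later burst is reported anew
        if result == "failure":
            failures.append(ts)
            if len(failures) >= max_failures and not in_burst:
                findings.append(("failed_burst", ts.isoformat()))
                in_burst = True
        elif country not in known_countries or device not in known_devices:
            # An unfamiliar success right after failures is the most urgent case
            kind = "success_after_failures" if failures else "unknown_login"
            findings.append((kind, ts.isoformat()))
    return findings

if __name__ == "__main__":
    known = review(parse_history(HISTORY), {"DE"}, {"laptop-chrome", "phone-app"})
    for kind, when in known:
        print(when, kind)
```

    A `success_after_failures` finding calls for the immediate password change and 2FA steps described in the next section.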

    What to do if your credentials are affected by a Credential Stuffing attack? 

    If your credentials are affected by a credential stuffing attack, it is important to act quickly to limit the damage and protect your account. 

    First steps after a Credential Stuffing attack

    Immediately change the password for the affected account. Choose a strong and unique password not previously used for other accounts and avoid easily guessed information. If you haven’t already, enable two-factor authentication (2FA) for the affected account now, so that every login from now on must be confirmed with a code sent to a second device.  

    Also, check whether you use the same credentials for other accounts. If so, please change the password there immediately to prevent the attacker from gaining access to additional accounts. 

    Also, contact the customer support of the affected website or service and inform them about the incident so further measures can be taken if necessary. 

    Further steps to avert greater damage

    Monitor activity on your accounts, especially after a cyberattack. Watch for unusual login attempts and familiarize yourself with available monitoring features. 

    Continue to check if your credentials were included in a publicly disclosed data leak. Several websites and services monitor data leaks and allow users to check if their own credentials have been affected. If so, act proactively and change the passwords for those accounts as well. 
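
    A leak check does not have to reveal the password to the checking service. The added example below (not from the original article) shows the k-anonymity range lookup used by the Pwned Passwords service: only the first five characters of the password's SHA-1 hash are sent, and the comparison happens locally. The service choice is an assumption, since the article names none, and `fake_fetch_range`, its response and the counts are constructed so the code runs offline.

```python
import hashlib

def split_sha1(password):
    """Return (prefix, suffix): the first 5 and the remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def leak_count(password, fetch_range):
    """How often the password appears in the leak corpus (0 means not found)."""
    prefix, suffix = split_sha1(password)
    # Only `prefix` is handed to the fetcher; the suffix never leaves this machine.
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the HTTP request, so the example runs offline.
# A real client would GET https://api.pwnedpasswords.com/range/<prefix>.
SENT = []  # records everything that would have been transmitted

def fake_fetch_range(prefix):
    SENT.append(prefix)
    leaked_prefix, leaked_suffix = split_sha1("password")  # constructed leak entry
    lines = ["0" * 35 + ":0"]          # padding-style entry; count 0 is not a hit
    if prefix == leaked_prefix:
        lines.append(leaked_suffix + ":1234")  # constructed count
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        print(repr(candidate), "->", leak_count(candidate, fake_fetch_range))
```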

    If you have credit card data stored in the affected account or notice any suspicious transactions, contact your bank or credit card company immediately to prevent possible financial damage. 

    Pay special attention to phishing attempts in the following weeks. Attackers may try to take advantage of the confusion after an attack by posing as customer support and trying to get more information or credentials from you. 

    By following these steps, you can secure your affected account and minimize the risk of further access. We also recommend developing good security habits in the future to protect yourself from future credential stuffing attacks. From using unique and strong passwords to regularly monitoring account activity to enabling two-factor authentication, numerous options can help you stay safer online.  

    Do you have questions about your company’s general cybersecurity? Our colleagues will be happy to answer them all.
