What is Credential Stuffing

While creating a password for an online credit card or internet banking account, you are usually asked to make it "strong": a capital letter, a special character, a number, and so on. Do you come up with something like aXZvXjkdA(0LJCjiN? The answer is most likely "No". We tend to settle on something we can remember easily, typically a familiar word dressed up with a capital letter, a digit and a special character. That ticks every box on the complexity checklist, yet it is not hard to break with today's tooling, because attackers' wordlists already contain those common substitutions. It is worse still when the password is built from a birthdate, a favourite movie, a favourite basketball player, a spouse's name or even a toddler's name.

If that was not enough, we tend to reuse the same password across many sites. Now if even one of the sites you log in to is breached, your username and password are exposed and ready to be used elsewhere. Attackers collect the leaked credential pairs and feed them into an automated tool, which replays each pair against a target site to see which ones still work. Because people reuse passwords, some of them will. Think about what that means if the target is a retail site or, worse, your banking site: stolen sensitive information, or money transferred to accounts the attacker controls.

This whole activity of fraudulently gaining access to other people's accounts is called Credential Stuffing. In a credential stuffing attack the attacker uses automated scripts and bots to try each leaked credential pair against a target web site. Because it relies on credentials from earlier breaches rather than on guessing, it can be considered a subset of brute force attacks, with a much higher success rate per attempt.
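The traffic shape described above (one source replaying many leaked username/password pairs, most of which fail) is what a defender can look for in authentication logs. The script below is an added example, not code from the original article: it parses a constructed log format (the `login user=... ip=... result=...` lines and the thresholds are assumptions, not any real product's format or defaults), groups attempts per source IP over a sliding window, and flags sources whose attempts spread across many distinct usernames with a high failure rate. It also labels the opposite shape, one username hit many times, as classic single-account brute force, the broader category the text mentions, so the two can be told apart in the same pass.

```python
"""Flag credential-stuffing traffic in authentication logs.

Added example, not from the original article. The log format, the sample
lines and the thresholds below are constructed for illustration; adapt the
regex and the numbers to what your login service actually emits.

Credential stuffing: ONE source, MANY distinct usernames, roughly one
attempt (the leaked pair) per username, high failure rate.
Single-account brute force: ONE source, ONE username, many attempts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). 203.0.113.7 sprays leaked pairs
# across eight accounts and hits one; 198.51.100.9 is a normal user fumbling
# their own password; 192.0.2.44 hammers a single account.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user=alice ip=203.0.113.7 result=FAIL
2024-03-01T10:00:02Z login user=bob ip=203.0.113.7 result=FAIL
2024-03-01T10:00:02Z login user=carol ip=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z login user=dave ip=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z login user=erin ip=203.0.113.7 result=SUCCESS
2024-03-01T10:00:04Z login user=frank ip=203.0.113.7 result=FAIL
2024-03-01T10:00:04Z login user=grace ip=203.0.113.7 result=FAIL
2024-03-01T10:00:05Z login user=heidi ip=203.0.113.7 result=FAIL
2024-03-01T10:00:10Z login user=ivan ip=198.51.100.9 result=FAIL
2024-03-01T10:00:20Z login user=ivan ip=198.51.100.9 result=FAIL
2024-03-01T10:00:35Z login user=ivan ip=198.51.100.9 result=SUCCESS
2024-03-01T10:01:00Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:05Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:10Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:15Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:20Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:25Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:30Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:35Z login user=admin ip=192.0.2.44 result=FAIL
2024-03-01T10:01:40Z login user=admin ip=192.0.2.44 result=SUCCESS
"""

LOG_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(SUCCESS|FAIL)$")


def parse_line(line):
    """Return (timestamp, user, ip, success) or None for a non-matching line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def detect_credential_stuffing(lines, window_seconds=60, min_distinct_users=5,
                               min_fail_ratio=0.7, min_single_user_attempts=8):
    """Classify each source IP by the shape of its attempts in any window.

    Returns {ip: stats} for flagged IPs only. stats carries the label,
    counts for the first window that tripped a rule, and the usernames that
    logged in successfully from that source (accounts to lock or reset).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[2]].append(rec)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(events):
            # All attempts from this IP within window_seconds of `start`.
            window = [e for e in events[i:]
                      if (e[0] - start).total_seconds() <= window_seconds]
            attempts = len(window)
            users = {e[1] for e in window}
            failures = sum(1 for e in window if not e[3])
            stats = {
                "attempts": attempts,
                "distinct_users": len(users),
                "failures": failures,
                "compromised": sorted(e[1] for e in window if e[3]),
                "window_start": start.isoformat(),
            }
            # Many usernames, mostly failing: leaked pairs being replayed.
            if len(users) >= min_distinct_users and failures / attempts >= min_fail_ratio:
                flagged[ip] = dict(stats, label="credential_stuffing")
                break
            # Few usernames, many attempts: classic password guessing.
            if attempts >= min_single_user_attempts and len(users) <= 2:
                flagged[ip] = dict(stats, label="brute_force")
                break
    return flagged


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

Counting distinct usernames per source is the key signal: a legitimate user who mistypes their own password a few times never spreads across accounts, whereas a stuffing bot rarely tries the same account twice. The `compromised` list is the part a responder actually acts on, since every success from a flagged source is an account whose password is already known to the attacker. In production the same logic would also need to account for sources that rotate IPs across a proxy pool, so grouping by IP alone is a starting point, not a complete detection.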

Targets of Credential Stuffing

Apart from ordinary Internet users, credential stuffing attacks are aimed at organizations across a variety of industries, including banking, financial services, government, healthcare and education.

Consequences of Credential Stuffing attacks

Victims of credential stuffing attacks face financial as well as other tangible losses. Here are some of them:

- Reputation loss. Almost all businesses store some amount of personally identifiable information on employees or customers, and they are legally obligated to protect it. When that information is exposed through stuffed accounts, the company's reputation in the market suffers.

- Regulatory fines. Leaked customer data or business information often invites regulatory action, and governments and regulatory bodies can levy stiff fines depending on the severity of the breach. These financial burdens add up and can devastate businesses of any size.

- Operational costs. Companies incur costs for investigation, remediation and customer management arising out of a credential stuffing attack. Depending on the scope of the attack, the cost can scale to millions.

- Customer loss. Lost customers are lost revenue, and most companies are likely to lose customers if they are unable to protect sensitive customer and business data.

How to prevent Credential Stuffing attacks

Taking some basic precautions is the best way to protect against credential stuffing attacks. Here is what you can do:

Stay safe! Heard of Password Spray attacks, by the way?