Credential Stuffing is a type of cyberattack in which attackers use lists of compromised user credentials to log into websites. The attackers use bots to automate and scale this process. This method is based on the assumption that people reuse usernames and passwords across multiple services.
Roughly 65 percent of all Internet users use the same password for multiple accounts.
Credential stuffing is becoming more common for two reasons:
– Availability of massive databases of breached credentials. For example, there is a known data breach referred to as “Collection #1”. This specific data breach compromised 22 billion username and password combinations. This information was being circulated on the popular cloud storage service called MEGA for the low, low price of $45. This was not on the Dark Web; it was on the regular web.
– More sophisticated bots that allow simultaneous login attempts that appear to originate from different IP addresses. These bots can often circumvent simple security measures such as banning an IP address after too many failed logins, because each address only ever makes a handful of attempts.
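The second point above is the one that matters for defenders: a per-IP lockout never fires when each bot address makes only two attempts. The following Python script is an added example (not code from the original article); it runs a naive per-IP lockout and a set of aggregate signals over a constructed authentication log and shows that only the aggregate view catches the attack. The log lines, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Added example: why per-IP lockouts miss distributed credential stuffing,
and which aggregate signals still catch it.  All log data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication log: "<ISO timestamp> <username> <source IP> <OK|FAIL>".
# Legitimate traffic first (bob logs in, carol mistypes once), then a bot that
# rotates through six addresses, trying two leaked username/password pairs from
# each address.  One leaked pair (u07) still works because that user reused it.
SAMPLE_LOG = """\
2024-05-01T10:00:01 bob 198.51.100.7 OK
2024-05-01T10:00:15 carol 198.51.100.8 FAIL
2024-05-01T10:00:30 carol 198.51.100.8 OK
2024-05-01T10:01:00 u01 203.0.113.10 FAIL
2024-05-01T10:01:01 u02 203.0.113.10 FAIL
2024-05-01T10:01:02 u03 203.0.113.11 FAIL
2024-05-01T10:01:03 u04 203.0.113.11 FAIL
2024-05-01T10:01:04 u05 203.0.113.12 FAIL
2024-05-01T10:01:05 u06 203.0.113.12 FAIL
2024-05-01T10:01:06 u07 203.0.113.13 OK
2024-05-01T10:01:07 u08 203.0.113.13 FAIL
2024-05-01T10:01:08 u09 203.0.113.14 FAIL
2024-05-01T10:01:09 u10 203.0.113.14 FAIL
2024-05-01T10:01:10 u11 203.0.113.15 FAIL
2024-05-01T10:01:11 u12 203.0.113.15 FAIL
"""


def parse_log(text):
    """Parse the log format above into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "OK"})
    return events


def per_ip_lockout(events, max_failures=5):
    """Naive defense: lock out any source IP with at least `max_failures` failures."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n >= max_failures}


def bucket_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size bucket (constructed helper)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def stuffing_signals(events, minutes=5):
    """Per time bucket, compute signals across *all* sources rather than per IP."""
    buckets = defaultdict(list)
    for e in events:
        buckets[bucket_start(e["ts"], minutes)].append(e)
    out = {}
    for start, evs in buckets.items():
        failed = [e for e in evs if not e["ok"]]
        users_per_ip = defaultdict(set)
        for e in failed:
            users_per_ip[e["ip"]].add(e["user"])
        out[start] = {
            "attempts": len(evs),
            "failure_ratio": len(failed) / len(evs),
            "distinct_failed_users": len({e["user"] for e in failed}),
            "distinct_failing_ips": len(users_per_ip),
            "max_users_per_ip": max((len(s) for s in users_per_ip.values()), default=0),
        }
    return out


def flag_buckets(signals, min_attempts=10, min_failure_ratio=0.5, min_users=10):
    """Flag windows in which many *different* accounts fail at a high rate.
    Thresholds are illustrative; tune them to the site's normal traffic."""
    return sorted(start for start, s in signals.items()
                  if s["attempts"] >= min_attempts
                  and s["failure_ratio"] >= min_failure_ratio
                  and s["distinct_failed_users"] >= min_users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    locked = per_ip_lockout(evs)
    print("per-IP lockouts:", locked or "none (each bot address fails only twice)")
    signals = stuffing_signals(evs)
    for start, s in signals.items():
        print(start, s)
    print("flagged windows:", flag_buckets(signals))
```

On this sample the per-IP rule locks nothing, while the single five-minute window shows twelve distinct accounts failing from seven addresses with an 80 percent failure rate, which is the shape of stuffing rather than of users mistyping their own passwords. The useful property of the aggregate signals is that they do not depend on how many addresses the attacker rotates through.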
There are a few simple ways to prevent Credential Stuffing:
– Use unique user names and passwords for different websites or apps.
– Use two-factor authentication or multi-factor authentication.
– Create a username instead of using your email address as your login.