What is credential stuffing?
Ever wonder what happens to all those stolen usernames and passwords, like in the recently disclosed Yahoo breach? You may not have had a Yahoo account in decades, but you should still be concerned. Credential stuffing is a type of attack in which the logon credentials stolen from one website are tested across other websites.
How does credential stuffing work?
Credential stuffing begins with a database of stolen credentials. Hackers may acquire such a database by breaching the website of a social network like Yahoo, of any other business, or even of a government agency. Another way to acquire a database of credentials is to purchase it on the Dark Web.
It is important to note that it often takes organizations anywhere from 6 months to over a year to realize that they have been breached. By being careful and covering their tracks, hackers ensure a longer “shelf life” of the stolen credentials. Once the breach is discovered and disclosed, many users will change their credentials, making the database less valuable.
Once the attackers have the stolen credentials in their possession, they can use them with one of many tools available for breaking into password-protected accounts. Freely available on the internet, tools like Sentry MBA help the attackers automate the process of testing the stolen credentials across any number of target sites such as popular online retailers, social networks, email, banks, insurance companies, cloud storage, and many others. These cracking tools not only automate and speed up the process of trying thousands of logon credentials across hundreds of sites, but they also offer special features to defeat logon security features like CAPTCHA.
Since many people use the same logon credentials on multiple sites, the attackers can find that many credentials stolen from one site also work on additional sites. This new information can then be used in several harmful ways:
- Steal additional personal information available on the other sites, including your account number, phone number, address, date of birth, or full or partial credit card numbers.
- Change your logon credentials to take control of your accounts.
- Sell the verified login credentials on the Dark Web.
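The automated testing of stolen credentials described above leaves a distinctive footprint in a site's own authentication logs: one source trying many different usernames, mostly failing, with an occasional success where a reused password hit. The following added example (not from the original article) flags that pattern over constructed sample log lines; the log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the page). 203.0.113.7 cycles through many
# usernames with mostly failures, the footprint of an automated stuffing tool;
# 198.51.100.9 is one user mistyping their own password and must not be flagged.
SAMPLE_LOG = """\
2017-01-10T09:00:01 ip=203.0.113.7 user=alice result=fail
2017-01-10T09:00:02 ip=203.0.113.7 user=bob result=fail
2017-01-10T09:00:02 ip=203.0.113.7 user=carol result=success
2017-01-10T09:00:03 ip=203.0.113.7 user=dave result=fail
2017-01-10T09:00:03 ip=203.0.113.7 user=erin result=fail
2017-01-10T09:00:04 ip=203.0.113.7 user=frank result=fail
2017-01-10T09:00:04 ip=203.0.113.7 user=grace result=fail
2017-01-10T09:00:05 ip=203.0.113.7 user=heidi result=success
2017-01-10T09:01:00 ip=198.51.100.9 user=mallory result=fail
2017-01-10T09:01:45 ip=198.51.100.9 user=mallory result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$")

def parse_log(text):
    """Parse log lines into (ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"]))
    return events

def detect_stuffing(events, min_attempts=8, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources whose login pattern matches credential stuffing."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set(), "successes": 0})
    for ip, user, result in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "success":
            s["successes"] += 1
            s["hits"].add(user)  # accounts where a stolen password actually worked
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "successes": s["successes"], "success_rate": round(rate, 2),
                           "hit_accounts": sorted(s["hits"])}
    return flagged
```

The `hit_accounts` list is the actionable output: those are the accounts whose reused password was confirmed by the attacker and that need a forced credential reset.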
Protecting against credential stuffing
Use unique passwords. You can’t prevent breaches that expose your personal information, but you can ensure the stolen credentials can’t be used on any other site. The simplest and most effective way to prevent this is to use unique passwords for every account. However, don’t be tempted to keep track of them in an unprotected spreadsheet or text file on your computer. Instead, use a password manager application to help you generate strong passwords and store them safely. You will have just one password to remember — the one to your password manager.