What is Credential Stuffing?

Credential stuffing is a type of cyberattack where cybercriminals take large databases of usernames and passwords, often stolen through recent data breaches, and attempt to “stuff” the account logins into other web applications using an automated process. Such attacks are common, as 63% of the data compromised in social engineering attacks were login credentials.

In a credential stuffing attack, the fraudster uses access to consumer accounts to make fraudulent purchases, conduct phishing attacks and steal information, money or both. Credential stuffing is especially dangerous for consumers who use the same username and password combinations for more than one account, giving a cyber thief access to all those accounts at once.

In July of 2022, for example, more than 190,000 accounts were compromised in a credential stuffing attack against the popular outdoor retailer, The North Face. As part of its response, the company reset all user passwords and encouraged customers to choose unique, long passwords — and to update any accounts that shared those exposed passwords to prevent those accounts from suffering the same fate.

Given the number of accounts and transactions conducted online, it’s important to understand credential stuffing and how to protect your personally identifiable information (PII) and login details.

HOW DOES CREDENTIAL STUFFING DIFFER FROM A DATA BREACH?

A data breach often precedes a credential stuffing attack. Hackers breach (i.e. illegally access) a company’s database of customer information to either misuse the information for identity fraud or sell the stolen data on the dark web. If that stolen information includes login credentials, cybercriminals can purchase it to execute credential stuffing attacks.

QUICK STATS ON STOLEN ACCOUNT INFORMATION

• 15 billion stolen account credentials circulating on the dark web
• 85% of data leaks include emails and passwords
• 1 in 4 identity crime victims later becomes a victim of identity theft
• 40% of all fraud activity associated with an account takeover occurs within 24 hours

WHAT IS THE HARM IN CREDENTIAL STUFFING?

PCMagazine reports that 70% of people use the same password for multiple accounts. When login credentials are exposed to hackers, even once, they can be used to access a multitude of accounts, whether it is an email account, health insurance or online store. The criminal gains unlimited access to all the personal information, financial account details, medical information or other sensitive data within each account. This leaves you not only vulnerable to account takeover fraud, but also credit card fraud, medical identity theft, tax fraud and identity theft.

WHAT DO I DO IF I’M A VICTIM OF A CREDENTIAL STUFFING ATTACK?

Often, victims of credential stuffing do not recognize that their accounts have been accessed by a third party until they review their past transactions or attempt to log into a less frequently used account. If you believe your account has been hijacked, update your password immediately and contact the company to sort out any fraudulent charges or changes made to your account information. Also, report the credit card fraud to your credit card company and place a fraud alert if you have other online accounts with your cards attached. You may also consider freezing your credit.

5 SIGNS OF A CREDENTIAL STUFFING ATTACK

1. You are unable to access your account because the login information is incorrect.
2. You are notified that your account has been locked due to “too many login attempts,” which you have not made.
3. You receive an email confirmation that your password has been updated without your consent.
4. You detect fraudulent charges made using the bank accounts linked to certain online accounts.
5. You stop receiving email notifications for accounts, which can indicate their email address was changed to direct notifications to the hacker.

HOW CAN I PROTECT MYSELF FROM CREDENTIAL STUFFING?

Updating old and duplicate passwords is the first step in protecting yourself from credential stuffing attacks. Consider using a password manager: It gives you one secure location to safeguard and manage your unique, hard-to-crack passwords. A password manager also makes it easier to update your passwords more frequently, especially after every notification that a data breach has compromised your information. IdentityForce, a TransUnion brand, includes a password manager to help you securely store and create strong passwords in one localized place.

Monitor your credit and account transaction history for fraudulent charges made to your account. Criminals often start by making small, hard-to-detect charges to test an account’s viability before escalating to more significant purchases.

Two-factor authentication (2FA) or multi-factor authentication (MFA) creates an extra layer of security that forces identity thieves to do more than crack a password. Two-factor authentication involves combining two of something you know (a password), something you have (a mobile device or email) or something you are (biometric identifier). Keep your accounts safe from credential stuffing by enabling 2FA everywhere it’s available. And although this additional step may feel like a hassle when you are trying to speed through some account management or online purchase, it’s worth the effort.

Diamond Credit Union has partnered with CyberScout , a Sontiq brand, to offer comprehensive identity management services. If you detect suspicious activity or would like to proactively protect your identity, contact us at 610-326-5490 to be connected to a CyberScout fraud expert.

LEARN MORE ABOUT CYBERSCOUT AT DIAMOND