Credential Stuffing is a cyberattack in which the attacker uses the list of credentials that are publicly available and then breaks into the system with various types of custom bots and other automation along with IP spoofing to prevent getting blocked.
But as per the reports, only a small fraction of attacks that are carried out result in successful account takeover.
Working of Credential Stuffing:
Generally, the attackers create automated tools like Bots that fetch the credentials from the dictionary of leaked credentials during data breaches and attempt to parallelly log into accounts to get access to web applications while spoofing the IP addresses, so they don’t get blocked by the system because of multiple failed attempts. After the attacker breaks into the system, he intends to obtain personal information, credit card details, or other data that may be private to the user or an organization.
How is Credential Stuffing different from Brute Force:
Credential Stuffing and Brute force are a lot similar, but there are some differences in both methods.
- Usually, during a Brute force attack, the attacker tries to guess the credential with no prior context or information regarding the victim using random strings, everyday phrases, common passwords, or a list of commonly used passwords and tries various permutations of them.
- This attack is a success only and only if the victim has a weak, simple, and guessable password. As the attacker has no prior information regarding the victim, the rate of success is pretty low in the Brute force attack.
Counter-Measures:
The following points should be kept in mind to prevent Credential Stuffing Attacks:
- Make sure the usernames and passwords are not reused across all the platforms, and the username should not be the same as that of the email address.
- Using Multi-Factor-Authentication reduces the chances of Account Hijacking, even if the passwords are compromised.
- Regularly change passwords in case it is compromised, or the services are under a data breach.
- Check whether your credentials were ever involved in data breaches like haveibeenpwned.
- Regularly monitor your account for unusual activity.
For Web Application Users:
- Make sure the user’s passwords are not stored in plain text form and are encrypted properly.
- Using Captcha to prevent bots from attempting to log in.
- Blocking/Banning IPS with suspicious traffic.
- Limiting continuous log-in attempts.