The dark web is no friend: as of today it holds stolen accounts for several business communication platforms, and the reason behind most of them is “credential stuffing”. Online platforms are a constant hotbed for crime at every level. Cybercriminals exploit the slightest security flaw to get into a system and, in this case, walk away with the platform's user database. The stolen information is then sold in exchange for Bitcoin.
Understanding Credential Stuffing
Credential stuffing is a cyber threat in which stolen user credentials are tried against other systems to get into them. Bots provide the automation and scale that make the work easy, and the attackers take advantage of the fact that users tend to reuse the same credentials across sites. It has been statistically shown that these attacks work because the same credentials produce a successful login on a different site. Take an example for better understanding: suppose you have an account on a particular site called “XYZ”, it was breached at some point, and you later got your account recovered. Your username and password were nevertheless taken by the criminals, who can use them to try to log in to any other site where you might have an account. Since it is so simple and obvious for people to use similar credentials across platforms, those other accounts are attacked next. The whole process is easily automated with software: the criminals feed the stolen data into the login forms of website after website and gain access to all of your data.
Practices to protect yourself from Credential Stuffing attacks
Giving proper attention to security is a need on every platform you work on, online or offline. Protecting yourself from credential stuffing is very simple: all you have to do is follow the regular security norms we have always been asked to follow.
Practice using unique passwords: It is always advisable to use a unique password for each website you log in to. Even if attackers or hackers obtain the credentials of one account, they will not succeed in their attempts on the others.
Use a password manager: It is common and obvious for users who keep unique, strong passwords for many websites to forget them. A password manager not only resolves that issue but also helps in generating new passwords. You can choose from the paid and free password managers available online.
Two-step authentication: You will have come across two-step authentication if you have a Gmail account, since Gmail suggests that you enable it. It adds a second tier of authentication through a code sent to you by SMS. In this case, even if the hackers have your credentials, they won’t be able to log in.
Get notifications: Various services will check whether your credentials have been leaked, and when they appear in a leak you will be notified.
Norms to be followed by Services to avoid Credential Stuffing:
Even though it is your responsibility to practice password protection to the best of your ability, the services you are associated with hold an equal responsibility to make their platforms safe enough to keep credential stuffing away. Here are certain measures that services can consider:
Regular scanning of leaked databases: A service that continuously scans leaked databases and cross-references them with its own users' login credentials will be aware of a leak and can make the affected users aware of it as well. Whenever a match is found, the service can prompt the user to change the password, and thus the snooping stops.
Offering two-step authentication: Two-step or two-factor authentication stops the login at the root. With two-step authentication, a user is sent a unique code to their linked device after filling in their credentials, to verify themselves. In such a case the intruders fail from the very beginning.
Mandatory CAPTCHA: Sometimes when logging in to a website you are asked to enter the characters shown in an image or to do a small calculation. This verifies that the activity is not that of a bot. Since credential stuffing mostly uses bots to log in to many accounts, a mandatory CAPTCHA will not allow those logins to go through.
Limiting repeated logins: The more developed and sophisticated bots spread their automated login attempts across different IP addresses so as to hide the unusual activity. When you restrict the number of consecutive login attempts allowed within a short time period, you are able to notice unusual behavior and take action.
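As an added example that is not part of the original article, here is a small Python detector that applies the last norm above to a constructed login log: it flags an IP that exceeds a number of attempts inside a sliding time window (rate limiting), and separately flags an IP whose failed attempts are spread across many different accounts, which is the footprint a credential-stuffing bot leaves even when it stays under the rate limit. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not from any real service).
SAMPLE_LOG = """\
2024-03-01T10:00:00 ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:01 ip=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02 ip=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03 ip=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:04 ip=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:05 ip=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:10 ip=198.51.100.7 user=grace result=FAIL
2024-03-01T10:00:20 ip=198.51.100.7 user=grace result=FAIL
2024-03-01T10:00:30 ip=198.51.100.7 user=grace result=OK
2024-03-01T10:01:00 ip=192.0.2.9 user=heidi result=FAIL
2024-03-01T10:01:20 ip=192.0.2.9 user=ivan result=FAIL
2024-03-01T10:01:40 ip=192.0.2.9 user=judy result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    # Returns (timestamp, ip, user, result), or None for a line that does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]

def analyze(lines, window=timedelta(seconds=60), max_attempts=5, min_distinct_users=3):
    # rate_limited: IPs with more than max_attempts attempts inside the sliding window.
    # stuffing_suspects: IPs whose failures hit at least min_distinct_users accounts in the window.
    attempts = defaultdict(deque)       # ip -> timestamps of attempts still inside the window
    failed_users = defaultdict(dict)    # ip -> {username: time of the last failed attempt}
    rate_limited, stuffing_suspects = set(), set()
    for ts, ip, user, result in filter(None, map(parse_line, lines)):
        q = attempts[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_attempts:
            rate_limited.add(ip)
        if result == "FAIL":
            # Keep only accounts whose last failure is still inside the window, then add this one.
            failed_users[ip] = {u: t for u, t in failed_users[ip].items() if ts - t <= window}
            failed_users[ip][user] = ts
            if len(failed_users[ip]) >= min_distinct_users:
                stuffing_suspects.add(ip)
    return {"rate_limited": rate_limited, "stuffing_suspects": stuffing_suspects}
```

On the sample log, 203.0.113.5 trips both checks, 192.0.2.9 stays under the rate limit but is still flagged for trying three different accounts, and the legitimate user at 198.51.100.7 is not flagged at all.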
A proper understanding of password practices, and actually following them, is the first step towards securing yourself from credential stuffing. Poorly secured sites are vulnerable to credential stuffing, and as a wise user you should avoid using them. There is always an evil around the corner; you just need to know the trick to avoid it.