Credential Stuffing Attacks Are On the Rise

Philip BaderCybersecurity, VulnerabilitiesLeave a Comment

One of the most common pieces of advice about online security is to change your passwords on a regular basis. As it turns out, this common sense approach is more important than ever. Federal agencies and cybersecurity experts have all issued recent warnings about an escalation in so-called credential stuffing attacks.

Last week, VPNMentor issued an incident report about the targeting of user accounts on the Spotify music streaming platform. The attacks potentially exposed the accounts of up to 350,000 members. 

The Securities and Exchange Commission also issued a recent risk alert highlighting an escalation in credential stuffing attacks against investment advisors and brokers. To further underscore the threat, the Federal Bureau of Investigation issued its own Private Industry Notification for financial institutions.

How Credential Stuffing Works

Credential stuffing is a hacking technique that employee automated tools and botnets to attempt user authentication across multiple online platforms using credentials stolen in data breaches. The process takes advantage of the fact that many people tend to use the same login credentials for several of their user accounts. 

The process is similar to brute force hacking, in which attackers can successfully guess a common or particularly weak password. But credential stuffing works far more effectively. It relies on access to even strong passwords that are being reused. Then automation makes the process of testing other accounts much more efficient. 

For example, attackers can carry out attacks on a massive scale by using automated bots that fabricate IP addresses. This allows for simultaneous authentication attempts across multiple platforms. It also allows attackers to avoid security protocols that block access when an IP address has too many failed login attempts.

How Big Is the Threat?

Hackers regularly trade in stolen billions of stolen credentials. This stolen data is the fuel for credential stuffing attacks. In one study, cybersecurity analysts at Akamai detected 55 billion credential stuffing attacks over a 17-month period between November 2017 and March 2019. 

The study found that certain industries were more likely to be targeted than others. The financial sector, retail, media streaming and gaming industries were heavily targeted. But the report concluded that no industry was safe from potential attack. Hackers have even exploited customer loyalty programs. 

Warning Signs of an Attack

Given the prevalence of stolen data circulating freely online, it’s increasingly likely that companies large and small will experience an attack. Here are some guidelines that cybersecurity experts say can help you spot an attack:

  • Pay attention to multiple login attempts on multiple accounts
  • Take note of any jump in site traffic as well as recorded downtime caused by it
  • Analyze use cases when you see higher than normal login failure rates

Common Sense Steps to Protect Your Accounts

Keeping yourself safe from cyberattacks can be daunting. So much of our personal information exists in digital form. And malicious actors seem to get better each year at finding and stealing it for their own gain. But here are some practical steps to limit your exposure.

  • Don’t duplicate credentials: Never use the same credentials for multiple accounts. Credential stuffers are banking on the fact that you will. So make sure you disappoint them.
  • Set a strong password: Don’t use anything obvious. If necessary, use a password manager program that allows you to easily store even the most complex credentials with the fear of forgetting them.
  • Change your passwords regularly: Data breaches happen quite regularly. And you might not hear about the possible exposure of your credentials. Regularly changing passwords can be a good preventative measure.
  • Use multi-factor authentication: Make sure that you add this extra layer of protection to all accounts that have the capacity for it.

As new data security threats evolve, technological solutions need to keep up. At SecureData, we pride ourselves on providing industry-leading strategies to keep your information safe from those who try to exploit it. 

Our SecureDrive and SecureUSB hardware encrypted storage devices feature DriveSecurity® antivirus software powered by ESET, FIPS 140-2 Level 3 Validation, hack-proof interior design, and remote management capabilities to protect against data breaches if they are lost or stolen.

SecureData also offers industry-leading data recovery and digital forensic services in the event that you experience data loss. Call us at 1-800-520-1677 to learn about how we can help keep you safe online and protect your most sensitive information from cyberattacks.