Data breaches make headlines regularly, and billions of user credentials (usernames and passwords) have been exposed publicly over the last few years. The natural question that comes up is:
“What do cybercriminals do with these stolen credentials?”
The most obvious use is attempting logins to the breached website itself. The next most common thing cybercriminals do with stolen credentials is use them in an attack called “credential stuffing.”
Credential stuffing is a fairly straightforward technique: an attacker uses an automated script or application to iterate through a list of stolen credentials, trying each username/password pair against a target web application, or a list of applications. Whenever a login succeeds, the “hit” is recorded for later exploitation. Because each stolen pair is normally tried only once per site, the traffic looks different from a brute-force attack: many distinct usernames from the same source, a low success rate, and often a spread across proxy addresses to dodge per-IP rate limits.
This attack vector is so effective because 78% of individuals use the same password for more than one account, and 52% reuse one across at least three accounts. Password reuse is a major cybersecurity risk because it lets attackers breach multiple accounts with a single set of stolen credentials.
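The traffic pattern described above can be detected from ordinary authentication logs. The following is an added example, not code from the original post or from Enzoic: it parses a constructed, hypothetical log format (`src=… user=… result=…`), classifies each source address as credential stuffing (many attempts, almost every one against a different username, few successes), brute force (many attempts concentrated on one username), or normal, and lists the accounts that succeeded from a stuffing source so they can be forced through a password reset. The thresholds are illustrative assumptions to be tuned against your own baseline.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example; not the original post's or Enzoic's code. The log format and
the sample traffic below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real traffic).
# 203.0.113.7: ten different usernames, one success -> credential stuffing.
# 198.51.100.4: a user mistyping twice, then succeeding -> normal.
# 192.0.2.9: eight tries against one account -> brute force.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01Z src=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=dave result=success
2024-05-01T10:00:03Z src=203.0.113.7 user=erin result=fail
2024-05-01T10:00:03Z src=203.0.113.7 user=frank result=fail
2024-05-01T10:00:04Z src=203.0.113.7 user=grace result=fail
2024-05-01T10:00:04Z src=203.0.113.7 user=heidi result=fail
2024-05-01T10:00:05Z src=203.0.113.7 user=ivan result=fail
2024-05-01T10:00:05Z src=203.0.113.7 user=judy result=fail
2024-05-01T10:00:09Z src=198.51.100.4 user=alice result=fail
2024-05-01T10:00:15Z src=198.51.100.4 user=alice result=fail
2024-05-01T10:00:30Z src=198.51.100.4 user=alice result=success
2024-05-01T10:01:00Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:01Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:02Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:03Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:04Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:05Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:06Z src=192.0.2.9 user=mallory result=fail
2024-05-01T10:01:07Z src=192.0.2.9 user=mallory result=fail
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

Attempt = Tuple[str, bool]  # (username, succeeded)


def parse_log(text: str) -> Dict[str, List[Attempt]]:
    """Group (username, succeeded) pairs by source address."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_src[m["src"]].append((m["user"], m["result"] == "success"))
    return by_src


def classify_source(attempts: List[Attempt], min_attempts: int = 8,
                    min_distinct_ratio: float = 0.8,
                    max_success_rate: float = 0.2) -> str:
    """Return 'stuffing', 'brute_force' or 'normal' for one source's attempts.

    Stuffing: each stolen pair is tried once, so nearly every attempt is a
    different username and most fail. Brute force: many attempts on few users.
    Threshold values are illustrative assumptions, not recommended settings.
    """
    n = len(attempts)
    if n < min_attempts:
        return "normal"
    distinct_ratio = len({user for user, _ in attempts}) / n
    success_rate = sum(1 for _, ok in attempts if ok) / n
    if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
        return "stuffing"
    if distinct_ratio < min_distinct_ratio:
        return "brute_force"
    return "normal"


def detect(text: str) -> Dict[str, str]:
    """Map each source address in the log to its classification."""
    return {src: classify_source(a) for src, a in parse_log(text).items()}


def compromised_accounts(text: str) -> Set[str]:
    """Usernames that logged in successfully from a stuffing source.

    These are the attacker's 'hits': reset their passwords and revoke sessions.
    """
    hits: Set[str] = set()
    for src, attempts in parse_log(text).items():
        if classify_source(attempts) == "stuffing":
            hits.update(user for user, ok in attempts if ok)
    return hits


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

In a real deployment the per-source view should be combined with per-username and global views, because a stuffing campaign spread across thousands of proxy addresses will stay under any single-IP threshold; the global signal is then a spike in failed logins against usernames that have never been seen before.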
Let me illustrate further with an example:
Jane has a LinkedIn account. Her account credentials were exposed in the massive LinkedIn breach from a few years back. Unfortunately for Jane, she happens to be one of the users who reuse the same credentials across multiple websites.
After the LinkedIn breach goes public, LinkedIn makes Jane reset her password. However, Jane doesn’t realize that she needs to update her password not just on LinkedIn, but everywhere else she is using the same login credentials (or perhaps she does, but with an average of 90 online accounts per user, it’s likely she missed some).
Enter Jake, a budding cybercriminal who has obtained the LinkedIn list of stolen credentials. Using a credential-stuffing tool called Sentry MBA, Jake loads the LinkedIn list and looks for hits against his favorite shopping site, Amazon.
As it so happens, Jane used the same password for Amazon as she did on LinkedIn and has left her credit card tied to her account. Once Jake has his list of hits, he starts logging into Amazon accounts, looking for ones with home addresses in the same town as him. He happens upon Jane, who fits the bill. The next thing you know, Jake has ordered some pricey items using Jane’s Prime account and lies in wait outside Jane’s house on the day of delivery to snatch the parcels once they are delivered, all before Jane even knows the order was placed.
This is just one example of a credential stuffing attack and the harm that can follow. Imagine if, instead of focusing on Amazon, Jake had tried those credentials against Jane’s employer’s corporate login. The attack could lead to a massive enterprise security breach, exposing sensitive corporate data and business operations to cybercriminals.
Credential stuffing attacks are a major risk to enterprise security. Organizations store vast amounts of sensitive data, and if an employee account is compromised, attackers can escalate privileges, access internal systems, and cause financial and reputational damage.
Organizations must put technical controls in place, such as screening new and reset passwords against known-breached credential lists, requiring multi-factor authentication, and rate-limiting and bot-detecting their login endpoints, and must educate employees on the risks of password reuse, so that credential stuffing attacks are stopped before they lead to account compromise.
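The first of those controls, refusing any password that already appears in a breach corpus, is the one the rest of this post is about. The following is an added example, not Enzoic’s code or API: it screens a candidate password at signup or reset time using a k-anonymity range lookup (SHA-1 hash, 5-hex-character prefix sent to the index, suffix matched locally), which is the scheme Have I Been Pwned’s Pwned Passwords service uses and means the full hash of the candidate never leaves the client. The breach corpus here is a tiny constructed stand-in; `build_range_index`, `range_lookup`, `breach_count` and `accept_new_password` are hypothetical names chosen for this example.

```python
"""Screen a candidate password against a corpus of known-breached passwords.

Added example; not Enzoic's code or API. The corpus below is constructed for
illustration. In production the index is a compromised-credential service or
a local copy of a breach list, queried by hash prefix so the service never
sees the full hash of the password being checked.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of "breached" passwords with occurrence counts (not real data).
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "qwerty": 3_800_000,
    "Summer2019!": 1_200,
    "linkedin2012": 85,
}

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the index (k-anonymity bucket)

RangeIndex = Dict[str, List[Tuple[str, int]]]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form breach-hash range indexes are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> RangeIndex:
    """Index the corpus as 5-char prefix -> [(35-char suffix, count), ...]."""
    index: RangeIndex = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index[h[:PREFIX_LEN]].append((h[PREFIX_LEN:], count))
    return index


def range_lookup(index: RangeIndex, prefix: str) -> List[Tuple[str, int]]:
    """Server side of the range query: every suffix under this prefix.

    The server learns only the prefix, so it cannot tell which of the hashes
    in the bucket (or none of them) the client is actually checking.
    """
    return index.get(prefix.upper(), [])


def breach_count(password: str, index: RangeIndex) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for candidate_suffix, count in range_lookup(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def accept_new_password(password: str, index: RangeIndex,
                        min_length: int = 12) -> Tuple[bool, str]:
    """Policy hook for signup and password reset.

    A password seen in any breach is rejected regardless of its apparent
    strength: an attacker running a stuffing list already has it.
    """
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password, index)
    if n:
        return False, f"appeared in {n} breached accounts; choose a different password"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ("linkedin2012", "Summer2019!", "correct horse battery staple"):
        print(candidate, "->", accept_new_password(candidate, idx))
```

The check belongs at every point where a password is chosen (registration, reset, and admin-set passwords), and it should be re-run against existing accounts whenever the breach corpus is updated, since a password that was clean when Jane picked it becomes a stuffing candidate the day LinkedIn’s list leaks.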
Enzoic provides enterprise security solutions to protect against credential stuffing attacks and automated login breaches.
Our platform offers:
Enzoic can help protect your website, your company, and your users from credential stuffing attacks by preventing users from using known, compromised credentials. Contact us for more information.
Read more:
– Evolving Password Based Security to Fight Compromised Credentials Attacks
– Credential Stuffing Attacks vs. Brute Force Attacks