What is a credential stuffing attack? Explained…

We discuss what credential stuffing is, how it works and how you can avoid this type of Internet attack.

Most will know that to log into your account on many websites or apps, you most likely need your username or email, along with your password. Despite being a poor security habit, many users will use the same username and password combinations for multiple accounts.

This isn’t recommended because if crooks manage to obtain a user’s username and password for one account, they will also be able to gain access to multiple accounts belonging to the same user.

This is essentially what credential stuffing is; entering a compromised username and password from one account into the login pages of other sites and apps in order to gain unauthorised access to those accounts.

Credential stuffing is usually a large-scale attack, meaning crooks using it work from a large volume of compromised usernames and passwords, which would typically have been made available as a result of a large data breach, such as the Yahoo or MySpace data leaks.

Often, these lists of leaked usernames and passwords may number in the hundreds of thousands, even millions. As such, crooks will typically employ software that works through the list and automatically injects usernames and passwords into the login pages of various websites and apps, looking for successful logins.

Successful logins are noted down, meaning the crook now has access to those accounts.
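The automated pattern described above has a recognisable shape in a site's own login logs, and defenders can look for it: one client trying many different usernames with mostly failures, unlike a brute-force attack (one user, many passwords) or a legitimate user mistyping a password. The following script, an added example that is not part of the original article, runs that check over constructed sample log lines; the log format and the thresholds are assumptions.

```python
# Added example: flag credential-stuffing sources in constructed auth log lines.
# Stuffing = one client, many distinct usernames, high failure rate.
from collections import defaultdict

# Constructed sample log lines (not from any real system):
# <timestamp> <client_ip> <username> <result>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice FAIL
2024-05-01T10:00:01Z 198.51.100.7 bob FAIL
2024-05-01T10:00:02Z 198.51.100.7 carol FAIL
2024-05-01T10:00:02Z 198.51.100.7 dave OK
2024-05-01T10:00:03Z 198.51.100.7 erin FAIL
2024-05-01T10:00:03Z 198.51.100.7 frank FAIL
2024-05-01T10:00:05Z 198.51.100.7 heidi OK
2024-05-01T10:01:00Z 203.0.113.9 alice FAIL
2024-05-01T10:01:05Z 203.0.113.9 alice FAIL
2024-05-01T10:01:10Z 203.0.113.9 alice OK
"""

def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successful_users)} for clients
    that tried at least min_users distinct usernames with mostly failures.
    successful_users are accounts to treat as compromised (force a reset)."""
    users, attempts, fails, hits = (defaultdict(set), defaultdict(int),
                                    defaultdict(int), defaultdict(set))
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        if len(users[ip]) >= min_users and fails[ip] / n >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), n, sorted(hits[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (n_users, n, hits) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n_users} usernames in {n} attempts; compromised: {hits}")
```

The second client (three attempts on one account, then success) is the ordinary mistyped-password case and is not flagged, while the first client's two successful logins are the accounts the site should reset.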

How to avoid credential stuffing

There are two effective ways to make sure you are not the victim of credential stuffing.

The first and most effective method is to never use the same password across multiple accounts. Since this attack relies on using a compromised username and password from one account on other Internet accounts, making sure you use a different password for each account will ensure that any such attempts to log in fail.

It is worth remembering that credential stuffing attacks often use login information stolen directly from companies with whom you may have an account. This means that regardless of how cyber-savvy you are, you’re always vulnerable to having your username and password leaked in this way, and as such it is always recommended to use different passwords across different accounts. The easiest way to do this is by using a password manager, which an estimated 23% of Internet surfers already use, and that number is rising.

The second method to avoid credential stuffing attacks is to enable two-factor authentication on websites that provide such a feature. This means anyone wanting access to your account will need to provide something other than the account password. This could be a text code sent to a phone, a USB authentication key or a code generated by a third-party app.

Enabling two-factor authentication means that even if you do use the same username and password across multiple accounts and a crook obtains that information, they can’t log in to your accounts because they don’t have access to that additional layer of security.