In a recent Private Industry Notification, the U.S. Federal Bureau of Investigation warned of a rise in credential stuffing attacks on businesses. More specifically, it warned that credential stuffing attacks “accounted for the greatest volume of security incidents against the financial sector” at 41 percent.
Moreover, the FBI warned that the consequences of credential stuffing attacks could prove disastrous; financial businesses could suffer downtime, loss of customers, and reputational damage, in addition to costs reaching as much as $6 million per year.
However, these problems don’t just affect financial businesses. An article in InfoSecurity Magazine by Karen Bowen attributed some of the largest hacks of the past year to credential stuffing; these include the Marriott breach, the Zoom breach, and the attack on GoDaddy.
Both Bowen and the FBI note that frequent exposure of credentials stems from a few different sources. Hackers constantly upload stolen or leaked credentials to the Dark Web, which makes it easier for hackers to perform future credential attacks. Yet users also contribute to this problem by refusing to use unique passwords for all of their accounts.
Preventing Repeating Passwords to Stop Credential Stuffing Attacks
Every repeated password exponentially increases the risk of hackers stealing it and using it in future credential stuffing ploys. In fact, repeated passwords could create a cascading data breach effect, where breach follows breach as more passwords become exposed.
Fortunately, there are a few steps enterprises can take to mitigate or completely prevent credential stuffing. First, you could use a business-level password manager to encourage users to generate strong passwords without fear of forgetting or losing them.
Alternatively, you could embrace different methods of authentication as embodied by multifactor authentication. Credential stuffing doesn’t work (or at least doesn’t work as well) if biometrics, geofencing, and token-detection all play a part in authentication processes.