Credential Stuffing Attacks on the Rise. What Can You Do?


In a recent Private Industry Notification, the U.S. Federal Bureau of Investigation warned of a rise in credential stuffing attacks on businesses. More specifically, it warned that credential stuffing attacks “accounted for the greatest volume of security incidents against the financial sector” at 41 percent.


Moreover, the FBI warned that the consequences of credential stuffing attacks could prove disastrous; financial businesses could suffer downtime, loss of customers, and reputational damage, in addition to costs reaching as much as $6 million per year. 

However, these problems don’t just affect financial businesses. An article in InfoSecurity Magazine by Karen Bowen attributed some of the largest hacks of the past year to credential stuffing; these include the Marriott breach, the Zoom breach, and the attack on GoDaddy.

Both Bowen and the FBI note that frequent exposure of credentials stems from a few different sources. Hackers constantly upload stolen or leaked credentials to the Dark Web, which makes future credential attacks easier to carry out. Yet users also contribute to this problem by refusing to use unique passwords for all of their accounts.

Preventing Repeating Passwords to Stop Credential Stuffing Attacks

Every repeated password exponentially increases the risk of hackers stealing it and using it in future credential stuffing ploys. In fact, repeated passwords could create a cascading data breach effect, where breach follows breach as more passwords become exposed. 

Fortunately, there are a few steps enterprises can take to mitigate or completely prevent credential stuffing. First, you could use a business-level password manager to encourage users to generate strong passwords without fearing forgetting or losing them. 

Alternatively, you could embrace different methods of authentication as embodied by multifactor authentication. Credential stuffing doesn’t work (or at least doesn’t work as well) if biometrics, geofencing, and token-detection all play a part in authentication processes.



Ben Canner