Credential Stuffing Guide: How to Protect Your Business

We live in a society where almost every important transaction or exchange occurs online via web programs and websites. Everything from entertainment to commerce to banking can be completed through the Internet. The variety of online services has changed how our society behaves and what information is important to us. Part of our online society involves creating accounts on various websites and portals to access our data. 

For commerce websites, this usually includes credit card information and billing addresses, while others store other information that might be considered sensitive. Even our social media accounts can contain information best kept private. Regardless of the type of website, these accounts are usually secured through login credentials consisting of a username or e-mail address combined with a password. These credentials are designed to make us feel secure when creating an online account with a domain that handles sensitive data.

Unfortunately, cybercrime has become more prominent in recent years despite the uptick in security protocols designed to hinder them. While we constantly enhance software to make it more difficult to penetrate, skilled hackers and cybercriminals have learned to bypass firewalls. Not every system is easily breached, but all of them are vulnerable if the cybercriminal has enough time and skill. 

Our credentials to log into certain websites and programs are not inherently secure. One tactic that has become a common issue is credential stuffing, which might not be a term familiar to you if you are not well-versed in cybersecurity. Unfortunately, you must still be prepared to protect your corporate database from this attack.


What is Credential Stuffing?

“Credential stuffing” might sound like a strange phrase, but it is one of the more common and dangerous cyberattacks in recent history. The practice relates to the credentials we use to access our countless accounts throughout the day. We all make different accounts since many daily activities and obligations are automated through online domains. 

Some accounts are innocuous entertainment profiles for websites like Netflix or Hulu, while others are social media accounts like Twitter or Instagram. We even maintain profiles for online shopping on websites like Amazon or eBay, which allow us to purchase things without leaving the comfort of our homes. These profiles, and countless others, have redefined our experience in modern society, but they all come with an inherent issue. Online commerce puts sensitive information on a network that anyone with the proper login credentials can access.

Our login credentials are meant to restrict access to our personal profiles so that only we can log onto the website. These credentials usually consist of an e-mail address (some websites allow usernames unique to the platform instead) and a password we create to protect against unauthorized access. 

Every major cybersecurity expert and organization agrees that, while most of us only have one or two e-mail addresses, no one should reuse the same password, or a slight variation of it, across multiple accounts. 

For example, your password for Netflix should radically differ from your password for your e-mail account. Unfortunately, not everyone follows this advice and recycles the same password, so they are not forced to memorize multiple passwords. This is where credential stuffing becomes a threat. Credential stuffing might sound like a brute-force attack to break into an account, but it is actually a much more advanced attack on a far larger scale.


Credential stuffing is a byproduct of a previous, successful cyberattack that gives cybercriminals access to someone’s login credentials on a website. Usually, these credentials are acquired following a data breach within a large company that the cybercriminal uses to acquire the customers’ login information. 

Once they have that information, they build an automated system that takes the credentials acquired from one website and uses them to try to access accounts on other websites. For example, let’s say Instagram’s defenses are breached, and thousands of users have their e-mail addresses and passwords stolen from Instagram’s database. The cybercriminal would use those details to try to access other things like bank accounts, shopping profiles, and streaming services. 

The difference is that those platforms all contain financial information like credit card numbers, billing addresses, and other details from which criminals could profit.

Credential stuffing differs from traditional brute-force attacks because of the automation. Cybercriminals do not have to guess passwords since they acquired them from another platform. Instead, they use automated login attempts on a large scale to use a victim’s login credentials on multiple platforms on which they might have an account.
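The automation described above leaves a recognizable trace in authentication logs: one source trying many different accounts, roughly once each, with a high failure rate, which looks nothing like a brute-force attack (one account, many guesses). The following detector is an added example, not code from the original article; the log format and the RFC 5737 documentation addresses in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): one line per login attempt.
# 203.0.113.5 walks through six different users once each (stuffing);
# 203.0.113.77 hammers a single account (brute force); the rest is normal.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=198.51.100.7 user=alice result=OK
2024-03-01T09:00:05Z ip=198.51.100.9 user=bob result=FAIL
2024-03-01T09:00:09Z ip=198.51.100.9 user=bob result=OK
2024-03-01T09:01:00Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T09:01:00Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T09:01:01Z ip=203.0.113.5 user=carol result=FAIL
2024-03-01T09:01:01Z ip=203.0.113.5 user=dave result=OK
2024-03-01T09:01:02Z ip=203.0.113.5 user=erin result=FAIL
2024-03-01T09:01:02Z ip=203.0.113.5 user=frank result=FAIL
2024-03-01T09:02:00Z ip=203.0.113.77 user=admin result=FAIL
2024-03-01T09:02:01Z ip=203.0.113.77 user=admin result=FAIL
2024-03-01T09:02:02Z ip=203.0.113.77 user=admin result=FAIL
2024-03-01T09:02:03Z ip=203.0.113.77 user=admin result=FAIL
2024-03-01T09:02:04Z ip=203.0.113.77 user=admin result=FAIL
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

def summarize(log_text):
    """Per source IP: total attempts, failures, and the set of distinct users tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, user, result = m.groups()
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
        if result == "FAIL":
            stats[ip]["failures"] += 1
    return stats

def classify(log_text, min_users=5, max_attempts_per_user=2.0, min_fail_rate=0.8):
    """Label each source IP as credential-stuffing, brute-force or normal.
    Thresholds are illustrative; tune them to your own traffic baseline."""
    verdicts = {}
    for ip, s in summarize(log_text).items():
        users = len(s["users"])
        per_user = s["attempts"] / users
        fail_rate = s["failures"] / s["attempts"]
        if users >= min_users and per_user <= max_attempts_per_user and fail_rate >= min_fail_rate:
            verdicts[ip] = "credential-stuffing"   # many accounts, ~1 try each, mostly failing
        elif users == 1 and s["attempts"] >= 5 and fail_rate >= min_fail_rate:
            verdicts[ip] = "brute-force"           # one account, many guesses
        else:
            verdicts[ip] = "normal"
    return verdicts
```

Note that the one `OK` inside the stuffing burst (user `dave`) is the most important line in the sample: it means a leaked password worked, so that account should be reset and its session revoked, not just the source blocked.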

How Does This Affect Businesses?

Considering businesses are large organizations rather than individuals with somewhat predictable login credentials, you might assume credential stuffing has nothing to do with your company. Unfortunately, businesses are no more immune to credential stuffing attacks than their customers are. A credential stuffing attack can be harsher on companies because they store sensitive information about the business and its customers. 

The data breach we mentioned in the previous section is one of the leading issues that cause credential stuffing risks for individuals. Unfortunately, a cybercriminal can launch a credential stuffing attack on a business without targeting the entire network. Depending on your business’s services, you likely have a central network that your company uses to let employees access information relevant to their role. Accessing this network is typically restricted with login credentials, just like an ordinary website or network.

While having your employees use login credentials to access your in-house network is an effective strategy, it opens them up to the same weaknesses. Most companies allow their workers to personalize their passwords, even if their company e-mail address or username is premade. As a result, many professionals might create passwords similar to or identical to those they use on their personal accounts. 

While this makes accessing the network more convenient for the employee, it does not help the business maintain a secure network. If your employees use the same password for work they use in their personal lives, any breaches involving their data put your network at risk. If one of your employees is the victim of a data breach via a service they use (Netflix, Amazon, etc.), then their password might be stolen by the responsible party. On the surface, this has no impact on your business, but if your employee uses the same password for their work credentials, a credential stuffing attack might extend to their corporate login.


It is not complicated to figure out where someone works, especially since most social media platforms allow users to list their employer. Therefore, a cybercriminal could use that information to try and access your employee’s work login and access the data they handle for their job. 

This endangers clients under that employee’s purview since their information could be stolen due to your employee’s carelessness. This is especially problematic if your company uses third-party platforms to store information or access data. If the right employee’s information is stolen, your entire consumer base could be at risk of credential stuffing attacks (assuming their financial data is not already on file with your company).

Essentially, a business is the first stop for cybercriminals who employ credential stuffing attacks since it gives them a shopping list of potential victims. Other cyberattacks could jeopardize your network, but credential stuffing is a common enough problem that you must be vigilant against it. Fortunately, it is possible to protect your network against this particular attack if you exercise the proper security measures. The question is a matter of what those security measures entail.

Enforce Enhanced Passwords

One of the biggest ways to protect against credential stuffing attacks is to require your employees to maintain high-quality, unique passwords. Typically, most passwords are unique and combine letters, numbers, and symbols, but their effectiveness is reduced when the same password is recycled. It is within your rights to enforce a company policy mandating that all employees create passwords meeting certain criteria. You can require company passwords with capital letters, numbers, and symbols to enhance their strength. 

You might even be able to require the passwords to meet a certain character length. Enforcing the latter makes it more difficult for your employees to recycle their personal passwords for an office setting. Mandating a minimum length of 12 characters is highly effective since the best passwords typically have at least 11. This is also ideal since the average person only has a password of between 8 and 10 characters.


While you cannot force your employees to reveal the passwords they use for personal accounts, you can institute these regulations to maintain a standard for in-house passwords. Unfortunately, some individuals already use passwords that meet these criteria for their own accounts, so a work password that satisfies the policy may still be a reused one. Therefore, enforcing enhanced password regulations is insufficient on its own to protect against credential stuffing. Fortunately, there is another option that may be even more effective.

Institute Multi-Factor Authentication Practices

Login credentials are designed to be the first layer of protection for most accounts, especially online platforms. While a strong password can ward off amateur hackers and cybercriminals, those with a storied history of cyberattacks can bypass them. Credential stuffing allows them to attack many accounts simultaneously, but it is an automated attack that can only replay what was stolen: a username and a password. 

Passwords and usernames can be acquired from databases because they are immutable details that are repeatedly entered to access a specific platform. Fortunately, many websites and security tools allow for two-factor or multi-factor authentication. This adds a secondary layer of security by requiring details that are not digitally stored and vary depending on the type:

  • Two-Factor Authentication: Two-factor authentication involves the same credentials normally used to log into a profile. The difference is that once the username and password are entered, the user must also enter additional information.
  • Multi-Factor Authentication: Multi-factor authentication is similar to two-factor authentication but takes it a step further. Rather than only requiring one additional piece of information, multi-factor authentication requires at least 2 additional login credentials.

Multi-factor authentication is considered the safest and most effective option since even credential stuffing attacks cannot access everything. Some tools employ codes that constantly change and must be entered whenever the user attempts to log in. This method ensures the secondary credential is never static and cannot be memorized while also only providing the code when the user has physical access to their mobile device. 


Other forms of secondary authentication involve biometric identification like fingerprints or facial recognition. Not every office can afford biometric authentication, but it prevents cybercriminals from accessing a profile without physical access to their victim.

Employing multi-factor authentication is one of the best ways to secure your network against credential stuffing. Since the attack relies on passwords and usernames, it is almost impossible for the attack to compensate for additional authentication measures. Unfortunately, credential stuffing is only one kind of cyberattack in a world where new tactics are being devised daily. The only true way to defend against cyberattacks is to maintain a fully staffed cybersecurity team, which can be difficult if you do not have the resources for an in-house team.

Technically Speaking…

Credential stuffing is a common cyberattack but not the most dangerous. There are countless cybercriminals in the world who have the knowledge to launch more advanced attacks with more advanced programs. Nevertheless, protecting against credential stuffing is essential to protecting your business and your customers. Fortunately, credential stuffing is relatively easy to counteract if you institute the proper protocols and tools. Unfortunately, your biggest issue will be defending against other attacks since you will need a full complement of cybersecurity experts. If you cannot create an in-house department, there are still options.


We at U.S. Cybersecurity know how important it is to protect yourself against cyberattacks, which is why we refuse to let any company go without a proper defense. We offer full cybersecurity services on a third-party basis, allowing you to forgo the expense and hassle of creating an in-house team. We can create password protocols and institute multi-factor authentication for your team, so credential stuffing is a distant concern. We can also protect you from more complex and devastating attacks. We encourage you to visit our website and secure your network. We are standing by and ready to assist you.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.