It’s tempting to re-use the same password for multiple online accounts. Many of us have done it (it’s OK; this is a safe space). Convenient as it seems, this action puts you at high risk to get hacked via credential stuffing.

What’s credential stuffing?

This type of attack recycles previously stolen passwords to gain access to a user’s other, unrelated accounts. People using the same password for multiple online logins fuels successful credential-stuffing attacks.

Even if you have a “strong” password, no amount of capital letters and numbers will protect you if it’s used for every account. When password reuse is discovered, it creates an all-access pass for attackers. That means they gain entry into protected accounts full of personal and private information.

Sprocket Security Credential Stuffing 02

How is it different from brute-force attacks?

The difference between a brute-force attack and credential stuffing is this: brute force attacks make repeated attempts to guess your password, while credential stuffing directly attempts to log in using known stolen credentials from publicly or privately available breaches.

How does credential stuffing play out?

For the sake of example, let’s say a user has an account on ABC.com. One day, a hacker breaches the site.

Fast-forward a couple of months. An online attacker targets a company called Acme Corp., an organization that rarely has users update their passwords. The online attacker gets their hands on a list of Acme employees. They search the ABC.com breach from a few months ago for accounts Acme employees had on ABC.com.

In this process, the hacker finds an email address associated with an ABC.com account. The hacker uses the breach to collect this email address and its associated password. Using this password – under the assumption it’s reused -- the attacker attempts to log in to the organizational email portal.

And ... queue victory music … success. The hacker successfully logs into this user’s account, because they now have valid credentials without having to brute force a login portal.

The deadly trio that allowed this hack to happen:

  • Password reuse
  • Lack of regular user password resets
  • Poor cyber hygiene

Sprocket Security The Deadly Hacking Trio

Why is this a risk?

Beyond gaining access to multiple online logins, hackers can leverage successful credential-stuffing attacks to:

  • Exploit other vulnerabilities requiring credentials
  • Authenticate to remote desktop or VPN services
  • Access sensitive company information
  • Carry out more complicated phishing attacks

How can I prevent this?

Take the following precautions to protect your users and your organization from credential-stuffing attacks.

  • Implement Multi-Factor Authentication (you can learn more about MFA, here).
  • Make sure users regularly reset their passwords.
  • Ensure updated passwords cannot be identical or similar to previous ones.
  • Include an explanation of credential stuffing and prevention methods in your security awareness training.
  • Register for services that monitor breach data. These will notify you if users with your domain are identified in a breach. Try haveibeenpwned -- specifically, its domain search services -- to check if you have an account that’s been compromised in a data breach.
  • Continuously audit users’ passwords against commonly used password lists and breach data.
  • Only expose vital authentication endpoints.