Credential Stuffing Prevention: A complete checklist for 2021

July 28, 2021

Credential stuffing prevention is one of the most significant cybersecurity defences a website or organization can implement today. By securing and protecting your users’ data with account takeover prevention methods, you can go a long way towards stopping costly and embarrassing breaches.

Credential stuffing attacks are among the most common causes of data breaches. This technique is made possible because around 65% of all people reuse passwords on multiple accounts, meaning that once account-cracking hackers have that information, it’s simple to reuse it.

The scale of credential stuffing attacks is only increasing globally. A 2020 study by Risk Based Security found that the number of reported data breaches more than halved compared to the same period 12 months prior. However, more than 27 billion records were compromised in six months - nearly double what was leaked in the whole of 2019.

What is credential stuffing and why do hackers do it?

Credential stuffing is the automated use of usernames and passwords that have been obtained through hacking. These hacks can be coordinated by the party carrying out the credential stuffing attack, or hackers can purchase pre-obtained logins from the dark web.

Automation bots rapidly enter stolen login details across a network of websites, and while they’re only successful around 0.1 - 0.2% of the time, the result can mean private information and credit card details can be easily obtained.

Credential stuffing attacks are popular because they’re able to sweep a wide range of sites much faster than if the information were being entered manually. Not only that, but bots can distribute their requests across different IP addresses, making it nearly impossible to track where the attacks are coming from.

Famous credential stuffing attacks

Even if you haven’t heard the term credential stuffing attack before, there’s a good chance you may have heard of one being carried out:

While the information you have on your Dunkin’ Donuts account may seem insignificant, if you’re using the same password for your online bank account then it can become a much larger (and more expensive) problem.

Checklist for credential stuffing prevention

So what can you do to protect against credential stuffing? Credential stuffing prevention generally involves requiring more than just a username and password to access your accounts.

It may require a little bit of extra effort, but the payoff is protecting your personal information and preventing widespread access to your other accounts.

Here are six of the most effective techniques to protect yourself from credential stuffing attacks.

Multi-factor Authentication

Multi-factor authentication (or MFA) is a back-up to entering your username and password. It often comes in the form of a separate app such as Duo or JumpCloud.

When you log in to your account, your MFA account will push a notification to a pre-arranged device, such as your mobile phone, to check that it’s actually you who’s attempting to get in. If it is, you can simply accept and get access, but your account will be protected if anyone else is trying to break in.

MFA is easy to set up, and many websites are starting to incorporate their own versions as a standard part of the login process.

Passwords and security questions

Like MFA, having passwords and security questions is just another layer of protection beyond your login information.

Questions such as the name of your first pet, the last four digits of your childhood telephone number, or your mother’s maiden name are common security questions that need to be answered correctly in order for someone to get into your account.

The best security questions are simple enough for the user, but the answers are hard to guess, and not available elsewhere on the internet. For example, attack bots may be able to trawl social media to find out your favorite movie, or simply guess what your favorite colour is. However, it’s not likely to be able to figure out the name of the street you grew up on.


CAPTCHA

Captcha is an acronym that stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Captchas are becoming increasingly popular, and you have likely seen one before.

It can come in the form of a picture grid, where you have to identify pictures that contain certain elements, such as a person or a car. It can also involve identifying a random sequence of numbers and letters.

A captcha generator is effective because it randomizes the correct response, so an automated attack bot can’t guess it. Users can’t set up their own captcha, however; it’s something that is integrated into the host website’s login process.

IP Blocking

IP blocking is another security measure that involves preventing users from connecting to a web host. It means that website hosts can essentially turn off access to users based in a specific region, rendering them unable to even get onto the site.

Blocking IP addresses is particularly effective when you can identify suspect IP addresses that are repeatedly attempting to access your accounts. However, it doesn’t work as well when those IP addresses are being randomized or changed.

There are a few different ways to block IP addresses, but often it’s best done through a specific security program such as Kinsta.

Device fingerprinting

Device fingerprinting uses the combination of your activity on one device to confirm your identity. Also known as browser fingerprinting, it’s a tracking technique that is based on your browser and device settings such as screen resolution, location, language and operating system.

This information comes together to make up your device fingerprint. It can also be used as a substitute for cookie data to allow advertisers to trace website activity and target ads to specific types of users.

Cookie data has become increasingly ineffective, meaning your activity on a specific device can now be monitored for whatever purposes the tracker has in mind. That may be as simple as tracking your activity for advertising, but the reasons could also be more nefarious.
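
The IP blocking and device fingerprinting sections above can be combined into one detection check. The following Python code is an added example, not code from the original article: it flags any source (an IP address or a device fingerprint) that tries many distinct usernames with a low success rate inside a time window, which catches a bot that rotates IP addresses but keeps the same device attributes. The thresholds, field names and sample events are constructed assumptions.

```python
import hashlib
from collections import defaultdict, namedtuple

Ev = namedtuple("Ev", "ts ip user ok dev")  # one login attempt
WINDOW = 300       # seconds examined per source (assumed threshold)
MIN_USERS = 5      # distinct usernames that make a source suspicious (assumed)
MAX_SUCCESS = 0.2  # stuffing rarely succeeds; real users mostly do (assumed)

def fingerprint(dev):
    """Hash the attributes the article lists into one device identifier."""
    fields = ("resolution", "location", "language", "os")
    raw = "|".join(str(dev.get(f, "")) for f in fields)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def suspicious(events, key):
    """Map each source that tries many accounts and mostly fails to its peak user count."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[key(ev)].append(ev)
    flagged = {}
    for k, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(users) >= MIN_USERS and sum(e.ok for e in span) / len(span) <= MAX_SUCCESS:
                flagged[k] = max(flagged.get(k, 0), len(users))
    return flagged

def make_events():  # constructed sample data, not real logs
    bot = {"resolution": "800x600", "location": "XX", "language": "en", "os": "Linux"}
    old = dict(bot, os="Windows")
    home = {"resolution": "1920x1080", "location": "AU", "language": "en-AU", "os": "macOS"}
    ev = []
    for i in range(6):   # one noisy IP tries six accounts in a minute
        ev.append(Ev(1000 + 10 * i, "203.0.113.9", f"user{i}", False, old))
    for i in range(8):   # distributed bot: new IP per request, same device
        ev.append(Ev(2000 + 5 * i, f"198.51.100.{i + 1}", f"cust{i}", i == 7, bot))
    ev.append(Ev(2010, "192.0.2.44", "alice", False, home))  # real user mistypes once
    ev.append(Ev(2020, "192.0.2.44", "alice", True, home))   # then logs in
    return ev

if __name__ == "__main__":
    print("by IP:", suspicious(make_events(), lambda e: e.ip))
    print("by device:", suspicious(make_events(), lambda e: fingerprint(e.dev)))
```

Grouping by IP flags only the single noisy address, while grouping by fingerprint also flags the bot that changes IP on every request; the legitimate user who mistypes once is flagged by neither.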

In-depth prevention techniques

There are a handful of more elaborate protection measures you can take to protect your account information and online activity.

  • Multi-step logins. A multi-step login process is similar to MFA, where users need to provide two or more forms of identification. This comes in the form of answering questions. It’s different to MFA because it doesn’t require you to have another device to verify your identity.
  • Block headless browsers. Headless mode is popular among software developers because it allows them to run automated tests. However, it’s also popular among hackers because it can aid the running of automated attack bots. Users can block headless browsers in their browser settings, though advanced hackers are still able to find ways around this.
  • Identify leaked passwords. It’s really easy to check to see if the password to an email address has been compromised. Encourage your customers and staff to check theirs through a site like Avast Hack Check, which has detected more than 5 billion stolen passwords. If you hear of multiple customers having their details stolen, then it could be that your database is the source of the leak.
  • Security notifications. Cybersecurity apps such as Dashlane now allow users to receive custom notifications when any account is compromised. You can create your own customer account with your business, set up a security notification on that account and make sure you know as soon as anything goes wrong.


Credential stuffing prevention is actually really simple, and in a time when cybersecurity risks are only increasing, businesses need to be able to secure customer data. The embarrassment of being the source of a data leak is lasting, and it can be a serious blow to any business.

Cybersecurity and protecting data online is a responsibility websites and businesses have for their account holders, but also for individuals themselves.

A proactive approach to credential stuffing prevention can mean the difference between a straightforward online experience and a whole lot of bother dealing with a data breach, notifying customers and risking the permanent loss of their business.
