What is Credential Stuffing?

Credential stuffing is one of the most common attacks adversaries use to establish a beachhead in a victim's network. Attackers gather usernames and passwords exposed in multiple breaches, merge them into a single combined list, and then replay those username and password pairs, usually with automated tooling, against the login pages of services the victims also use.

It is well established that employees reuse passwords: LastPass reported in its 3rd Annual Global Password Security Report that the average employee reuses a password 13 times.

Attackers can either collect public breach dumps or buy lists of stolen credentials on the dark web, then merge them as described above. In many cases they end up with several passwords for a single user, which they can then try against every site they want to break into, relying on the user having reused at least one of them.

With so many services now delivered as software as a service (SaaS) directly from the vendor over the Internet, and therefore reachable by anyone with a browser, credential stuffing is fast becoming one of the most common ways a user is compromised. The root cause is reliance on passwords: because users have so many to remember, they often reuse what they believe to be a strong password across many sites, so a breach at any one of those sites exposes all of them.

There are ways to address credential stuffing and reduce the likelihood of an attack succeeding, using a combination of technology controls and education. Single sign-on (SSO), for example, lets architects build solutions where users have fewer passwords to remember. If every application in your business is integrated into an SSO solution, users sign on once with a single password, and the identity provider then authenticates them to every service they access, whether on-premises or in the cloud. Note that SSO concentrates risk in that one credential, so it should always be paired with the multifactor controls described next.

Multifactor authentication (MFA) also reduces the likelihood that credential stuffing can be used against your business. Even if a user's username and password combination is stolen and it is the same one used to access your business systems, an attacker holding only the password still fails the additional factor in the access chain. The protection is only as strong as that second factor: one-time codes can be phished or socially engineered out of a user, so prefer phishing-resistant factors such as FIDO2 security keys where possible.

If you find your business or personal accounts in one of these lists, it does not necessarily mean your service itself was breached; the pair most likely leaked from another site where the same password was reused. Instead, assess your password practices, enforce one of the solutions above, and encourage the use of unique passwords wherever possible.

Furthermore, if a password does appear in a breach, terminate every active session for the affected account and force a password change. The replacement password should itself be checked against known-breached lists before it is accepted, otherwise the user may simply pick another leaked one.
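The response above, as an added example rather than code from the original page or from Sekuro: a small Python script that checks a password against a breach corpus using the same hash-prefix range lookup pattern as Have I Been Pwned's Pwned Passwords API (only the first five hex characters of the SHA-1 leave the caller), and on a match revokes the account's sessions and flags it for a forced reset. The breach corpus, the Account class and the authenticate and set_password helpers are constructed for illustration and are not any real product's API.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample breach corpus: SHA-1 hex digests of passwords that appear in
# public dumps. In production this is a large local file or a range query against
# a breached-password service; these four values are illustrative only.
LEAKED_PASSWORDS = ["password", "Password1", "Summer2023!", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PASSWORDS}

PREFIX_LEN = 5  # k-anonymity: only this many hex chars of the hash are sent/looked up


def range_lookup(prefix):
    """Return every hash suffix in the corpus whose digest starts with `prefix`.

    The caller never reveals the full hash; it compares suffixes locally.
    """
    return {h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password):
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix)


@dataclass
class Account:
    """Hypothetical account record: live session ids plus a forced-reset flag."""
    username: str
    sessions: set = field(default_factory=set)
    must_reset: bool = False


def revoke_sessions(account):
    """Boot every active session for the account; returns how many were dropped."""
    dropped = len(account.sessions)
    account.sessions.clear()
    return dropped


def authenticate(account, password, session_id):
    """Login step that runs after the password has already been verified against
    the stored (salted, slow) hash. The breach check can only happen here or at
    password-set time, because the plaintext is not recoverable from the stored hash.
    """
    if account.must_reset:
        return "reset_required"
    if is_breached(password):
        # Credential is known-leaked: assume every existing session is suspect,
        # drop them all and force a change before any further access.
        revoke_sessions(account)
        account.must_reset = True
        return "breached_reset_required"
    account.sessions.add(session_id)
    return "ok"


def set_password(account, new_password):
    """Reject a replacement password that is itself in the breach corpus.
    Hashing and storage of the accepted password are omitted here.
    """
    if is_breached(new_password):
        return False
    account.must_reset = False
    return True


if __name__ == "__main__":
    alice = Account("alice", sessions={"sess-1", "sess-2"})
    print(authenticate(alice, "Summer2023!", "sess-3"))   # leaked: sessions revoked
    print(alice.sessions, alice.must_reset)
    print(set_password(alice, "letmein"))                  # also leaked: rejected
    print(set_password(alice, "correct-horse-battery-staple-7Q"))
    print(authenticate(alice, "correct-horse-battery-staple-7Q", "sess-3"))
```

Because the stored password hash is one-way, this check can only run while the plaintext is in hand, at login or at password change; a separate sweep of a live breach feed against stored hashes is only possible where the feed publishes the same hash format you store, which it generally does not.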

For more information on credential stuffing, or any of the above mitigation strategies, including how security awareness training can assist with your security culture, contact Sekuro today to talk to an expert.
