Hacked? Don’t Know How? It’s Called Credential Stuffing

We regularly see complaints about accounts that have been hacked. This is certainly not always due to the victim’s own negligence. Passwords are not always secret anymore, no matter how complex they are. How is that possible? Keep reading to understand how credential stuffing compromises your accounts.

What is Credential Stuffing?

Credential stuffing has become a serious problem over the years. In 2012, for example, hackers breached LinkedIn and Dropbox. This caused a massive spike in credential stuffing victims. But what exactly is it, and how does it work?

Credential stuffing is a type of cybercrime: an automated process in which credentials stolen in a data breach are used to gain access to other, unrelated accounts of the same user. Over the years, fraudsters have gained billions of credentials as a result of data breaches.

A whole underground economy supports credential stuffing, creating perfect conditions for the crime. The attackers abuse thousands of websites each year, including travel websites, e-commerce, financial services, and many more companies. On Complain.biz we have seen hundreds of these cases.

Every widely known company with an online presence has been a victim of credential stuffing in the past years.

The dark web is filled with databases of people’s personally identifiable information (PII) such as full name, bank account number, email address, passwords, etc. A database of about 500,000 (5 lakh) users is worth 1,000 to 5,000 US dollars in bitcoin.

What is a Data Breach?

We have all heard about companies getting breached or a team of agents hacking into government systems to compromise military secrets. But what exactly is a data breach, and has it ever happened to you?

It’s quite simple. A data breach is an incident where information is stolen or taken from a database without the knowledge or authorization of the database’s owner.

When it is deliberate (black hat), the hackers crack the database so they can sell a list of usernames and passwords on the dark web. All your private data, credentials, and other sensitive information are at risk and prone to falling into the wrong hands.

Do you want to know if your credentials have fallen victim to such an incident? You can check it on Have I Been Pwned.

HIBP is a website that tracks over 8.5 billion compromised credentials from over 410 data breaches. It helps you check whether your personal data has been compromised in a (known) data breach.
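Besides looking up an email address, HIBP lets you check a password without sending it anywhere: the client hashes the password, sends only the first five hex characters of the SHA-1 hash, and matches the returned suffixes locally (the "k-anonymity" range scheme). The block below is an added example, not HIBP's own code; the range response is a constructed stand-in for the real network reply (real endpoint shape assumed: `https://api.pwnedpasswords.com/range/<prefix>`), and its counts are made up.

```python
"""Offline demonstration of the HIBP Pwned Passwords k-anonymity check.
Added example code, not the Have I Been Pwned site's own implementation."""
import hashlib

# CONSTRUCTED stand-in for the body of GET /range/5BAA6 so the example
# runs offline. Format: <35-hex-char suffix>:<count>. Counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E2AAA439E8A23B5D5D9F5B7E2B1A2C3D4E:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0D3A2B4C5D6E7F8091A2B3C4D5E6F7A8B:2
"""


def hash_parts(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix).
    Only the 5-character prefix would ever leave the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the bucket; 0 means not found."""
    _prefix, suffix = hash_parts(password)
    return parse_range(range_body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample")
```

In real use you would fetch the range body for `hash_parts(pw)[0]` over HTTPS and feed it to `breach_count`; a non-zero result means the password is known to attackers and should never be reused.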


Role of Passwords

You have been putting up with all the security complexity: checking boxes to prove you’re not a bot, and making passwords longer because of the extra security measures websites are taking.

However, we have learned to respond to password complexity rules by choosing a few typical passwords that meet the criteria (upper case, lower case, and numbers). Then we reuse those same passwords for all our accounts across the web.

Most people are guilty of setting the same password for their Yahoo, Gmail, and Facebook accounts. This is where we make it easier for hackers to do their job: they extract the database of one website, and they have the password to all your accounts on the web.

How Credential Stuffing Works

We have heard about hacked accounts on prominent marketplaces like Wish and Amazon too. When hackers take over a user’s account, they change the email address, purchase items, and use the victim’s credit card to pay.

Credential stuffing is the answer to how they manage to gain access. The attackers have a massive list of credentials that they try to “stuff” into the login pages of different sites. They use bots to automate the whole stuffing process.

Since users have the same passwords for their accounts across multiple websites, the attackers can unlock multiple accounts with one password. Moreover, statistics show that approximately 0.1% of breached credentials tried against another service will log in successfully.

The attackers might try to breach a department store and use the obtained credentials to log in to a bank site. They are hoping that the store customers have the same credentials for their bank accounts as well.

Worst of all, even if a password does not work for an account, it is not very difficult for them to reset it. Thanks to the massive amount of personal information they have gained, it is easy to trick customer service agents into performing account recovery.
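From the defender's side, the pattern described above has a recognisable signature in login logs: one source address trying many different usernames in quick succession with mostly failures, unlike a real user who retries one username. The block below is an added example (not code from this site or any product) that scores constructed log lines per source IP and lists the accounts that did log in successfully from a flagged source, since those are the ones to force-reset first.

```python
"""Flag credential-stuffing traffic in login logs. Added example with
CONSTRUCTED log lines; the line format and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave result=OK
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:09Z ip=198.51.100.4 user=alice result=OK
"""
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize(log: str) -> dict:
    """Per source IP: total attempts, distinct usernames, failures, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "ok_users": set()})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "OK":
            s["ok_users"].add(m["user"])
        else:
            s["fails"] += 1
    return stats


def flag_stuffing(log: str, min_users: int = 5, min_fail_ratio: float = 0.8) -> list:
    """IPs that tried at least min_users distinct usernames with a high failure ratio."""
    flagged = []
    for ip, s in summarize(log).items():
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(log: str) -> list:
    """Usernames that logged in successfully from a flagged source: the ~0.1% hits."""
    stats = summarize(log)
    return sorted(u for ip in flag_stuffing(log) for u in stats[ip]["ok_users"])
```

Running `flag_stuffing(SAMPLE_LOG)` flags only the source that cycled through six usernames; the user retrying one account is left alone, and `compromised_accounts` names the single account the bot actually got into.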

How Big is the Problem?

It is huge! From 2017 to 2019, Akamai, a content delivery network (CDN), detected 55 billion credential stuffing attacks. Akamai found that attackers most often targeted retail sites, video-streaming services, and entertainment companies. Because the company defined a credential stuffing attack as a login attempt using an email address, financial firms did not show up often in the data set, as most financial firms do not allow customers to log in with an email address.

Can You Stop Credential Stuffing?

Frankly, credential stuffing is challenging to defeat. Websites don’t always have a foolproof way of defending themselves, and once the hackers get hold of the credentials, they are hard to stop.

However, the main weakness in all these hacks is the same: one password reused across multiple sites. Even the most complex password cannot save an account once it has leaked, but that doesn’t mean you have to compromise all your other accounts along with it.

The best way to protect your accounts from credential stuffing is to use a different password for each of your online accounts. You can also reduce the risk by avoiding risky practices like using your credit card on suspicious sites.

Additionally, you should always keep your software updated and use security software such as malware blockers to reduce the risk. Also use two-factor verification wherever you can. If a web service doesn’t offer it, complain about it openly to get attention. We also advise changing your passwords once in a while. There are many password managers to help you with all this.

And keep in mind: if you have indeed fallen victim to a credential breach, change all your passwords right away!
