Credential Stuffing Attacks Are On the Rise

Posted Dec 01, 2020
Reviewed Jan 16, 2024

One of the most common pieces of advice about online security is to change your passwords on a regular basis. As it turns out, this common sense approach is more important than ever. Federal agencies and cybersecurity experts have all issued recent warnings about an escalation in so-called credential stuffing attacks.

Last week, VPNMentor issued an incident report about the targeting of user accounts on the Spotify music streaming platform. The attacks potentially exposed the accounts of up to 350,000 members.

The Securities and Exchange Commission also issued a recent risk alert highlighting an escalation in credential stuffing attacks against investment advisors and brokers. To further underscore the threat, the Federal Bureau of Investigation issued its own Private Industry Notification for financial institutions.

How Credential Stuffing Works

Credential stuffing is a hacking technique that employs automated tools and botnets to attempt user authentication across multiple online platforms using credentials stolen in data breaches. The process takes advantage of the fact that many people tend to use the same login credentials for several of their user accounts.

The process is similar to brute force hacking, in which attackers can successfully guess a common or particularly weak password. But credential stuffing works far more effectively. It relies on access to even strong passwords that are being reused. Then automation makes the process of testing other accounts much more efficient.

For example, attackers can carry out attacks on a massive scale by using automated bots that fabricate IP addresses. This allows for simultaneous authentication attempts across multiple platforms. It also allows attackers to avoid security protocols that block access when an IP address has too many failed login attempts.

How Big Is the Threat?

Hackers regularly trade in billions of stolen credentials. This stolen data is the fuel for credential stuffing attacks. In one study, cybersecurity analysts at Akamai detected 55 billion credential stuffing attacks over a 17-month period between November 2017 and March 2019.

The study found that certain industries were more likely to be targeted than others. The financial sector, retail, media streaming and gaming industries were heavily targeted. But the report concluded that no industry was safe from potential attack. Hackers have even exploited customer loyalty programs.

Warning Signs of an Attack

Given the prevalence of stolen data circulating freely online, it’s increasingly likely that companies large and small will experience an attack. Here are some guidelines that cybersecurity experts say can help you spot an attack:

  • Pay attention to multiple login attempts on multiple accounts
  • Take note of any jump in site traffic as well as recorded downtime caused by it
  • Analyze use cases when you see higher than normal login failure rates
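The warning signs above can be turned into a check over authentication logs. The following is an added example, not part of the original article: it groups login events into time windows and flags a window where many different accounts fail at once, even when no single IP address fails often enough to trip a per-IP lockout. The log format, thresholds, and function names are assumptions, and the log lines are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def constructed_log():
    """Constructed sample lines: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    # Baseline window (09:00): ordinary logins, one user mistypes a password.
    lines = [f"2024-01-16T09:00:{i:02d}+00:00 198.51.100.{i} user{i} OK" for i in range(1, 9)]
    lines.append("2024-01-16T09:01:00+00:00 198.51.100.3 user3 FAIL")
    # Suspicious window (10:00): each account is tried once, each from a different IP.
    lines += [f"2024-01-16T10:00:{i:02d}+00:00 203.0.113.{i} acct{i} FAIL" for i in range(1, 20)]
    lines.append("2024-01-16T10:00:30+00:00 203.0.113.20 acct20 OK")
    return lines

def analyze(lines, window_s=300, per_ip_limit=5, max_fail_rate=0.5, min_failed_users=10):
    """Summarise login events per time window and flag likely credential stuffing."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        start = int(datetime.fromisoformat(ts).timestamp()) // window_s * window_s
        buckets[start].append((ip, user, result == "FAIL"))

    report = []
    for start in sorted(buckets):
        events = buckets[start]
        fails = [(ip, user) for ip, user, failed in events if failed]
        fails_per_ip = Counter(ip for ip, _ in fails)
        failed_users = {user for _, user in fails}
        fail_rate = len(fails) / len(events)
        report.append({
            "window": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "attempts": len(events),
            "fail_rate": round(fail_rate, 2),
            "failed_users": len(failed_users),
            "source_ips": len({ip for ip, _, _ in events}),
            # What a per-IP failed-login lockout alone would have noticed.
            "per_ip_lockout_hit": any(n >= per_ip_limit for n in fails_per_ip.values()),
            # Aggregate view: many accounts failing together, regardless of source IP.
            "stuffing_suspected": fail_rate >= max_fail_rate
                                  and len(failed_users) >= min_failed_users,
        })
    return report

if __name__ == "__main__":
    for row in analyze(constructed_log()):
        print(row)
```

In the constructed data, the 10:00 window is flagged by the aggregate check while the per-IP lockout never fires; thresholds should be tuned against a site's own normal login failure rate.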

Common Sense Steps to Protect Your Accounts

Keeping yourself safe from cyberattacks can be daunting. So much of our personal information exists in digital form. And malicious actors seem to get better each year at finding and stealing it for their own gain. But here are some practical steps to limit your exposure.

  • Don’t duplicate credentials: Never use the same credentials for multiple accounts. Credential stuffers are banking on the fact that you will. So make sure you disappoint them.
  • Set a strong password: Don’t use anything obvious. If necessary, use a password manager program that allows you to easily store even the most complex credentials without the fear of forgetting them.
  • Change your passwords regularly: Data breaches happen quite regularly. And you might not hear about the possible exposure of your credentials. Regularly changing passwords can be a good preventative measure.
  • Use multi-factor authentication: Make sure that you add this extra layer of protection to all accounts that have the capacity for it.

As new data security threats evolve, technological solutions need to keep up. At SecureData, we pride ourselves on providing industry-leading strategies to keep your information safe from those who try to exploit it.

Our SecureDrive and SecureUSB hardware encrypted storage devices feature DriveSecurity® antivirus software powered by ESET, FIPS 140-2 Level 3 Validation, hack-proof interior design, and remote management capabilities to protect against data breaches if they are lost or stolen.

Philip Bader

After more than a decade in Southeast Asia as a reporter and editor for magazines, newspapers, and online media organizations, Philip Bader now serves as a freelance content writer for Secure Data Recovery Services. He writes blogs and web content about data storage technology, trends in enterprise data recovery, and emerging data storage technology.
