Credential stuffing is a kind of attack in which the attackers acquire credentials through privacy breaches to gain unauthorised access to the victim’s accounts or devices.
The credentials are usually obtained through a few ways, some attackers use social engineering scams, others comb through databases of compromised credentials while the rest just purchase credentials on the dark web.
When the attackers obtain the credentials, they can test them on random accounts. If they are successful and access a victim or victims, they can decide to steal the target’s sensitive information or hold them for ransom.
How does a credential-stuffing attack occur?
- When a service or a site you frequently use is the target of a cyberattack, sensitive user data can also get leaked.
- When an attacker acquires leaked credentials from a database and attempts to access popular platforms such as Twitter, Instagram, and Gmail.
- When users repeat passwords across different websites, all a hacker needs to do is get their hands on one password and they can compromise all your accounts and devices.
Ways to block credential stuffing
- Password updates: Use hard-to-guess passwords and regularly change them, especially on accounts and devices with sensitive data you wish to keep private.
- Create multi-factor authentication: With multi-factor authentication, hackers will be unable to access your account even with your password.
- Monitor cybersecurity news: Major breaches will make the news, so it is best to stay informed to protect yourself from experiencing the same thing.