What is Credential Stuffing?

How data breaches affect you, your family, and your friends.

Credential stuffing, put simply, is when an attacker tries to log in to an online account with a username and password that come from some other service. The magnitude of this seemingly old problem has grown dramatically because of three distinct reasons.

  1. People frequently reuse passwords.
  2. Companies are being breached at staggering rates leading to enormous credential spills.
  3. Globally distributed infrastructure is cheaper and easier to use than ever.

More than 80% of users reuse passwords and 2017’s breaches alone offered up billions of usernames and passwords in credential spills. With such high numbers it is all but guaranteed that you’d be able to find some combinations that are valid on many popular sites. Combine all of this with fantastically cheap cloud solutions and thousands of insecure IoT devices available for botnets, you get the makings of a genuine global threat to individuals and companies alike.

All the downstream fraud can look different from person to person, company to company, it’s easy to not clearly see there is a root cause other than “criminals are bad.” Walking the fraud back to the breach is how you can fill in the gaps and can start to protect yourself from being vulnerable at the different stages.

The path from a data breach to real world pain
“But I have strong, unique passwords for my important accounts”

Criminals are creative and can find a way to use anything for financial gain. It all boils down to the fact that every account you have created has some value stored in it, even if it is not tied to any credit cards or bank accounts. For some accounts it might be just that there’s a bit more data that can be added to an attacker’s database and used later. At the least, every account has some amount of trust stored up in it, this is especially true for services like forums, gaming, and social media. People trust you on those sites and you trust others. This shared trust enables people to be taken advantage of, socially engineered, or phished much more easily.

How do I protect myself?

If your password hygiene has been questionable up to this point, it’s time to probably start changing passwords. Invest in a good password manager — I use 1Password and have had good experiences with it. Enable multi-factor authentication wherever possible.

Check Troy Hunt’s www.haveibeenpwned.com to see where you already may have been breached just to get an idea of what’s is definitively out there. This is certainly not exhaustive, please don’t mistakenly believe you are in the clear if nothing pops up. Not all breaches are discovered and those that are get reported a whopping 15 months after the incident on average.

There’s a lot more on this topic, follow this account (Jarrod Overson) to get notified of new posts on the topic in the future.

How do I help others?

The least technical are the most vulnerable

So you use a password manager, have unique passwords everywhere, and have multi-factor authentication turned on every where you can. Does your father? Your sister? Your best friend? Your coworker? Everyone is vulnerable and the people who know the least about the problem are more likely to be the most damaged by it. Credential stuffing is not a well recognized threat even in technical circles. When public awareness of threats is low then everyone is more vulnerable. It’s up to us to talk about it with our family, peers, and coworkers.

Help others with their password hygiene

Help them get set up with a password manager, install it on their computers and show them how to use it. Do you remember getting your friends and family set up with Firefox and then Chrome? This is how you help them now.

Teach people about multi-factor authentication and why it’s important. Print out their backup codes for them and store them in a folder. Go over password patterns (described at the bottom of this post) as a fallback if this is just too much for them to deal with at the moment.

Minimize the damage of account takeovers

Educate others on the signs of an account takeover like unexpected emails from a service alerting the user that an address or email has been changed. Let them know what should be done in a situation where they fear they are in the midst of a takeover and offer to be on call to guide them through. This topic is worthy of a post on its own so, again, please follow me here or on twitter at @jsoverson if you are interested in follow up posts.

Have you ever been a victim of an account takeover?

Please reach out to me with your story via email or twitter! Threats like these resonate much more strongly when there are stories about real world incidents and I would love to write about them. I have my own that I will certainly be following up with.

Good luck, stay safe, and please feel free to message me with questions.