Despite the best efforts of users to adopt strong password practices, credential stuffing remains a significant cybersecurity threat. Attackers acquire lists of compromised usernames and passwords from data breaches or phishing campaigns and use software to test those credentials against various websites on a massive scale.
Typically, attackers launch login attempts from computers infected with malware or from poorly secured IoT devices such as routers or security cameras. They also often employ proxies to distribute the login attempts so they can evade detection by website defense mechanisms.
Deciphering Credential Stuffing Attacks: A Threat Analysis
Although credential-stuffing attacks may be low risk for cybercriminals, they're devastatingly costly for victims, including large enterprises and small businesses alike. According to a 2017 report from Shape Security, credential stuffing cost US businesses over $5 billion each year.
In many cases, successful attacks lead to account takeovers and other more sophisticated cyberattacks such as phishing or ransomware deployment. Attackers can then leverage the compromised information to infiltrate internal networks, target employees with phishing attacks and even launch an exploit kit that could be used to deploy ransomware across the organization.
To mitigate these threats, businesses must rely on a combination of technical and non-technical security measures. These include implementing strict password policies, requiring multifactor authentication (MFA) and educating employees about how to protect their accounts. Organizations should also deploy security tools to monitor and detect suspicious activity, such as a sudden spike in failed login attempts that would signal an ongoing attack.
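The monitoring described above has to count failed logins site-wide rather than per source address, because the proxies mentioned earlier keep each individual IP at low volume. The following Python sketch is an added example, not code from the original article; the log format, thresholds, field names and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def sample_log():
    """Constructed auth log lines: '<UTC time> <source IP> <username> <OK|FAIL>'."""
    lines = [
        "2024-01-01T10:00:05Z 198.51.100.7 alice FAIL",   # ordinary typo...
        "2024-01-01T10:00:40Z 198.51.100.7 alice OK",     # ...then success
        "2024-01-01T10:01:12Z 198.51.100.9 bob OK",
    ]
    # Burst: 20 failures in one minute, spread over 10 proxy IPs and 20 accounts.
    for i in range(20):
        lines.append(f"2024-01-01T10:02:{2 * i:02d}Z 203.0.113.{i % 10 + 1} user{i} FAIL")
    # One reused password works from an IP that is part of the burst.
    lines.append("2024-01-01T10:02:45Z 203.0.113.3 carol OK")
    return lines

def detect_stuffing(lines, min_failures=10, min_users=8):
    """Return per-minute windows whose site-wide failures look like stuffing."""
    fails = defaultdict(list)   # minute -> [(ip, user)] for failed logins
    oks = defaultdict(list)     # minute -> [(ip, user)] for successful logins
    for line in lines:
        ts, ip, user, result = line.split()
        minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(second=0)
        (fails if result == "FAIL" else oks)[minute].append((ip, user))
    alerts = []
    for minute, events in sorted(fails.items()):
        users = {u for _, u in events}
        per_ip = defaultdict(int)
        for ip, _ in events:
            per_ip[ip] += 1
        # Stuffing signature: many failures across many distinct accounts.
        # Counting site-wide matters because each proxy IP stays low-volume.
        if len(events) >= min_failures and len(users) >= min_users:
            alerts.append({
                "minute": minute.strftime("%H:%M"),
                "failures": len(events),
                "distinct_users": len(users),
                "max_failures_per_ip": max(per_ip.values()),
                # Successes from IPs seen failing in the burst: likely takeovers.
                "review_accounts": sorted({u for ip, u in oks[minute] if ip in per_ip}),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing(sample_log()):
        print(alert)
```

In the constructed sample no single IP exceeds two failures in the flagged minute, so a per-IP lockout rule would stay silent while the site-wide count and the distinct-username count both stand out.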