Credential stuffing is a method what cyber criminals use to break into online user accounts. It is done through utilizing previously stolen user credentials (passwords and usernames). With credential stuffing, hackers use the stolen data in big masses to break into other user accounts across the internet. When successful, credential stuffing can lead to account takeover. It can also lead to online identity theft, when criminals get their hands on personal information stored on online accounts.
Credential stuffing is what hackers do with stolen login credentials
Credential stuffing can only be done when criminals have successfully stolen login credentials from web services, companies, or organizations. Criminals can either steal the credentials themselves in data breaches or data leaks, or buy them from dark web marketplaces. After criminals have acquired the credentials, they start the process called credential stuffing.
They fill the stolen user credentials in masses to other web services to see if they can access them with the same login credentials. They do this with the help of special programs, which speeds up the process significantly. Criminals can do this to as many sites they want but are usually targeting services that include payment information.
As Olli Bliss, cyber security expert from F-Secure explains, “Think of it as taking millions and millions of keys and trying to unlock doors. And these doors are sites and services we use every single day. It could be your Instagram account; it could be your Facebook account, or it could be your login to PayPal. So, cyber criminals are basically just trying to see which combination will unlock these services.”
This is possible because people reuse passwords
What makes credential stuffing possible is that people use the same passwords on multiple accounts. Credential stuffing is basically just testing if the stolen login credentials can be used on other online accounts. If the login credentials are different compared to the stolen ones, hackers can’t get in. At least by utilizing credential stuffing techniques.
It’s a well-known fact that most people reuse their passwords. And sure, it’s easy and convenient. But by doing so, web users make themselves an easy target for credential stuffing attacks. Because web users can’t prevent their login credentials from being exposed in data breaches and data leaks, their protection lies in securing their online user accounts.
Here’s how you can secure your online accounts
Use unique and strong passwords
Using the same or few passwords everywhere endangers all your user accounts when your password gets compromised. Web criminals are well-aware that most people reuse their passwords. When they successfully steal one, they will try it on many user accounts. When you use unique passwords, they can’t access your other accounts with just one stolen password. You can find more on this topic from this blog post. Store your passwords in a password manager for easy access and easier remembering.
Use 2-factor authentication
2-factor authentication is a second barrier in addition to your password that protects your user account. It makes it a lot harder for criminals to use stolen user credentials. Read more about 2-factor authentication and how you can enable it from this blog post.
Get F-Secure ID PROTECTION password manager
F-Secure ID PROTECTION is a handy password manager. You can store and create unique and strong passwords and access them from any device. You can also use it to autofill your passwords when needed. Not only that, ID PROTECTION monitors your personal information online. When a service you use gets breached or a data leak is detected, you will receive an alert with expert guidance on what to do next.