This technique is becoming very popular with the rise of data breaches.
It’s tempting to re-use the same password for multiple online accounts. Many of us have done it (it’s OK; this is a safe space). Convenient as it seems, this habit puts you at high risk of being hacked via credential stuffing.
This type of attack recycles previously stolen passwords to gain access to a user’s other, unrelated accounts. Password reuse across multiple online logins is exactly what fuels successful credential-stuffing attacks.
Even if you have a “strong” password, no amount of capital letters and numbers will protect you if it’s used for every account. When password reuse is discovered, it creates an all-access pass for attackers. That means they gain entry into protected accounts full of personal and private information.
The difference between a brute-force attack and credential stuffing is this: brute-force attacks make repeated attempts to guess your password, while credential stuffing directly attempts to log in using known stolen credentials from publicly or privately available breaches.
For the sake of example, let’s say a user has an account on ABC.com. One day, a hacker breaches the site.
Fast-forward a couple of months. An online attacker targets a company called Acme Corp., an organization that rarely has users update their passwords. The online attacker gets their hands on a list of Acme employees. They search the ABC.com breach from a few months ago for accounts Acme employees had on ABC.com.
In this process, the hacker finds an email address associated with an ABC.com account. The hacker uses the breach to collect this email address and its associated password. Using this password, under the assumption it’s reused, the attacker attempts to log in to the organizational email portal.
And ... cue the victory music ... success. The hacker logs into this user’s account, because they now have valid credentials without having to brute-force a login portal.
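The brute-force versus credential-stuffing distinction above also shows up in authentication logs: a brute-force source hammers one account many times, while a stuffing source tries each stolen email/password pair once against many different accounts. The following added example (not code from the original post; the log format and thresholds are assumptions) classifies source IPs by that shape, using a constructed sample log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave OK
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:10Z 198.51.100.9 carol FAIL
2024-05-01T10:00:11Z 198.51.100.9 carol FAIL
2024-05-01T10:00:12Z 198.51.100.9 carol FAIL
2024-05-01T10:00:13Z 198.51.100.9 carol FAIL
2024-05-01T10:00:14Z 198.51.100.9 carol FAIL
2024-05-01T10:01:00Z 192.0.2.5 alice OK
"""

def parse_log(text):
    """Parse each line into a (timestamp, ip, user, success) tuple."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, ip, user, outcome == "OK"))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_attempts=5):
    """Label each source IP: stuffing spreads attempts over many accounts
    (one try per leaked pair); brute force hammers a single account."""
    per_ip = defaultdict(list)
    for stamp, ip, user, ok in events:
        per_ip[ip].append((stamp, user, ok))
    verdicts = {}
    for ip, tries in per_ip.items():
        tries.sort()
        attempts, users = len(tries), {u for _, u, _ in tries}
        successes = sum(1 for _, _, ok in tries if ok)
        span = tries[-1][0] - tries[0][0]
        if attempts < min_attempts or span > window:
            label = "normal"
        elif len(users) / attempts >= 0.8:
            label = "credential_stuffing"  # one attempt per account
        elif len(users) == 1:
            label = "brute_force"          # many attempts, one account
        else:
            label = "mixed"
        verdicts[ip] = (label, attempts, len(users), successes)
    return verdicts
```

A single success inside a credential-stuffing burst (here, 203.0.113.7 logging in as dave) is the event worth paging on, since it marks a reused password that has just been confirmed valid.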
The deadly trio that allowed this hack to happen:
Beyond gaining access to multiple online logins, hackers can leverage successful credential-stuffing attacks to:
Take the following precautions to protect your users and your organization from credential-stuffing attacks.
Continuous Human & Automated Security
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.