Everything You Should Know About Credential Stuffing

Kamel Amroune | 1:00 pm, 22nd September

Do you use the same password across multiple channels? For example, your Amazon password for your Etsy account?

Do you use key identifiers as part of your email ID or password or app pin code? For example, your birthdate or pet name?

If yes, be careful: you could very easily fall prey to a credential stuffing attack.

What is credential stuffing?

Credential stuffing is an attack in which the hacker uses already-compromised credentials to force their way into your digital accounts and software. Your credentials are stolen from one platform or organization and then used to access your accounts at another. So, for example, the hacker will use your Facebook password to check whether you’ve used the same password for your banking app.

If you have ever received an email from an app alerting you to immediately change your credentials, chances are your credentials were leaked and your account breached.

Hackers use a combination of malware and bots to collect email IDs, passwords, app pin codes and other credentials from millions of people. The use of automation not only helps them reach more people but also speeds up the attack. Studies show that on average, 4,800 websites a month are compromised by hackers and at least 0.1% of all credential stuffing attempts result in a successful account login. While this may look like a low success rate, the sheer number of credential stuffing attacks that take place every day makes this threat particularly dangerous.

How is it different from Brute Force attacks?

You may have heard of brute force attacks in relation to hacking. While they sound similar to credential stuffing, they actually aren’t the same. Brute force attacks are just that – an attempt by the hacker to force their way into your account through relentless guesswork. The hacker does not use technology to deliberately collect credentials beforehand but rather tries to hit the mark in the dark.

Brute force attacks are successful against users who keep simple passwords or use credentials that are known to others (such as a birthday or a baby’s name). Credential stuffing, on the other hand, is used to hack into accounts even where users use complex credentials, because the credential itself has already been leaked.

A few tips to protect yourself from credential stuffing

· Change your password every month.

· Keep long phrases and complicated amalgams as your passwords.

· Avoid using your email address as a password or ID on your accounts.

· Implement Multi-Factor Authentication to ensure your accounts don’t have a single point of entry/failure.

· Enable CAPTCHA tests wherever you can, since this prevents bots from accessing your accounts.

· Implement Device Fingerprinting to understand where traffic is coming from, which location, what time zone and how frequently they visit your account/website. If you notice anything suspicious, you’ll be able to share the fingerprints of the suspect visitor with the authorities for a check.

· Apply rate limits and block IPs that you feel are malicious.
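The two patterns described above (brute force: many guesses against one account; credential stuffing: one leaked credential tried against many accounts, with a low hit rate) look different in a login log, and the last tip, rate limiting, can be applied on top of that. The following script is an added example written for this article, not code from the original post or from any product it mentions. It assumes a constructed log format of its own (`<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>`), constructed sample lines, and thresholds (five attempts per source per five-minute window, 80% distinct usernames to call something stuffing) that are illustrative choices, not standards.

```python
"""Classify login sources as credential stuffing / brute force and apply a
sliding-window rate limit.

Added example for the article above, not the site's own code. The log format,
the sample lines and the thresholds are all assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 tries six different users once each
# (credential-stuffing shape, one hit), 198.51.100.9 hammers a single user
# (brute-force shape), and 192.0.2.5 is a normal user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=carol result=ok
2024-05-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:00 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:00:01 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:00:02 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:00:03 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:00:04 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:00:05 ip=198.51.100.9 user=alice result=fail
2024-05-01T10:05:00 ip=192.0.2.5 user=grace result=fail
2024-05-01T10:05:20 ip=192.0.2.5 user=grace result=ok
"""

WINDOW = timedelta(minutes=5)   # assumed observation / rate-limit window
MAX_ATTEMPTS = 5                # assumed attempts per source IP per window

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Parse the assumed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def classify_sources(events, window=WINDOW, min_attempts=MAX_ATTEMPTS,
                     spray_ratio=0.8):
    """Label each source IP by the shape of its activity within any window.

    credential_stuffing: enough attempts and almost every one names a
                         different account (leaked pairs sprayed across users)
    brute_force:         enough attempts, all against a single account
    normal:              never reaches the attempt threshold
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    labels = {}
    for ip, evs in by_ip.items():
        label, start = "normal", 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            bucket = evs[start:end + 1]
            if len(bucket) < min_attempts:
                continue
            distinct = len({e["user"] for e in bucket})
            if distinct / len(bucket) >= spray_ratio:
                label = "credential_stuffing"
                break
            if distinct == 1:
                label = "brute_force"
                break
        labels[ip] = label
    return labels


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter: at most max_attempts per window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self.history = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.history[ip]
        while q and ts - q[0] > self.window:
            q.popleft()  # forget attempts older than the window
        q.append(ts)     # every attempt counts, allowed or not
        return len(q) <= self.max_attempts


def apply_rate_limit(events, limiter=None):
    """Return how many attempts per IP the limiter would have rejected."""
    limiter = limiter or SlidingWindowLimiter()
    blocked = defaultdict(int)
    for e in events:
        if not limiter.allow(e["ip"], e["ts"]):
            blocked[e["ip"]] += 1
    return dict(blocked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, label in classify_sources(evs).items():
        print(f"{ip:15} {label}")
    print("blocked attempts:", apply_rate_limit(evs))
```

Both sources in the sample are throttled by the same rate limit, but the labels differ: the sprayed source is the one to correlate with password-reuse warnings to the affected accounts, while the single-account source is a candidate for a per-account lockout or step-up challenge rather than a plain IP block.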
