top of page

How to mitigate Credential Stuffing Attacks

Credential stuffing attacks are nothing new and, are in fact, one of the simplest attacks for threat actors to launch. Simple to launch, yet could have wide ramifications if an attack is successful, especially as you have no control over your customers' cyber habits. Therefore, we outline what credential stuffing could mean if your organisation were to fall victim, and what you need to be doing to protect your company, and your customers.

Credential stuffing is the name given to the type of cyber attack in which stolen account credentials - lists of usernames or email addresses and the corresponding passwords - are used to gain unauthorised access to user accounts through large-scale automated login requests.

For budding hackers it can be one of the first things that they try for the thrill of seeing that they can gain access to systems. For the more experienced bad actors, the potential for credential stuffing attack is much greater - it can provide them with more information on an individual, such as details about their finances, home life. etc. This information can be used to make purchases or spend credit in the account accessed, or to build a curated file on an individual or company that can be sold on the dark web for others to exploit.

The problem is that it doesn’t stop there. When it is found that a username/password combination works, it can then be tested in that combination across other popular consumer sites and services, to see whether the same credentials have been used elsewhere. And, as a security professional, you will know how common that is.

Individuals and companies that become the victim of credentials stuffing attacks can suffer financial and reputational damage, and the issues caused can take a long time to resolve. Companies also risk losing the confidence of customer and investors.

Mitigation doesn’t have to mean complication

There is a number of measures an individual can take to protect their personal information, such as using secure passwords, multi-factor authentication, and keeping anti-virus and other software up to date. The National Cyber Security Centre offers some great additional tips.

However, where it's not possible to rely on user cyber hygiene, for example, consumer facing website and app services, there is a whole host of security solutions available that will help make it harder for hackers to get validated credentials. Our network monitoring solutions from Nightingale and breached credentials tracking platform, Trillion, are both great places to start. Additionally, Arc validates credential pairs against known stolen username/password combinations to mitigate the risk of credential stuffing attacks.

Here are some basics that you should also consider to ensure that your systems are doing all they can to mitigate the risks:

  • You might think you know your website traffic, but do you understand your logon traffic? These are not the same thing, so learn about the patterns in your business.

  • Don’t make the mistake of thinking that employing a login tool such as Captcha is ‘job done’. You can still attempt to login multiple times on different usernames, and that is exactly what is happening during a CS attempt.

  • Monitor your failed to successful login ratio in real-time from all login requests. It might be that a 2%-3% fail rate is normal for your business. If it falls outside this range, it could constitute a credentials stuffing attack.

  • Look at employing time-series analysis to identify sudden peaks in attempted login attempts. There may be seasonal elements to this, for example the start of well promoted sale of concert tickets, or retail event, but you can plan for this, and combined with the successful login analysis it can identify a sudden attack.

  • Advanced attacks can originate from cloud infrastructure. The ranges of these providers are available online and can be used to help mitigate attacks.

If you would like to find out how you can protect your organisation and customer base against credential stuffing attacks, then Arc could be the service for you.

Instantly check your subscriber logins and signups against billions of already leaked user credentials from third party data breaches to improve B2C authentication security. Use Arc to reduce fraud attempts on your public facing applications with zero additional user friction with sub-second check and respond APIs to ensure rapid risk decisions can be made.


Commenting has been turned off.
bottom of page