Credential stuffing attacks

Credential stuffing attacks are becoming more common, posing significant threats to internet security. In these attacks, hackers take sets of credentials that have been leaked through data breaches or other means, then attempt to use these credentials to log in to a user’s other accounts.

Credential stuffing attacks are automated and performed at scale, which makes them far more profitable than attempting the same logins manually.

Whenever you hear about a major data breach that includes user passwords, the victims may end up having these leaked credentials used against them in a credential stuffing attack. Usernames and their matching passwords can also be acquired through phishing, or in man-in-the-middle attacks.

Credential stuffing has a relatively high success rate because users often don’t realize that their credentials have been leaked in a breach. Even if they do, they are often slow at changing passwords or may not even bother.

When you add in the pervasive habit of using the same password for multiple accounts, a large number of internet users leave themselves open to devastating and wide-reaching attacks. At the most extreme end of the scale, credential stuffing can result in identity theft and significant financial losses, wreaking havoc in the victim’s life.

While credential stuffing is often seen in bulk attacks against internet users, it’s also a significant threat when previously exposed credentials are used to gain privileged access to an organization’s systems. Once hackers have made their way inside, they can steal data or launch other criminal campaigns.

How big is the credential stuffing threat?

Credential stuffing has become an incredibly common attack, with Akamai recording 30 billion attempts in 2018. This averages out at 115 million attempts every single day, although Akamai recorded several days where attack numbers peaked at over 250 million.

In Shape Security’s 2018 Credential Spill Report, success rates of between 0.02 percent and almost one percent were reported for sophisticated attack groups. Those who attempt credential stuffing with lesser skills and older credentials have a much lower success rate.

Despite the seemingly low rate of success, the sheer scale of credential stuffing makes it incredibly effective for hackers and devastatingly costly for users and companies. According to a 2017 report from Shape Security, credential stuffing attacks cost US businesses over $5 billion each year.

The initial data thefts that lead to credential stuffing can affect almost any organization that stores user information digitally. Over the last few years, data breaches have struck many of the biggest global brands and countless smaller businesses.

Credential stuffing attacks are seen across a variety of sectors, especially retail, video streaming, other entertainment, banking, hotels and airlines.

A 2017 Ponemon Institute report found that out of the companies involved in the survey, credential stuffing attacks occurred an average of 12.7 times each month. It found that in each of these attacks, hackers targeted an average of 1,252 user accounts.

Due to the thousands of data breaches that have occurred over the past few decades, billions of unique sets of user credentials are now floating around various parts of the internet. In all likelihood, you have multiple username and password combinations available to hackers.

At the start of 2019, a massive collection of credentials from prior breaches was released. Known as Collections #1-5, the first release contained an estimated 773 million unique emails and 21 million passwords while the subsequent four collections had 2.2 billion unique emails. It’s not clear whether there is an overlap between the two data dumps.

While this is the first time that so many sets of usernames and passwords have been collated, the overwhelming majority had already been leaked previously. Some of it was new, with Collection #1 containing around 10 million previously unseen passwords.

Credential stuffing vs. brute forcing

Credential stuffing has emerged as a much more practical way to break into user accounts than through brute force. In a brute force attack, hackers simply cycle through every possible password combination until they stumble on the correct one.

While it may seem arduous, lists of the most popular passwords and dictionary attacks make the process much quicker than pure trial and error. The more sophisticated a user’s password, however, the longer it will take and the more it will cost to crack it.

Users have been slowly heeding the call to make their passwords longer and more complex. While many people still use awful passwords, this slow improvement makes brute-forcing harder. Most sites also have measures in place to detect suspicious login activity, and either limit the number of guesses or block accounts after multiple failed attempts.

But hackers are a savvy bunch and have increasingly been relying on credential stuffing instead. It can be a much more efficient use of resources than brute-forcing, because even relatively short passwords can take hundreds of billions of guesses to crack if they were created appropriately.

While the success rate of credential stuffing (estimates vary, but the Shape Security report listed a success rate of one percent for its most sophisticated attackers) may seem low, it is tremendously effective when compared to brute forcing.

Credential stuffing attacks are also much harder to detect and block because they involve distributed attempts at logging in to a large number of different accounts, rather than repeated login attempts for a single account. The latter activity pattern makes brute force attacks easy to recognize and simple to block.
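
The pattern described above (many accounts, roughly one attempt each, rather than many attempts against one account) is something a defender can encode directly as a detection rule. The following is an added example, not code from the original article: the log line format, the sample lines, the IP addresses and the thresholds are all constructed assumptions. Because stuffing traffic is usually spread over proxies, a per-source rule alone is not enough, so the block also includes a fleet-wide check on how many distinct accounts are failing compared with a baseline.

```python
"""Telling brute force from credential stuffing in authentication logs.

Added example, not from the original article. The log format, the sample
lines and the thresholds are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed line format: "<timestamp> src=<ip> user=<name> result=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real traffic). 198.51.100.7 hammers one
# account; 203.0.113.5 tries eight accounts once each; 192.0.2.9 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:03Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:04Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:05Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:07Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:08Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:09Z src=203.0.113.5 user=dave result=OK
2024-03-01T10:00:10Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:11Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:12Z src=203.0.113.5 user=grace result=FAIL
2024-03-01T10:00:13Z src=203.0.113.5 user=heidi result=FAIL
2024-03-01T10:00:14Z src=203.0.113.5 user=ivan result=FAIL
2024-03-01T10:00:15Z src=192.0.2.9 user=judy result=FAIL
2024-03-01T10:00:16Z src=192.0.2.9 user=judy result=OK
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per source IP: total attempts, failures and the set of accounts touched."""
    profiles = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ev in events:
        p = profiles[ev["src"]]
        p["attempts"] += 1
        p["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            p["failures"] += 1
    return profiles


def classify_source(p, min_failures=5, min_accounts=5):
    """Brute force: failures concentrated on few accounts.
    Credential stuffing: many accounts, about one attempt each, mostly failing."""
    distinct = len(p["users"])
    if p["failures"] >= min_failures and p["failures"] / distinct >= min_failures:
        return "brute-force"
    fail_rate = p["failures"] / p["attempts"]
    if distinct >= min_accounts and fail_rate >= 0.5 and p["attempts"] / distinct <= 2:
        return "credential-stuffing"
    return "benign"


def classify_log(text):
    """Map each source IP in the log to a label."""
    return {src: classify_source(p) for src, p in profile_sources(parse_log(text)).items()}


def campaign_indicator(events, baseline_failing_accounts, factor=3):
    """Fleet-wide check: distinct accounts with at least one failure versus a
    baseline for the same window. This catches a stuffing run spread across
    many proxies, where no single source trips the per-source rule."""
    failing = {ev["user"] for ev in events if ev["result"] == "FAIL"}
    return len(failing) >= factor * baseline_failing_accounts, len(failing)


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:14} {label}")
    print("campaign:", campaign_indicator(parse_log(SAMPLE_LOG), baseline_failing_accounts=2))
```

The per-source thresholds are deliberately simple; in production the baseline for the fleet-wide check would be learned from normal traffic, and the "accounts touched" set would be keyed by time window rather than by the whole log.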

Where do attackers get credentials from?

Credentials can be taken through phishing, man-in-the-middle attacks and via other tactics, but the best way to acquire them in bulk is by penetrating a company’s systems and accessing its databases.

Sophisticated cybercriminal groups prowl around various organizations, looking for vulnerabilities that they can leverage to gain access. If the security is exceptionally poor, then script kiddies and lesser hackers may be able to work their way inside as well. They then seek out valuable databases and exfiltrate the data.

If passwords have been stored securely, then they will probably be worthless. But when hackers come across passwords that were stored as plaintext or used poor hashing and salting processes, they’ve struck gold.
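
To make the difference concrete, here is an added example (not code from the original article) contrasting the two storage approaches from the defender's side. The user records and the list of common passwords are constructed; the PBKDF2 iteration count is an assumed setting. It shows why an unsalted fast hash is close to worthless once the database leaks: identical passwords yield identical hashes, and one hash per common password is enough to audit every account at once. A per-user random salt plus a slow key derivation function removes both properties.

```python
"""Password storage: unsalted fast hash versus salted slow KDF.

Added example, not from the original article. User records and the common
password list are constructed for illustration.
"""
import hashlib
import hmac
import os

# --- The weak way: one unsalted MD5 per user, which is what a breached
# database often contains. Identical passwords produce identical hashes,
# and a precomputed table of common passwords maps straight back to plaintext.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_unsalted_store(records: dict, common_passwords) -> dict:
    """Defender audit of an unsalted store: which accounts use a common
    password? Only one hash per candidate is needed, not one per user,
    which is exactly why this storage format is considered broken."""
    table = {weak_hash(p): p for p in common_passwords}
    return {user: table[h] for user, h in records.items() if h in table}


# --- The stronger way: per-user random salt plus a deliberately slow KDF.
# Assumed work factor; scrypt or Argon2 would be preferable where available.
ITERATIONS = 600_000


def store_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed records: two users who chose the same weak password.
    leaked = {"alice": weak_hash("password"), "bob": weak_hash("password")}
    print("identical hashes:", leaked["alice"] == leaked["bob"])
    print("audit hits:", audit_unsalted_store(leaked, ["123456", "password", "qwerty"]))
    r1, r2 = store_password("password"), store_password("password")
    print("salted records differ:", r1 != r2)
    print("verify ok:", verify_password("password", r1), "wrong:", verify_password("passw0rd", r1))
```

The record format stores the iteration count alongside the salt so the work factor can be raised later and old records re-hashed on next login without a schema change.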

Stolen credentials are worth the most when they are fresh. At this stage, users haven’t had a chance to change their passwords. The longer hackers can keep the theft hidden from the affected company, the longer the credentials will retain their value. This is why sophisticated groups try to act stealthily and avoid detection.

According to Shape Security, in the cases where the date of compromise could be deduced (in one third of breaches, the organization was unable to determine when the compromise occurred), half of all credential thefts were discovered within four months. Because detection takes years in a minority of cases, the average time to discovery stretches out to 15 months.

When passwords are initially stolen, the attackers and their close associates may be the first ones to take advantage of them – after all, this is the stage when the credentials are most profitable. Once they have used them, they can then try to sell them to make even more money off the attack. Alternatively, they may choose to offload the credentials straight away, either to criminal contacts, on dark web marketplaces, or through hacking forums.

The price of credentials will vary according to a number of factors. These include:

  • The age of the credentials.
  • Whether the breach has been made public.
  • Whether the credentials have been verified.
  • Whether the credentials come with a warranty – Yes, that’s right, some savvy criminal enterprises even offer a guarantee that credentials will work. If not, they will send out replacements to the buyer.
  • The seller’s reputation – If a seller is unknown, they are less likely to be trusted, so they may not be able to fetch a high price.
  • Where the credentials are being sold – private sales, hacking forums and dark web marketplaces each have their own rates.
  • The number of credentials in the package.
  • The type of account they grant access to.
  • The amount of funds available in an account (if applicable).

If credentials have already been verified, then they are ready for attackers to use (see the What happens once credentials have been verified? section). Unverified credentials need to be checked first, and will sell for a much lower price.

A fresh bank account with a lot of money in it will sell for a high price if it has been verified by a reputable seller, while a low-value set of unverified credentials may go for under a cent. At the high end, credentials are selling for $190 each or more. In the lower range, a Netflix account that is guaranteed to last for a week can sell for around $0.25.

One bulk package of 3.8 billion unverified credentials was being offered for $2,999; however, it's unknown how fresh or valuable these are. Given the relatively low price per credential and the sheer number, the majority are probably quite old and would have a low success rate.

Over time, sets of credentials lose their value. The company may have discovered the breach, or enough time has passed that the overwhelming majority of users have changed their passwords. Eventually, the data may bubble up to the surface and even be accessible for free, but by this stage, the success rate will be significantly lower.

What happens when an attacker acquires unverified credentials?

An attacker may have stolen the credentials themselves, gotten them from a hacking associate, bought them on the dark web, or even acquired low-end credentials for free. Once they have them, the next step is to launch the attack. There are several different approaches that an attack can take. The best option will depend on the attacker’s skill-set, sophistication, time limit, and resources.

Building or purchasing attack software

Once credentials are on hand, attackers also need software to automate the credential stuffing attempts, as well as proxies to launch the attacks from different IP addresses. The most advanced attackers will write their own scripts to launch the attack, while others will use pre-existing software.

The advantage of creating a new script is that it is harder for the target websites to detect and block, which makes the attack more likely to be successful. It adds extra effort to the attack, but it can also pay off in the long run. Alternatively, a wannabe credential-stuffer can purchase a variety of programs to do the work for them.

The tools vary wildly. At one end, there is credential-stuffing-as-a-service, which functions a lot like any other comprehensive software-as-a-service. These checker services make the task simple, opening up credential stuffing to those without any significant technical skills.

With a checker service, all an attacker needs is a list of usernames and passwords. They submit it to the service, then pay the operator a couple of cents for each successfully validated credential.

These services tend to be site-specific and only exist for organizations that have large user bases – it's not economically viable to build these checkers for less popular sites. Despite their lack of flexibility, they make credential stuffing as simple as possible, because these services also take care of the proxies.

If an attacker’s skill-set falls somewhere in between, they can purchase an online toolkit rather than develop the software themselves. These tools have their own life cycle, and when more sophisticated tools are first developed, they are often sold on high-end marketplaces at greater cost. When a tool is new, it is more likely to evade the detection mechanisms that websites use, justifying the higher price.

As tools age, their price comes down and they are introduced to the mass market. Many different tools are on offer such as: Black Bullet, Private Keeper, SENTRY, SNIPR, WOXY and STORM. Basic packages can range in price from about $5 per configuration file (Sentry MBA), to $50 to buy the software outright (Black Bullet), although more advanced options are also available.

The individual features vary between programs, but many of them have slick user interfaces, offer decent customer support, and include bypasses for CAPTCHA and JavaScript anti-bot challenges.

Renting proxies

Unless an attacker is using a checker service, they will also need proxies to launch the attack. If an attacker were to attempt credential stuffing from a single IP address, they would be quickly detected and blocked. Proxies distribute the login attempts, which helps to fool the defense mechanisms that sites have in place.

Free proxies are an option, but they are slow and unlikely to work. Paid proxy servers offer another alternative, but the best choice is to go with a botnet. Botnets are generally made up of computers that have been infected with malware, poorly secured IoT devices like routers and security cameras, or servers that have been taken over. Login attempts happen through these compromised devices.

These botnets are relatively cheap to rent, and they can be easily found on hacking forums and on the dark web. The price will depend on how many hosts are included and where they are loaded, but a small botnet can be rented for less than $50.

What happens once credentials have been verified?

Once hackers have obtained their credentials and set up the verification process through either a checker service or software and a proxy botnet, they can essentially sit back and wait while the program automatically validates the accounts.

After their list of credentials has been run through, they will end up with a much smaller number of credentials that still grant access to accounts. At this stage, cybercriminals have several different approaches to choose from to monetize the accounts.

The easiest option is to just sell them on in bulk, either to their criminal associates, through hacking forums or on dark web marketplaces. This involves the least amount of work, but it can also leave a lot of money on the table.

The sale price of a verified eBay account will vary, but they have been listed for around $10 before. This account could potentially yield hundreds or thousands of dollars of profit, but doing so involves more risk and effort. If an attacker is up to it, they can take advantage of their accounts themselves and maximize their profits. Otherwise, the opportunity goes to whoever buys it.

Accounts can be abused in several different ways. The best option will depend on the unique situation, the attacker’s skills, and the account type. The choices include:

  • Stealing any money that may be in the account or making fraudulent purchases with it.
  • Using the account data to commit identity theft, such as insurance fraud or signing up for credit cards.
  • Leveraging access to infiltrate a company’s systems and steal more data.
  • Using personal information to commit other crimes.

Recent credential stuffing attacks

Credential stuffing is a common type of attack that many popular brands have been caught up in. Some recent examples include:

Jason’s Deli

In December 2023, US restaurant chain Jason's Deli warned its online customers that their personal data had been exposed in credential stuffing attacks. More than 340,000 customers were affected after attackers used credentials obtained from third-party sources to access Jason's Deli reward and online accounts.

Compromised accounts included data such as customers’ names, addresses, telephone numbers, birthdays, and truncated credit card numbers. The company said that any Deli Dollars reward points that were stolen would be restored.

23andMe

In October 2023, a threat actor was able to access approximately 14,000 23andMe user accounts using login credentials stolen from other sites. Using features of these accounts that linked out to other accounts, the attacker was then able to collect personal data from millions of people.

This included information from approximately 5.5 million DNA Relatives profiles, and 1.4 million Family Tree profiles. Some of the data ended up being sold online. This included users' names, birth dates, profile photos, location, and genetic ancestry details.

Superdrug

In 2018, the UK cosmetics retailer was contacted by hackers who claimed to have the account data for 20,000 of its customers. The hackers sought a ransom from the company, but when they handed over the details of 386 customers, the preliminary investigation led the company to believe that the credentials had been acquired through credential stuffing rather than a data breach.

It appears that the hackers had taken data from breaches of other organizations and used it to uncover the logins for a small number of Superdrug customers. Superdrug’s statement claimed that an independent assessment found no breach of their systems, and the company refused to pay a ransom to the hackers.

Superdrug informed the affected users and recommended that they change their passwords.

Uber

Uber logo by Uber Technologies Inc., licensed under CC0

Uber was severely punished following its deception over a data breach that occurred in 2016. The company was fined a total of $1.2 million from separate regulators in the UK and the Netherlands, although both penalties resulted from the same incident.

An investigation from the UK’s Information Commissioner’s Office (ICO) found that an attacker gained access to Uber’s data storage through credential stuffing. They used an Uber employee’s previously exposed credentials from other websites to access their GitHub account.

Once inside this account, the attacker found login details to the Amazon Web Services S3 buckets where Uber's data was stored. This allowed them to steal data for 57 million Uber users, including both drivers and riders.

The attackers then reached out to Uber and demanded a $100,000 payment for information on how they were able to access the S3 buckets. Uber paid up, making the payment seem as though it was part of their bug bounty program, but it did not make the matter fully public.

The company didn’t end up revealing the details of the breach until about a year later, in late 2017. The hacking incident and its resulting cover-up led to Uber being punished for several different reasons – for poor security practices, for late notification, and for being deceptive about the so-called bug bounty.

HSBC

In 2018, HSBC notified some of its customers that they were victims of a data breach. The attackers stole names, account numbers, phone numbers, transaction histories, dates of birth, account balances, addresses, email addresses and more.

According to FastCompany, the breach affected less than one percent of the bank’s 1.4 million customers in the US. The affected parties were offered one year of credit monitoring and identity theft protection services.

The breach apparently occurred between the 4th and the 14th of October, 2018, and credential stuffing was attributed as the mode of entry. It’s likely that key employees were reusing usernames and passwords from other accounts that had previously been leaked.

The attackers could have used these details to gain privileged access to HSBC’s systems, which would in turn have made it possible to steal the data.

Reddit

At the start of 2019, Reddit locked users out of their accounts after it suspected credential stuffing attacks. Reddit’s security team noticed unusual activity from “a large group of accounts”, which it assumed was most likely caused by credential stuffing.

To prevent the accounts from being taken over, it locked the users out and forced them to reset the passwords before the accounts could be restored. Some of the affected users commented that they were using unique and strong passwords, as well as two-factor authentication.

This led to some speculation that the site may have actually experienced security issues on its own end, and was using credential stuffing as an excuse to blame users.

An alternative explanation is that Reddit may have decided to lock down and reset the passwords for any account that experienced a suspicious login attempt, rather than only for those accounts where the login attempts were successful. If this is the case, the adoption of two-factor authentication or strong and unique passwords would be irrelevant.

DailyMotion

Several weeks after Reddit’s security incident, DailyMotion users were also victims of credential stuffing. The video-streaming platform emailed a group of users to inform them that attackers may have used credential stuffing to access their accounts.

Its security team logged off users who may have been affected and sent them a link so that they could reset their passwords. DailyMotion also reported the breach to the French authorities (the site is based in France), as required under Europe’s recently enacted General Data Protection Regulation (GDPR).

Deliveroo

Customers that use Deliveroo, the food delivery service, have fallen victim to credential stuffing for years. Many of these attacks have fallen outside of Deliveroo’s control but, due to some misunderstandings, the company has received unfair criticism, as seen in an article published by New Statesman.

The article and its surrounding controversy seem to be built up around misconceptions about credential stuffing. It seems to blame Deliveroo for attacks that were actually caused by data leaked from elsewhere.

From the publicly available information, it seems that the writer of the New Statesman article fell victim to credential stuffing as a result of reusing their password from other accounts. There is no evidence that Deliveroo suffered a breach that resulted in the writer or any other party’s fraudulent purchases.

Even if a company follows all of the best security practices, there isn’t much that they can do to prevent their customers from reusing the same passwords. They can recommend unique passwords all they like, but it’s impossible for them to force users to adopt a password that is unique to that account.

While the article quotes a lawyer who says that Deliveroo may face penalties under the GDPR, these statements seem to be based on incorrect assumptions about the nature of the attack. At the time of writing, Deliveroo does not appear to be under any public investigation in relation to the credential stuffing attacks.

Basecamp

Basecamp, the project management service, also faced a large number of credential stuffing attacks at the start of the year. Its security team noticed a huge spike in login attempts, then tried to block the suspicious IP addresses in an attempt to prevent the attack.

It also enabled CAPTCHA to stem the flow; however, 124 accounts were still successfully accessed. The platform logged out those users and reset their passwords, emailing those who were affected to notify them, alongside instructions on how they could reactivate their accounts.

A more powerful attack struck the following day; however, this time it only managed to access 89 accounts. Basecamp responded in the same way to protect its users. It appears that these attacks were only attempts to validate the user credentials, and the attackers don't seem to have caused any damage to the accounts.

If Basecamp had not reacted so rapidly, the attacks could have affected a far greater number of accounts, with more serious repercussions than a simple password change for the users.

TurboTax

TurboTax account holders were also embroiled in a credential stuffing attack at the beginning of 2019. It’s not known how many TurboTax users were affected, but these attacks were particularly worrying due to the large amount of personal and financial data that was contained in the company’s records.

The parent company deactivated the affected accounts temporarily, requiring these users to call or email its customer service and verify their identities before they could reactivate their accounts. The parent company is offering the victims one year of credit monitoring, identity theft protection and identity restoration services to help protect the users.

There is no indication that these attacks are a result of a data breach. It seems that the affected customers were only vulnerable to the attack because they reused their passwords across multiple accounts. From all appearances, TurboTax seems to be going above and beyond in offering the free protection services, considering that the attacks were not caused by its own security flaws.

Dunkin’ Donuts

Dunkin' Donuts box by Hao dream-case, licensed under CC0

Dunkin’ Donuts reported credential stuffing attacks against its customers twice in three months. The first incident occurred at the end of 2018, while the second was in January 2019. Each incident was reported publicly about a month after the attack occurred.

The attacks were initiated with credentials taken from prior breaches, and a statement from Dunkin’ Donuts revealed that 1,200 of its 10 million users were affected. The victims were sent notifications, had their passwords reset and were reissued Dunkin’ cards. The company asserts that its systems were not breached, and that it was alerted to the credential stuffing attacks by its security vendor.

While a Dunkin’ Donuts account may not seem like the most prized possession in the hacking underworld, these accounts were actually being sold online. Criminals can monetize them by either taking the personal information, or by abusing Dunkin’ Donuts’ reward scheme.

How to minimize the risks of credential stuffing attacks

Credential stuffing attacks pose a significant threat to both regular internet users and organizations. Normal people risk having their personal data stolen, succumbing to identity theft, having fraudulent purchases racked up on their accounts or even having all of their money taken out.

Companies need to be wary of hackers using credential stuffing to gain privileged access, which can result in data breaches or other attacks. They also need to do their best to protect their customers. As was seen in the Deliveroo example from above, credential stuffing can look very bad for organizations, even if the attacks aren’t really their fault.

People are accustomed to data breaches caused by poor organizational security, and most don't understand the technical details of credential stuffing. This makes it easy for them to mistakenly blame the company for the consequences of their own poor password practices. Regardless of whose fault it was, businesses need to be incredibly careful with how they approach these situations.

Minimizing credential stuffing risks for individuals

Data breaches aren’t going away any time soon, and even if they did, billions of credentials have already been leaked online. Fortunately, there are several different measures you can adopt to significantly reduce the risks that you face:

Use unique passwords for each account

The most important step that users can take to protect themselves is to set unique and strong passwords for each of their accounts.

By unique, we mean more than just a single change of a letter, number or symbol. ‘Hunter1’, ‘Hunter2’, ‘Hunter3’, etc. simply won’t cut it. To protect against these and other attacks, your passwords need to be significantly different for each of your accounts, if not completely original.

There are a few different techniques to solve this and other password related issues. One of the easiest is to use a password manager like Dashlane or Sticky Password. With a password manager, all you have to remember is a single master password. This is used to unlock the application, which can be used to both generate and store unique and secure passwords for each of your accounts.

Setting up a password manager and changing all of your passwords may take some effort in the beginning, but once everything is ready, it provides excellent security against credential stuffing and other attacks.

If you insist on using the same or similar passwords for each of your accounts despite the warning, consider it only a matter of time until you fall victim to one of these attacks.

Be aware of when your data has been breached

You should also keep abreast of the latest data breaches and change passwords for any account that has been affected, as well as any other accounts that use the same password (once again, don't do this). Following the latest data breach news is a good start, but it's even better to visit Have I Been Pwned. This is a database set up by Troy Hunt, a security researcher who has collected information from publicly known breaches.

The database lets you search with your email or password to see if it has been involved in a breach. You can also sign up to get an email alert if your data is involved in a newly discovered breach. If you give the website’s search function a go, the odds are that your details will come up at least once. If they do, you should change the password for the account immediately.

If you have been using this password for multiple accounts, then it needs to be changed across all of them to protect against credential stuffing. As we mentioned above, the easiest way to administer this is with a password manager.
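
Have I Been Pwned also exposes its Pwned Passwords data through a range API that lets a client check a password without ever sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that range along with how often it was seen, so the match is made locally. The following is an added example, not code from the article or from the Have I Been Pwned project; the sample API response embedded below is constructed (the only genuine value in it is the SHA-1 of the string "password", and its count is made up). Organizations can use the same check to reject already-breached passwords at signup or password change.

```python
"""Checking a password against the Pwned Passwords range API using the
k-anonymity scheme, so the password itself never leaves the machine.

Added example, not from the original article. SAMPLE_RESPONSE is constructed
test data, not a real API response.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse "SUFFIX:COUNT" lines and return the count for our suffix (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str, body: str) -> int:
    """Offline half of the check: how many times was this password seen,
    given the response body for its prefix range?"""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, body)


def fetch_range(prefix: str) -> str:
    """Online half: fetch the range for a 5-char prefix (requires network)."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str) -> int:
    """Full check against the live API; 0 means the password was not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed stand-in for the response to GET /range/5BAA6. Only the third
# suffix is the real SHA-1 tail of "password"; the other lines and all counts
# are made up for the example.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8F8CDD5BB0E6E3B8E4D7C17BDBDCBF0F3:1
"""

if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("prefix sent to API:", prefix)
    print("seen (constructed sample):", pwned_count("password", SAMPLE_RESPONSE))
```

A signup form would call `times_pwned()` and reject any password with a non-zero count; the offline `pwned_count()` is what you would unit-test, with the network fetch mocked.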

If you have been a victim of a data breach, you may want to consider subscribing to credit monitoring and identity theft protection services. A monitoring service will notify you of any suspicious activity, while identity theft protection will insure you against losses.

Breached companies frequently offer one year of these services to their affected customers for free. If you are a victim and the company responsible is offering one of these programs, you will generally have to sign up first. It will give you added protection, but make sure to read the fine print to check what you are actually being covered for.

Otherwise, you can subscribe to one of these services yourself, although they can set you back $20 or $30 each month. Alternatively, you can monitor your own credit reports for suspicious activity.

Two-factor authentication

Another key protection measure is to use two-factor authentication wherever possible. When two-factor mechanisms are in place, hackers will need more than just your username and password to take over your account. They will also have to pass the second authentication measure.

These can include mobile apps like Google Authenticator, physical security tokens and biometric inputs. SMS and email authentication are also popular types of two-factor authentication, but they’re far less secure than the alternatives and should only be chosen if the other options aren’t available.

Two-factor authentication isn’t foolproof. Attackers can steal your security token or intercept the SMS messages, but doing so is far more difficult than accessing an account that isn’t protected by these measures.

In the overwhelming majority of cases, hackers won’t bother trying to take over your account if they run up against two-factor authentication. They will simply move on to another target with weaker defenses.
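
To show what the "second authentication measure" actually checks when an app like Google Authenticator is used, here is an added example (not code from the article) implementing time-based one-time passwords as specified in RFC 6238, on the verifying server's side. The secret key is the reference secret from that RFC's test vectors, so the codes it produces can be checked against published values; the one-step tolerance window and the replay rule (a code is accepted at most once) are assumed policy choices.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not from the original article. KEY is the RFC 6238 reference
secret; the window and replay policy are assumptions.
"""
import base64
import hashlib
import hmac
import struct
import time

KEY = b"12345678901234567890"  # RFC 6238 reference secret for the SHA-1 vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since epoch."""
    return hotp(key, for_time // step, digits)


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the secret, which is what authenticator apps accept at enrolment."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already accepted for this user

    def verify(self, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay protection: never accept a step twice
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("enrol with secret:", provisioning_secret(KEY))
    print("code at t=59:", totp(KEY, 59))  # RFC 6238 vector (last 6 of 94287082)
    v = TotpVerifier(KEY)
    print("first use:", v.verify(totp(KEY, 59), now=59), "replay:", v.verify(totp(KEY, 59), now=59))
```

This is also why the article's caveat holds: an attacker who has the username and password from a breach still needs the shared secret or the current code, and a code that has been used is rejected even inside the tolerance window.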

Minimizing credential stuffing risks for organizations

Organizations face two direct threats from credential stuffing. The first is that it can be used to gain access to their systems and launch further attacks. These include data breaches like in some of the examples from above, as well as ransomware attacks or the theft of intellectual property.

The other major threat is that customers affected by credential stuffing may blame an organization, even if the real cause is a data breach of a third party and the customer following poor password security practices.

Even though this may not seem like an organization’s responsibility, the potential negative fallout makes it important for companies to do everything they can to try and protect customers in this situation.

Awareness and education

The pervasive habit of password reuse is what makes credential stuffing attacks so effective. To stop users from recycling the same password again and again, organizations need to drill the dangers of password reuse and credential stuffing into their employees' heads.

It’s not enough to just tell employees that they need strong and unique passwords. People have a tendency not to listen if they don’t understand why something is important. Tell your employees what password reuse can lead to, and give them real-world examples that show the damaging repercussions.

Your organization should also educate its employees on alternative password techniques. Instructing people not to do something without giving them other options is bound to end poorly. Instead, your company should train its employees on how to use password managers or how to follow other effective password administration practices.

It’s especially important to emphasize these risks to employees that have privileged access. Administrators and other key people have access to a wider range of your company’s systems. If their accounts are taken over, the damage can be far greater than when an ordinary account is compromised, so password reuse by these users puts the company at even greater risk.

Access control

Completely eliminating password reuse is difficult, because a company can’t know whether an employee has used the same password elsewhere. While education will go a long way toward minimizing the risks of credential stuffing, it’s also important to limit any potential damage that could come from obstinate employees.

Organizations should follow the principle of least privilege. This means that staff are only given access to the systems and resources that they need to complete their work effectively, nothing more. If an employee’s role changes, then so should their access privileges. They should be given access to any new resources that they need and restricted from those that they no longer require.

If a company follows this principle carefully, it will help to limit any potential damage that an attacker can cause. If an attacker gains entry, they will have significantly reduced access compared to a company that doesn’t follow the principle. Walling in the attacker can either prevent data breaches, or make them far less damaging.

Two-factor authentication

Implementing two-factor authentication makes it significantly harder for attackers to take over an account. Refer to the Two-factor authentication section above, under Minimizing credential stuffing risks for individuals, for further details.

Monitoring and quick action

Companies need to do more than just protect their internal accounts from being taken over by credential stuffing. They also need to do their best to protect and support users who fall victim to credential stuffing, even if the attack isn’t the organization’s fault. Affected users may still blame the company, and such misunderstandings can lead to bad press, so companies have to manage these situations as carefully as possible.

Businesses need monitoring systems in place to help detect large-scale credential stuffing attacks. If they see sudden spikes in login attempts or other unusual activity, they should block the suspicious IP addresses they can identify. Implementing CAPTCHA can also help to limit these attacks.
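As an added example (not code from the original article), the following detector runs the kind of check described above over a few constructed log lines: it flags any client IP that tries many distinct usernames with repeated failures inside a short window, which is the credential-stuffing pattern rather than a single user mistyping a password. The log format, IP addresses, window and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Assumed format:
# "<ISO timestamp> <client IP> login <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-01-15T10:00:01 203.0.113.5 login alice FAIL
2024-01-15T10:00:02 203.0.113.5 login bob FAIL
2024-01-15T10:00:03 203.0.113.5 login carol FAIL
2024-01-15T10:00:04 203.0.113.5 login dave FAIL
2024-01-15T10:00:05 203.0.113.5 login erin SUCCESS
2024-01-15T10:00:10 198.51.100.9 login alice FAIL
2024-01-15T10:00:20 198.51.100.9 login alice FAIL
2024-01-15T10:01:00 192.0.2.77 login gina SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (SUCCESS|FAIL)$")

def parse(log_text):
    # Turn log lines into (timestamp, ip, user, result) tuples; malformed lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5), min_users=4, min_fail=3):
    """Return IPs that, within one `window`, tried at least `min_users` distinct
    usernames with at least `min_fail` failures. Many accounts from one source is
    the credential-stuffing signature; a user mistyping a password hits one account."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()  # sliding window over this source's events in time order
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails >= min_fail:
                flagged[ip] = {"distinct_users": len(users), "failures": fails}
                break  # the first window that trips the threshold is enough to flag
    return flagged
```

Lowering `min_users` to 1 turns the same code into a plain brute-force detector for one account, which is why the distinct-username count is the discriminating signal here.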

If an organization detects any unauthorized access, it should temporarily lock the accounts and reset the passwords. It’s important to carefully explain the issue to those who were affected and make it easy for them to set up a new password and reactivate their account.

If the problem isn’t explained clearly and simply, users may end up believing that the company suffered a breach or that it wasn’t securing their account appropriately.

Detecting small-scale credential stuffing attacks can be much more difficult because they don’t cause the same spikes in account activity. If an organization has effective monitoring mechanisms in place but was unable to stop a credential stuffing attack, then it needs to be careful with how it handles the situation.

While the attack may have been caused by the customer’s own password reuse, and the company may not have had any reasonable course of action to prevent it, it’s easy for the customer to misunderstand the situation and blame the organization.

If a company wants to emerge from the situation unscathed, it may be best to offer free credit monitoring and identity theft protection to those who were affected, like TurboTax did in the example above. Otherwise they may end up facing unfair negative press, just like Deliveroo.

Organizations need comprehensive security

On top of the threats mentioned above, organizations are also vulnerable to the data breaches that make credential stuffing attacks possible in the first place. For both their own interests (data breaches can be extremely expensive) and those of global security, companies should be following security best practices to minimize the chances of suffering a major breach.

In addition to the security practices discussed above, organizations should also:

  • Hash and salt passwords appropriately – If a company stores passwords as plaintext, anyone who can access the database will be able to take over the accounts or use the passwords in credential stuffing attacks against other platforms. The secure alternative is to store only the password hash for verification. A salt (a random value generated separately for each password) needs to be combined with the password before hashing to protect against rainbow table attacks. Following these practices carefully can limit the costs of a data breach substantially – if stolen passwords were hashed, companies may not have to notify those who were affected or the authorities.
  • Train employees – Employees are one of the weakest links when it comes to organizational cybersecurity. Either through ignorance or human error, they are responsible for a significant percentage of attacks. Companies need to give their employees comprehensive cybersecurity training that is tailored towards the risks that they may introduce into the company. Anti-phishing training is one of the most important elements.
  • Update software as soon as possible – Updating doesn’t just introduce new features. Developers also use it to patch any vulnerabilities that have been discovered. Organizations that use older versions of software are essentially leaving their doors open and inviting hackers in. The easiest solution is to enable auto-updates wherever possible, so that the latest versions are installed without any hassles.
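An added example, not the article's own code, of the hashing practice in the first bullet above: every password gets its own random salt, the salt and cost factor are stored with the PBKDF2 hash, verification recomputes the hash and compares in constant time, and a helper shows why the salt defeats precomputed (rainbow) tables. The record format and iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Record format chosen for this example (not from the article):
# "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>", so the salt and the cost
# factor travel with each record and the cost can be raised later.
ITERATIONS = 600_000  # cost factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a new password with a fresh random salt for storage."""
    salt = os.urandom(16)  # a different salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy scheme; do not guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower cost than the current setting;
    re-hash it on the user's next successful login."""
    return int(stored.split("$")[1]) < iterations

def salt_defeats_precomputation(password: str) -> tuple:
    """Why the salt matters: an unsalted hash of one password is identical every
    time (so a precomputed table finds it), while two salted records of the same
    password differ. Returns (unsalted_equal, salted_equal)."""
    unsalted = hashlib.sha256(password.encode()).hexdigest()
    unsalted_again = hashlib.sha256(password.encode()).hexdigest()
    a, b = hash_password(password, 1000), hash_password(password, 1000)
    return unsalted == unsalted_again, a == b
```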

If an organization discovers a breach, then it’s important to react swiftly and carefully. The first step is to contain the breach, then to analyze it to gain an understanding of who and what has been affected, as well as the severity.

Depending on the circumstances, companies may or may not have to report the breach. If they do, it’s important to act responsibly and do so as soon as possible. Delaying notification can lead to legal penalties, just like those that Uber was handed in the example from above.

Attempting to cover up a breach also plays right into the hands of attackers. It allows them to abuse the credentials and maximize their profits before the users are even aware that their data was involved in a breach.

If a company is serious about protecting its users and limiting the effects of a breach, then it needs to notify them as soon as possible and tell them to change their passwords. Offering credit monitoring and identity theft protection can also help to smooth things over.

It’s also important to alert them about the dangers of credential stuffing, so that they know to change the passwords for other accounts if necessary.

If breached users and businesses under attack all start to take credential stuffing seriously, they can help to minimize the threat, as well as the huge losses that it ends up causing each year.