Credential Stuffing Surges: Time to Rethink Your Passwords?

30 Apr 2024

Stuffing is back on the menu! Okta, a leader in identity and access management and authentication, recently identified a significant increase in credential stuffing attacks.

Credential stuffing involves attackers leveraging stolen usernames and passwords (often from previous data breaches) to gain unauthorised access to accounts on other platforms.  It’s a numbers game – attackers know that a significant portion of users reuse login credentials across multiple sites, and automation makes it frighteningly efficient.

Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches involve stolen credentials and a separate Google survey found that at least 65% of people reuse passwords across multiple, if not all, sites. Scary.

Why the resurgence?

There are a few factors at play. Firstly, the dark web provides attackers with a huge marketplace for stolen credentials.  Secondly, the increasing sophistication of credential-stuffing tools makes it easier than ever for even less technical attackers to launch these attacks.

So, what can we do?

Here are some basic but key strategies to consider:

  • Multi-Factor Authentication is the hero we need and deserve. MFA goes beyond just usernames and passwords, adding an extra layer of security by requiring a secondary verification step – a code from an authenticator app, a fingerprint scan, etc. Studies by Microsoft have shown that MFA can block over 99% of automated attacks, making it a critical defence mechanism.
  • Enforce strong password policies. Minimum password length requirements, a combination of uppercase and lowercase letters, numbers, and symbols – we all know the drill. But it’s worth reiterating: complex, unique passwords for every single account are essential.
  • Implement password breach monitoring. Several reputable services can monitor the dark web for compromised credentials associated with your users’ emails. Early detection allows for swift action, such as password reset prompts.
  • Security awareness training for users. Educating users about credential stuffing and phishing tactics empowers them to be the first line of defence.

For the Techies:

You could also consider implementing:

  • Rate limiting on login attempts. This thwarts automated attacks by restricting the number of login attempts within a specific timeframe.
  • Risk-based authentication. This approach dynamically assesses the risk of a login attempt based on factors like IP address, device type, and login history. Higher-risk attempts can trigger additional verification steps.
  • Bot detection and mitigation solutions. These tools can identify and block automated bots attempting credential stuffing attacks.
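To show how the first two of these controls fit together in code, here is an added example (not Okta's code and not from the original article) of a login gate that applies sliding-window rate limits per account and per source IP, treats one IP cycling through many different usernames as a stuffing signature, and falls back to a risk-based step-up (require MFA) when a user signs in from an IP/device pair that has never been seen on a successful login. Every threshold, timestamp, username and IP address below is a constructed assumption chosen for illustration; tune the limits to your own traffic.

```python
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the article.
WINDOW_SECONDS = 15 * 60          # sliding window for all counters
MAX_FAILS_PER_ACCOUNT = 5         # failures per username before blocking
MAX_FAILS_PER_IP = 20             # failures per source address before blocking
MAX_DISTINCT_USERS_PER_IP = 10    # one source trying many usernames = stuffing


class LoginDefender:
    """Decides, before the password is checked, whether to block, step up or allow."""

    def __init__(self):
        self.fails_by_account = defaultdict(deque)  # user -> failure timestamps
        self.fails_by_ip = defaultdict(deque)       # ip   -> failure timestamps
        self.users_by_ip = defaultdict(dict)        # ip   -> {user: last attempt}
        self.known_devices = defaultdict(set)       # user -> {(ip, device)} seen on success

    @staticmethod
    def _prune(dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def _distinct_users(self, ip, now):
        seen = self.users_by_ip[ip]
        stale = [u for u, t in seen.items() if now - t > WINDOW_SECONDS]
        for u in stale:
            del seen[u]
        return len(seen)

    def decide(self, user, ip, device, now):
        """'block'   -> a rate limit fired; reject without touching the credential store
           'step_up' -> risk signals present; require MFA even if the password is right
           'allow'   -> low risk; a correct password alone is enough"""
        self.users_by_ip[ip][user] = now
        self._prune(self.fails_by_account[user], now)
        self._prune(self.fails_by_ip[ip], now)

        if len(self.fails_by_account[user]) >= MAX_FAILS_PER_ACCOUNT:
            return "block"
        if len(self.fails_by_ip[ip]) >= MAX_FAILS_PER_IP:
            return "block"
        if self._distinct_users(ip, now) > MAX_DISTINCT_USERS_PER_IP:
            return "block"
        # A valid password arriving from an unfamiliar IP/device is exactly what a
        # stuffed credential looks like, so ask for a second factor.
        if (ip, device) not in self.known_devices[user]:
            return "step_up"
        return "allow"

    def record_failure(self, user, ip, now):
        self.fails_by_account[user].append(now)
        self.fails_by_ip[ip].append(now)

    def record_success(self, user, ip, device):
        self.known_devices[user].add((ip, device))
        self.fails_by_account[user].clear()


def simulate_stuffing(n_users=30, ip="203.0.113.7"):
    """Constructed scenario: one IP tries n_users different usernames once each.
    Returns how many attempts got through before the distinct-user limit fired."""
    d = LoginDefender()
    allowed = 0
    for i in range(n_users):
        if d.decide(f"user{i}", ip, "curl/8.0", now=100 + i) == "block":
            break
        allowed += 1
        d.record_failure(f"user{i}", ip, now=100 + i)
    return allowed


def simulate_returning_user(ip="198.51.100.5", device="Firefox/124"):
    """Constructed scenario: first login steps up, a known device is allowed,
    the same account from a new IP steps up again."""
    d = LoginDefender()
    first = d.decide("alice", ip, device, now=0)
    d.record_success("alice", ip, device)
    second = d.decide("alice", ip, device, now=60)
    third = d.decide("alice", "203.0.113.9", device, now=120)
    return first, second, third


def simulate_account_lockout():
    """Constructed scenario: five failures against one account from five IPs
    block the account; once the window has passed it is reachable again."""
    d = LoginDefender()
    for i in range(MAX_FAILS_PER_ACCOUNT):
        d.record_failure("bob", f"192.0.2.{i}", now=i)
    blocked = d.decide("bob", "192.0.2.99", "Safari/17", now=10)
    later = d.decide("bob", "192.0.2.99", "Safari/17", now=10 + WINDOW_SECONDS + 1)
    return blocked, later


if __name__ == "__main__":
    print("attempts allowed before per-IP block:", simulate_stuffing())
    print("returning user verdicts:", simulate_returning_user())
    print("locked account verdicts:", simulate_account_lockout())
```

Two design points worth noting: the distinct-username counter is the one that catches classic stuffing, because the attacker spends only one attempt per account and never trips a per-account lockout; and the step-up rule deliberately runs before the password check, so a leaked-but-valid credential still lands on the MFA prompt rather than in the account.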

A successful credential stuffing attack can lead to identity theft, financial loss, and even breaches of your personal data.

Employing a multi-layered approach can significantly reduce the risk of falling victim to a credential stuffing attack. But remember, even the most secure system in the world is only as strong as its weakest link – and that link is often us, the users...
