
How to Prevent Credential Stuffing Attacks
Online, terms like data breaches, brute force attacks and cybersecurity are part of our everyday vocabulary. Credential stuffing is a term that may be less common outside the cybersecurity community.
Well-publicized data breaches quickly make the top news, highlighting the scale and extent of a successful cyberattack. Once the big stories are over, however, the news cycle rarely covers what happens to the stolen data and how it is sometimes used.
There is a good chance that you or someone you know has been the victim of a data breach. Login credentials are one of the most popular data sets that can be stolen. Credential stuffing can cause serious damage if hackers get this information.
What is Credential Stuffing?
Imagine that you have been notified that your data was compromised. You are usually given some information about what happened and then instructed to change your username or password. Sometimes you are even promised that things will be done better next time. It is becoming more common for stolen account login credentials to be used to log in to many other websites and applications.
Credential stuffing is the act of a bad actor using stolen login credentials to gain access to your accounts: the attacker takes account information exposed in a breach and automates large-scale login requests with it across multiple websites or web applications.
Credential stuffing sounds harmless until you think about the consequences and the scale of these attacks. Cybersecurity attacks and data breaches often expose alarming amounts of data, and because breached credentials are available in such large numbers, credential stuffing can be run at enormous scale.
Credential stuffing success rates vary, ranging from less than 1% to 3%. Such low success rates might make credential stuffing seem futile, but consider the scale: a 0.1% success rate over one million attempts would yield 1000 compromised accounts, each with personal data potentially stolen.
Credential stuffing is a growing cybersecurity risk due to the sheer number of login attempts and the number of web applications that rely on account credentials. A stolen login credential can be submitted to the login forms of hundreds, if not thousands, of websites and applications in the hope that it matches one of your accounts. Attackers will literally insert your credentials into as many websites and applications as possible in an attempt to find one where they work.
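The pattern the article describes (many different usernames tried from one source in a short burst, almost all of them failing) is what a defender looks for in authentication logs. The following is an added example, not code from the original article: it aggregates constructed login records per source IP, separates a credential-stuffing burst from a classic brute-force attack (one username, many attempts) and from ordinary users, and lists the few accounts on which the stuffing burst actually succeeded, since those are the ones to act on. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not code from the original article). The log format,
field names and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log lines: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:01 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:02 203.0.113.7 dave SUCCESS
2024-05-01T10:00:03 203.0.113.7 erin FAIL
2024-05-01T10:00:04 203.0.113.7 frank FAIL
2024-05-01T10:00:05 203.0.113.7 grace FAIL
2024-05-01T10:00:06 203.0.113.7 heidi FAIL
2024-05-01T10:00:10 198.51.100.9 alice FAIL
2024-05-01T10:00:11 198.51.100.9 alice FAIL
2024-05-01T10:00:12 198.51.100.9 alice FAIL
2024-05-01T10:00:13 198.51.100.9 alice FAIL
2024-05-01T10:00:14 198.51.100.9 alice FAIL
2024-05-01T10:00:15 198.51.100.9 alice FAIL
2024-05-01T10:00:16 198.51.100.9 alice FAIL
2024-05-01T10:00:17 198.51.100.9 alice FAIL
2024-05-01T10:05:00 192.0.2.44 alice FAIL
2024-05-01T10:05:20 192.0.2.44 alice SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used for the classification."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line):
    """Split one record into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def aggregate(log_text):
    """Group all records by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def classify(s, min_attempts=6, window=timedelta(minutes=5), min_fail_ratio=0.7):
    """Label one source: a burst of mostly-failed logins spread over many
    usernames is credential stuffing; the same burst against one username
    is brute force; anything small or mostly successful is normal traffic."""
    if s.attempts < min_attempts or (s.last - s.first) > window:
        return "normal"
    if s.failures / s.attempts < min_fail_ratio:
        return "normal"
    if len(s.usernames) / s.attempts >= 0.8:
        return "credential_stuffing"
    if len(s.usernames) == 1:
        return "brute_force"
    return "suspicious"


def classify_log(log_text):
    """Map every source IP in the log to its label."""
    return {ip: classify(s) for ip, s in aggregate(log_text).items()}


def compromised_accounts(log_text):
    """Accounts that logged in successfully from a source flagged as stuffing:
    the small fraction of hits the article warns about, which need a password
    reset and session revocation."""
    hits = set()
    for ip, s in aggregate(log_text).items():
        if classify(s) == "credential_stuffing":
            hits |= s.successes
    return hits


if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG))
    print("compromised:", compromised_accounts(SAMPLE_LOG))
```

The distinguishing signal is the ratio of distinct usernames to attempts, not the failure count alone: a stuffing burst and a brute-force run both fail most of the time, but only the former spreads its attempts across many accounts, which is also why per-account lockout thresholds miss it and per-source or per-fingerprint rate limiting is needed.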
If a bad actor has valid login credentials, they can steal your personal information (including birthdates, credit card numbers, and possibly social security numbers). They can make purchases and even change your login information, locking you out of your own account. They may also sell your login information or data to other criminal entities, and it often ends up on the dark web or black market.
In 2016, Uber, the world’s leader in ride-sharing, was hit hard by credential stuffing. Stolen login credentials from Uber employees were used to access a private GitHub repository by Uber application developers. Despite knowing better, developers used the same passwords and email addresses from other sites. They also did not enable multi-factor authentication, even though it was available, which allowed hackers to access the GitHub repository.
Hackers were able to access credentials stored in the repository, giving them access to the personal information and data of 32 million Uber members and 3.7 million international drivers.
Another example is a data breach on a third-party racing website that allowed ha