
Understanding Credential Stuffing: What It Is and How to Protect Your Data

Samuel Cork

In 2023, 23andMe, a company that collects customers' genetic data and matches them with relatives, confirmed that its users had been hit by a credential stuffing attack: attackers logged in with username and password pairs that had already leaked from other services. The attack led to 5.5 million records and profiles ending up online (Bitdefender, 2023).


Image: one key and a bunch of locks (AI generated)

What Is Credential Stuffing?

Credential stuffing is an attack that exploits a common user habit: password reuse. When a user registers for a service, they choose an email address or username and a password. Very often the same user then registers for, or logs into, other platforms with exactly the same pair. For instance, someone creates an Amazon account and later uses the same email address and password for an eBay account.


Users frequently manage many accounts, sometimes dozens or even hundreds, all protected by the same password. When one of those organizations is breached, the credentials stored there are exposed. Attackers take the leaked username and password pairs and replay them, usually with automated tooling, against the login pages of other services. Most pairs fail, because most users do not have an account there, but every user who reused the password is logged in as if they were the legitimate owner. A breach at one company therefore turns a single reused password into unauthorized access across every other service where that user reused it.
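The mechanism just described, as an added example that is not part of the original post: a constructed credential dump from a breached "site A" is replayed against a second site's login, and a small detector over the resulting login log flags the replay by its signature (one source trying many distinct usernames with a low success rate). All names, addresses and passwords below are made up, and the thresholds in the detector are assumptions for illustration.

```python
"""Simulated credential stuffing against a second site, plus a simple detector."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: username/password pairs leaked from a breach at "site A".
# Several of these users never registered at site B; that is typical of a real dump.
LEAKED_FROM_SITE_A = [
    ("alice@example.com", "Summer2023!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("dave@example.com", "P@ssw0rd"),
    ("erin@example.com", "letmein123"),
    ("frank@example.com", "qwerty!!"),
]

# Site B stores only salted PBKDF2 hashes, as any site should. Site B is not
# breached here; it is attacked purely through passwords reused from site A.
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(plaintext_accounts):
    """Constructed user database: {user: (salt, hash)}."""
    store = {}
    for user, password in plaintext_accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _pw_hash(password, salt))
    return store

SITE_B_USERS = make_user_store({
    "alice@example.com": "Summer2023!",              # reused from site A -> vulnerable
    "bob@example.com": "8kz!Qm2#vL9p",               # unique -> survives
    "carol@example.com": "a-different-passphrase",   # unique -> survives
    "dave@example.com": "P@ssw0rd",                  # reused from site A -> vulnerable
})

def site_b_login(user, password, store=SITE_B_USERS):
    """Site B's login check (constant-time comparison of the PBKDF2 output)."""
    record = store.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_pw_hash(password, salt), digest)

def stuff(leaked_pairs, login, source_ip="203.0.113.7"):
    """Replay every leaked pair against the target login. Returns the attempt log
    (what site B would see) and the list of accounts that were taken over."""
    log, compromised = [], []
    for user, password in leaked_pairs:
        ok = login(user, password)
        log.append({"ip": source_ip, "user": user, "ok": ok})
        if ok:
            compromised.append(user)
    return log, compromised

def detect_stuffing(log, min_distinct_users=3, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames and mostly fail.
    Thresholds are assumptions; real deployments tune them per site."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for entry in log:
        stats = per_ip[entry["ip"]]
        stats["users"].add(entry["user"])
        stats["attempts"] += 1
        stats["successes"] += int(entry["ok"])
    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(stats["users"]), "success_rate": rate}
    return flagged

if __name__ == "__main__":
    attack_log, taken_over = stuff(LEAKED_FROM_SITE_A, site_b_login)
    print("accounts compromised through password reuse:", taken_over)
    print("sources flagged as credential stuffing:", detect_stuffing(attack_log))
```

Only the two users who reused their site A password lose their site B account; bob and carol, whose site B passwords are unique, are untouched even though their site A credentials leaked. The detector catches the replay not from any single failed login but from the pattern across usernames, which is why per-account lockouts alone miss this attack.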





How to Protect Your Data

The most effective way to avoid falling victim to credential stuffing is to use a unique, strong password for every account. Never reuse a password across websites or applications: each place a password is reused is one more breach that can expose all of your accounts at once.


Next, enable multi-factor authentication (MFA, also called 2FA) wherever it is offered. MFA adds a second proof of identity beyond the password, so a leaked password on its own is not enough to log in. This is typically done with an authenticator app that generates a short-lived code, or with a code sent by text message as a fallback. App-generated codes or a hardware security key are the stronger options; text-message codes still help, but they can be intercepted if an attacker takes over your phone number.
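How the authenticator-app code works and why it blocks a stuffed password, as an added example that is not part of the original post: a minimal TOTP (RFC 6238) implementation with HMAC-SHA1 and six-digit codes, the scheme used by common authenticator apps, wired into a login that requires both the password and the current code. The account, password and key are constructed; the TOTP key is the RFC 6238 test key so the codes can be checked against the published test vectors.

```python
"""TOTP (RFC 6238) as the second factor: a stolen password alone does not log in."""
import hashlib
import hmac
import os
import struct
import time

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter taken from the clock (30 s steps).
    This is what the authenticator app on the phone computes."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def verify_totp(secret, code, at=None, step=30, window=1):
    """Server-side check. Accept the current code or one step either side to
    tolerate clock drift; compare in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, c, len(code)), code)
               for c in range(counter - window, counter + window + 1))

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password, totp_secret=None):
    """Create an account record: salted password hash plus a per-account TOTP key.
    The key is shared with the user's authenticator app once, at enrollment."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": _pw_hash(password, salt),
            "totp": totp_secret if totp_secret is not None else os.urandom(20)}

def login(account, password, code, at=None):
    """Both factors must pass. The password check runs first, the code check
    always runs too, so the response does not reveal which factor failed."""
    pw_ok = hmac.compare_digest(_pw_hash(password, account["salt"]), account["pw"])
    code_ok = verify_totp(account["totp"], code, at=at)
    return pw_ok and code_ok

# Constructed account. RFC_SECRET is the RFC 6238 Appendix B test key.
RFC_SECRET = b"12345678901234567890"
ALICE = enroll("Summer2023!", totp_secret=RFC_SECRET)

if __name__ == "__main__":
    now = time.time()
    # Attacker replays alice's leaked password but has no TOTP key -> guesses a code.
    print("stuffed password, guessed code:", login(ALICE, "Summer2023!", "000000", at=now))
    # Alice types the code from her authenticator app -> both factors pass.
    print("password + app code:", login(ALICE, "Summer2023!", totp(RFC_SECRET, at=now), at=now))
```

The attacker's position in a credential stuffing run is exactly the first call: a correct password and no key, so each guess has roughly a one in a million chance per 30-second window, and a rate limit on code attempts closes even that. The per-account TOTP key never leaves the server and the user's device, which is why a breach of some other site cannot supply it.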


Many users struggle to create and remember dozens of unique passwords, which is exactly why reuse is so common. Fortunately, there are tools that take that burden off the user while keeping a strong security posture.


Using a password manager is the practical way to overcome this limitation. A password manager generates a random, unique password for each site, stores it encrypted, and fills it in when needed, so there is no reason to ever reuse one. Google Chrome has a built-in password manager, and Apple's iCloud Keychain can generate unique passwords and also store the verification codes used for MFA.

This way the only password that needs to be remembered is the one protecting the password manager itself, so make that one long, unique, and backed by MFA.





References

Stahie, S. (2023, December 5). 23andMe Confirms Data Breach That Started as a Credential Stuffing Attack. Bitdefender. https://www.bitdefender.com/blog/hotforsecurity/23andme-confirms-data-beach-that-started-as-a-credential-stuffing-attack/
