
What is credential stuffing and why should you care?

25th November 2019 | posted by David Acland

Credential stuffing is a simple but effective technique for taking over more of your online accounts using a known set of credentials.

It’s scarily simple. The attacker takes one of your username and password combinations that has been leaked online and tries it against a long list of other websites. If a match is found, they add it to the list of working credentials, ready to be sold on or used for malicious purposes.

But how do they know my username and password?

Have you ever signed up for an online service? Maybe a few forums? It’s becoming well known that companies can be extremely valuable if they can build a database of thousands, or even millions, of user accounts. The more details they can record against these accounts, the better.

So everyone is at it! It’s rare to visit a website that doesn’t offer some kind of “login or create an account” option, offering all kinds of benefits behind a curtain.

If nothing else, our FOMO gets us to sign up on some sites!

The issue is that these sites are getting breached all the time! Their databases of usernames and passwords are being hacked and harvested, and then published (or sold) on the Internet.

Of course, for an attacker, having to crawl through hundreds or even thousands of username and password data dumps is a little inconvenient. Luckily for them, these have been lumped together in what have been branded as “collections”. The most notable is “Collection #1”, which held 773 million sets of credentials (https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/).

How do they use the credentials?

The task is to test millions of sets of credentials against thousands of different websites to see if any of them successfully log in.

To get the job done quickly, the attackers will use automation scripts, leaving computers running day and night working through the lists, marking the successful matches.
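From the defender’s side, the pattern just described (one source working through a long list of accounts, with the vast majority of attempts failing) looks very different from a legitimate user mistyping their own password, and it can be picked out of a login log. The following is an added example and not code from the original post; the log format and the sample lines are constructed for illustration.

```python
"""Flag credential-stuffing behaviour in web login logs.

Added example (not from the original post). The log format is constructed:
    <ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 cycles through many different accounts
# (the stuffing pattern); 198.51.100.4 is one user retrying their own login.
SAMPLE_LOG = """\
2019-11-25T09:00:01 203.0.113.7 alice LOGIN_FAIL
2019-11-25T09:00:02 203.0.113.7 bob LOGIN_FAIL
2019-11-25T09:00:02 203.0.113.7 carol LOGIN_FAIL
2019-11-25T09:00:03 203.0.113.7 dave LOGIN_OK
2019-11-25T09:00:03 203.0.113.7 erin LOGIN_FAIL
2019-11-25T09:00:04 203.0.113.7 frank LOGIN_FAIL
2019-11-25T09:00:05 203.0.113.7 grace LOGIN_FAIL
2019-11-25T09:00:10 198.51.100.4 alice LOGIN_FAIL
2019-11-25T09:00:15 198.51.100.4 alice LOGIN_FAIL
2019-11-25T09:00:20 198.51.100.4 alice LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for source IPs that, within one time window, tried
    at least `min_users` distinct usernames and failed at least
    `min_fail_ratio` of the time. `successes` lists the accounts that the
    source did log into, which are the ones to force a password reset on.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        # Sliding window over this IP's events, ordered by time.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, ok in window_evs if not ok)
            ratio = fails / len(window_evs)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "successes": sorted({u for _, u, ok in window_evs if ok}),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The two signals that matter are the number of distinct usernames from one source and the failure ratio; a single user locked out of their own account trips neither. Real deployments also have to account for attackers spreading attempts across many IPs, so the same logic is usually also run per username-space or per user agent rather than per IP only.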

Why are they doing it?

Simply put, there’s money in it. The value can range from a few £ to several hundred per item, depending on what you can do with it.

The value is based on a few factors:

  • How convincingly can they use the credentials to impersonate you?
  • What can they do with each specific set of credentials if they find a match?

At the low end, maybe valued at £1-2, would be a website login that can be used to damage your reputation.

Moving up are credentials that hold richer PII (personally identifiable information) that can be used for social engineering, or have the ability to unlock other accounts. For example, if an attacker had access to your email account, they could use it to perform password resets on other services you signed up for.

At the top would be credentials that hold direct value. This can be things like air miles, loyalty card points, successful Fortnite accounts, virtual currency, or just plain money.

How do I protect against it?

There are a few things you can do to protect against credential stuffing.

First off, use MFA whenever possible. Although not foolproof, it is a significant security enhancement that will make it much harder for the attacker to access your online accounts. It means that even if an attacker knows your username and password, they also need to get a continuously rotating 6-digit number from your phone or Authenticator app.

The second recommendation is to use a different password for each web service. This means that if an attacker gets one of your passwords right, it will be isolated to that one compromised web service.

Of course trying to remember hundreds of passwords may seem a little daunting. To help with this, we would recommend using a password manager. There’s a range of paid and free password manager tools like 1Password, LastPass, and Dashlane available that can generate and store randomised passwords for each individual service.

The last recommendation is to check your email address and passwords with https://haveibeenpwned.com/. This is a free service that can let you know whether your email or passwords have shown up on leaked credential lists. This way, you’ll know if you need to change them.
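The password check on Have I Been Pwned is designed so that you never send the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned list of suffixes locally. The following is an added example, not code from the original post or from the HIBP project. The range URL is the real Pwned Passwords API; the response body embedded below is a constructed sample in that API’s format (the count shown is made up), so the check runs offline.

```python
"""Check a password against a Pwned Passwords range response using the
k-anonymity scheme: only a 5-character hash prefix ever leaves the machine.

Added example (not from the original post). RANGE_URL is HIBP's real range
endpoint; SAMPLE_RANGE_BODY is a constructed response in that format.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password):
    """URL that would be queried; note it carries only the hash prefix."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_URL.format(prefix=prefix)


def breach_count(password, range_body):
    """Parse a 'SUFFIX:COUNT' response body and return how many times this
    password's hash appeared in the breach corpus, or 0 if it is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (network). Not called in the offline demonstration below."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the SHA-1 prefix of "password".
# The middle line is the real suffix of SHA-1("password"); the count is made up.
SAMPLE_RANGE_BODY = """\
1E2A5B7D5C9F4A1E8C0E7B3D2F1A9C8B7D6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0C3D4E5F60718293A4B5C6D7E8F9A0B1C:1
"""

if __name__ == "__main__":
    for pw in ("password", "a-long-random-passphrase-from-a-manager"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_BODY), "via", range_request_url(pw))
```

Because the server only ever sees a prefix shared by hundreds of hashes, it cannot learn which password was checked; that is why a password manager or a signup form can safely run this test against every password it is given.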
