IdentityForce LogoIdentityForce Logo
Protect What Matters Most.
hacker stealing username and password for credential stuffing attack
Posted on October 7, 2020 by in Credit Fraud & Monitoring, Identity & Privacy, Personal, Scam Alerts

What is credential stuffing?

Credential stuffing is a type of cyberattack where cybercriminals take large databases of usernames and passwords, often stolen through recent data breaches, and attempt to “stuff” the account logins into other web applications using an automated process. In a credential stuffing attack, the fraudster uses access to consumer accounts to make fraudulent purchases, conduct phishing attacks, and steal information, money, or both. Credential stuffing is especially dangerous for consumers who use the same username and password combinations for more than one account, giving a cyber thief access to all of those accounts at one swipe.

In July of 2020, multiple databases containing the stolen information of over 386 million consumers were posted online in a hacker forum — all for free. Cyberthieves stole the exposed data from eighteen companies, and although the Personally Identifiable Information (PII) in each database varies, it typically contained names, user names, email addresses, and passwords. Nowadays, hackers can decipher hashed passwords, further exposing a breach victim to account takeover and credential stuffing attacks. In the same month, the online grocery shopping service, Instacart, announced an internal investigation proved that Instacart “was not compromised or breached.” Instead, over 250,000 customers fell victim to a credential stuffing attack.

5 Signs of a Credential Stuffing Attack

  1. You are unable to access your account because the login information is incorrect.
  2. You are notified that your account has been locked due to “too many login attempts,” which you have not made.
  3. You receive an email confirmation that your password has been updated without your consent.
  4. You detect fraudulent charges made using the bank accounts linked to certain online accounts.
  5. You stop receiving email notifications for accounts because your email was changed to direct notifications to the hacker.

How does credential stuffing differ from a data breach?

A data breach often precedes a credential stuffing attack, where a hacker illegally accesses a company’s database of customer information and either uses the information maliciously in identity fraud schemes or posts the stolen data on the dark web for a profit. Once that information is purchased, cybercriminal use the breached PII and login credentials to credential stuffing attacks.

Quick Stats on Stolen Account Information

  • 15 billion stolen account credentials circulating on the dark web
  • 85% of data leaks include emails and passwords
  • 1 in 3 breach victims later become a victim of identity theft
  • 40% of all fraud activity associated with an account takeover occurs within 24 hours
  • 350% increase in active phishing sites in 2020, according to Google
  • 50,000 fake login pages for 200 global brands have been discovered in the first half of 2020, simply designed to steal account login information

What is the harm in credential stuffing?

A recent SecureAuth survey found that 53% of consumers reuse the same password for different accounts. When login credentials are exposed to hackers, even once, they can be used to access a multitude of accounts, whether it is an email account, health insurance, or online store. The criminal gains unlimited access to all the personal information, financial account details, medical information, or other sensitive data within each account. This leaves you not only vulnerable to account takeover fraud, but also credit card fraud, medical identity theft, tax fraud, and identity theft.

What do I do if I’m a victim of a credential stuffing attack?

Often, victims of credential stuffing do not recognize that their accounts have been accessed by a third-party until they review their past transactions or attempt to log into a less frequently used account. If you believe your account has been hijacked, update your password immediately and contact the company to sort out any fraudulent charges or changes made to your account information. Also, report the credit card fraud to your credit card company and place a fraud alert if you have other online accounts with your cards attached.

How can I protect myself from credential stuffing?

Updating old and duplicate passwords is the first step in protecting yourself from credential stuffing attacks. It is vital to invest in a password manager, giving you one secure location to safeguard your unique and hard-to-crack passwords. A password manager also makes it easier to update your passwords more frequently, especially after every notification that a data breach has compromised your information. Monitor your credit and account transaction history for fraudulent charges made to your account. Criminals often start by making small, hard to detect charges to test an account’s viability before escalating to more significant purchases.

Two-factor authentication (2FA) creates an extra layer of security that forces identity thieves to do more than crack a password. Two-factor authentication involves combining two of something you know (a password), something you have (a mobile device or email), or something you are (biometric identifier). Keep your accounts safe from credential stuffing by enabling 2FA everywhere it’s available. And although this additional step may feel like a hassle when you are trying to speed through some account management or online purchase, it’s worth the effort.

Get the Best Identity Theft Protection Today

If you think your information has been disclosed in a data breach or you have been victimized by a credential stuffing attack, we can help you take steps to protect what matters most. IdentityForce can help monitor your identity and credit while providing you with the latest news and information in identity theft protection. Start your FREE 30-day trial of IdentityForce today!

**Originally posted August 3, 2017. Updated October 7, 2020.**