
Types of Cyber Attacks - Credential Stuffing

This article is linked to a series of articles about different types of Cyber Attacks. They can be viewed in the Information/Cyber Security News section of the Data Protection Education website or as part of the Information & Cyber Security Best Practice Area. Each article discusses a different type of cyber attack, steps to try to minimise the risk and guidance

Credential stuffing takes advantage of people reusing username and password combinations across different accounts.  

Attackers fraudulently obtain valid combinations for one site and then use them across other sites to try to gain access to accounts. Any website that requires an online login is potentially vulnerable.

Many people reuse the same username (or email address) and password combination. When those credentials are exposed, by a database breach or a phishing attack, submitting the stolen sets to many other sites lets an attacker compromise those accounts too.

Credential stuffing is a type of brute force attack. Classic brute forcing guesses many passwords against one or many accounts; credential stuffing instead replays specific username/password pairs taken from a breach against other websites. It is one of the most common techniques for gaining access to user accounts because it is easy for the attacker to automate and does not require any specialist skills.

Steps of an Attack

  1. The attacker acquires usernames and passwords from a website breach, phishing attack or password dump site.
  2. The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces or web apps).
  3. If the login is successful, the attacker knows they have a set of valid credentials.

Now the attacker knows they have access to an account. Potential next steps include:

  1. Draining stolen accounts of stored value or making purchases.
  2. Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
  3. Using the account to send phishing messages or spam.
  4. Selling credentials known to be valid for one or more of the compromised sites to other attackers.

A recent credential stuffing attack on PayPal account users, reported by Computing:

PayPal has reset passwords on all impacted accounts

Defence against Credential Stuffing

  1. Use multi-factor authentication
  2. Use secondary passwords, PINs and security questions
  3. Use CAPTCHA
  4. IP address block listing
  5. Biometrics
  6. Check against leaked passwords using the site haveibeenpwned.com
  7. Notify staff about unusual security events
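As an added illustration (not part of the article), the following Python shows how a defender can tell the two patterns described above apart in web login logs: credential stuffing spreads a few attempts over many different accounts, while brute forcing hammers one account with many passwords. The log events, thresholds and IP addresses are constructed assumptions; the output feeds defences 4 and 7 (block listing and alerting staff) and a password reset for any account the stuffing source got into.

```python
from collections import defaultdict

# Constructed sample of login events as (source_ip, username, outcome).
# Not taken from any real system; shaped to show three patterns side by side.
LOGIN_EVENTS = [
    ("203.0.113.9", "alice", "fail"),      # one try per account, many accounts
    ("203.0.113.9", "bob", "fail"),
    ("203.0.113.9", "carol", "fail"),
    ("203.0.113.9", "dave", "success"),    # a reused password worked here
    ("203.0.113.9", "erin", "fail"),
    ("203.0.113.9", "frank", "fail"),
    ("198.51.100.7", "alice", "fail"),     # many tries against a single account
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("192.0.2.44", "grace", "success"),    # ordinary user, one typo
    ("192.0.2.44", "grace", "fail"),
]

def classify_sources(events, min_attempts=5, max_success_rate=0.5):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are assumptions for the example: a source is suspicious only if
    it made at least min_attempts and most of them failed. If nearly every
    attempt targets a different username it looks like stuffing; otherwise the
    repeated hammering of few usernames looks like classic brute force.
    """
    per_ip = defaultdict(list)
    for ip, user, outcome in events:
        per_ip[ip].append((user, outcome))
    verdicts = {}
    for ip, attempts in per_ip.items():
        total = len(attempts)
        distinct_users = len({u for u, _ in attempts})
        successes = sum(1 for _, o in attempts if o == "success")
        if total < min_attempts or successes / total > max_success_rate:
            verdicts[ip] = "normal"
        elif distinct_users / total >= 0.8:  # almost every attempt is a new account
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts

def block_list(events):
    """Source IPs that would be added to the IP block list (defence 4)."""
    return sorted(ip for ip, v in classify_sources(events).items() if v != "normal")

def accounts_to_reset(events):
    """Accounts that a stuffing source logged into; these need a forced reset."""
    flagged = {ip for ip, v in classify_sources(events).items() if v == "credential_stuffing"}
    return sorted({u for ip, u, o in events if ip in flagged and o == "success"})
```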

What to do in an attack:

If you are a victim of a credential stuffing attack we would recommend reporting this to Action Fraud, as well as to your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Remember: 'Hackers don't break in, they log in!'