What Is Credential Stuffing? (and How to Protect Yourself)

A silhouette of a padlock in front of a Zoom logo.Ink Drop / Shutterstock.com

A total of 500 million Zoom accounts are for sale on the dark web through “stuffing of credentials”. It is a common way for criminals to break into online accounts. Here’s what that term actually means and how you can protect yourself.

It starts with leaked password databases

Attacks on online services are common. Criminals often exploit system security vulnerabilities to acquire databases of user names and passwords. Stolen login credentials databases are often sold online on the dark web, with criminals who pay Bitcoin for the privilege of accessing the database.

Let’s say you had an account on the Avast forum, which was raped in 2014. This account has been hacked and criminals can have your username and password on the Avast forum. Avast contacted you and made you change your forum password, so what’s the problem?

Unfortunately, the problem is that many people reuse the same passwords on different websites. Suppose your login information for the Avast forum was “you@example.com” and “AmazingPassword”. If you log into other websites with the same username (your email address) and password, any criminal who acquires your leaked passwords can access these other accounts.

RELATED: What is the Dark Web?

Potting credentials in action

“Credding credentials” involves using these disclosed connection details databases and attempting to connect with them on other online services.

Criminals take large databases of leaked username and password combinations – often millions of login credentials – and try to connect with them on other websites. Some people re-use the same password on multiple websites, so some will match. This can usually be automated with software, quickly trying out many connection combinations.

For something so dangerous that seems so technical, that’s it: try credentials already leaked on other services and see what works. In other words, “hackers” fill in all of this login information in the login form and see what is going on. Some of them are sure to work.

It is one of the most Common Means Used By Attackers To Hack Online Accounts these days. In 2018 alone, the content delivery network Akamai recorded almost 30 billion attacks of credentials jamming.

RELATED: How attackers “hack” online accounts and how to protect themselves

How to protect yourself

Several keys next to an open padlock.Ruslan Grumble / Shutterstock.com

Protecting yourself against credentials jamming is fairly straightforward and involves following the same password security practices that security experts have recommended for years. There is no magic solution, just good password hygiene. Here are the tips:

Avoid re-using passwords: Use a unique password for each account you use online. That way, even if your password leaks, it can’t be used to log in to other websites. Attackers may try to stuff your credentials into other login forms, but they will not work.
Use a password manager: Remembering strong unique passwords is an almost impossible task if you have accounts on multiple websites, and almost everyone has them. We recommend using a password manager as 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you. It can even generate these strong passwords from scratch.
Enable two-factor authentication: With two-step authentication, there’s something else you need to provide Рlike a code generated by an app or sent by text Рevery time you log on to a website. Even if an attacker has your username and password, he will not be able to log into your account if he does not have this code.
Get leaked password notifications: With service like Have I been put on hold?, you can receive notification when your credentials appear in a leak.

RELATED: How to check if your password has been stolen

How services can protect themselves from credential jamming

While individuals must take responsibility for securing their accounts, there are many ways for online services to protect themselves from attacks of credential jamming.

Analyze leaked databases for user passwords: Facebook and Netflix scanned databases leaked for passwords, sending them back to login information on their own services. In case of correspondence, Facebook or Netflix can invite their own user to change their password. It is a way of beating identification hangmen with a punch.
Offer two-factor authentication: Users must be able to enable two-factor authentication to secure their online accounts. Particularly sensitive services can make this mandatory. They can also ask a user to click a connection verification link in an email to confirm the connection request.
Require a CAPTCHA: If a connection attempt seems strange to you, a service may require entering a CAPTCHA code displayed in an image or clicking on another form to verify that a human – and not a bot – is trying to connect.
Limit repeated connection attempts: Services should try to prevent robots from attempting a large number of connection attempts in a short period of time. Modern sophisticated bots can attempt to connect from multiple IP addresses at once to hide their attempts to stuff credentials.

Bad password practices – and, to be fair, poorly secure online systems that are often too easy to compromise – make credential stuffing a serious threat to the security of online accounts. It is not surprising many tech companies want to build a more secure world without passwords.

RELATED: The tech industry wants to kill the password. Where is it?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.