What to Know About Credential Stuffing and How You Can Protect Yourself

Catherine McHugh
Sep 30, 2020

Credential stuffing can result in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. Photo credit: Tempura/Getty Images

Cybercrime is nothing new. In the wake of the Coronavirus outbreak, phishing scams and other types of identity fraud spiked. Now, the Securities and Exchange Commission (SEC) has issued a Risk Alert about a recent uptick in a type of cyberattack known as “credential stuffing.”

Here’s what you should know about credential stuffing and how to protect yourself from this type of cyberattack.

What is credential stuffing?

Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials. Basically, cyberattackers use the dark web to obtain lists of usernames, email addresses and corresponding passwords from previous hacks. Then they try those logins on other sites because, admit it, many of us tend to reuse the same username and password combinations. Of course, the best practice is not to use the same credentials and to add variability to all passwords.

According to the SEC, there has been an increase in attempts by cybercrooks to use this strategy to get into people’s financial accounts. Think of all the things you can do when you log in to your accounts at financial institutions. While there are a number of defenses in place at your financial institutions themselves, if a cybercriminal logs into your account, they may have access to steal your money.

What defenses are companies employing?

Most companies continually work to detect and block credential stuffing attempts through a number of proactive actions. These include monitoring the dark web and checking to see if leaked information might be tied to their own customer’s usernames, blocking potential fraudsters from logging in and requiring stronger passwords and multifactor authentication (like getting a code texted to your phone in order to log in).

How can you protect yourself?

The key to keeping cybercriminals out of your accounts is to take a few moments to make sure you’re protecting yourself online:

Use a unique username and password for every account. We get it, there’s no way you can remember a unique username and password for all your different logins—particularly when you consider that you likely have a login for everything from your bank to your fast food chain (online ordering is a savior during COVID!).

The good news is that you don’t have to. You can keep track by using a password manager. You set these up by creating a master password (which should be long and complicated with numbers and special characters). Once you have committed that to memory, the service will do the rest. It will store credential pairs when you enter them into websites, so you will never need to manually enter them again, and it makes it easier to change your existing passwords. That way, if one of your passwords does get snagged in a data breach, the rest of your online services won’t be exposed. Most also offer a random password generator tool that you can customize. Password managers can also store things like credit card numbers and insurance information.

Set up multifactor authentication (MFA). Strong security uses something you have and something you know. That way if a criminal gets access to one of those things — say your username and password — they won’t have access to your account without the other thing.

Multifactor authentication is typically available for any sensitive account like your financial institutions or your email. It’s most commonly a unique code that’s either sent to you via text, app, phone or email. Generally, once the access is authenticated, the website can remember the device that the additional data is entered on, so you don’t have to go through this process every time you log in.

It’s a good idea to set up MFA on all your sensitive accounts, particularly at financial institutions and for your email accounts (where password reset instructions are often sent).

Add on a physical key. To make your MFA protection even stronger, you can buy a physical security key, which is a USB you can connect to your computer that will authenticate your account logins. The benefit of a physical key is that you must physically have it to get into your accounts. While nothing is foolproof, it’s tough for a cybercriminal who is used to operating behind a computer screen to get something that you have in your possession.