Credential Stuffing Is No Joke, Especially After Last Year

I propose a challenge to everyone who reads this article. If you can answer this question with a “yes,” then you must share this article on your LinkedIn and Twitter accounts. Do you currently use the same login credentials for more than one website?

I am expecting to get a ton of visits to this article, because I doubt that one of you can answer this question with a “no.”  This brings me to the whole point of why I am writing this.

So, what is Credential Stuffing?

Credential stuffing is the automated replay of stolen username and password pairs against a site's login form. An attacker takes a huge list of credentials leaked from other sites' breaches, runs them through a bot, and makes high-frequency attempts at logging in, betting that some of those users reused the same password here. It is not password guessing: each pair is typically tried once, across as many accounts as the list contains.

What happened last year?

2016 was a record year in terms of the number and size of security breaches. Organizations around the world reported over 3 billion stolen combinations of usernames and passwords. The biggest was the Yahoo incident of 1.5 billion, which we all probably heard about. It’s also the reason Verizon is second-guessing whether to acquire Yahoo. LinkedIn leaked 167 million accounts and Myspace had 360 million. These are just a few examples.

News article on the LinkedIn data breach that exposed 167 million account credentials

What’s the real risk here?

Let’s go back to my point in the beginning of this article. Many of us are using the same login credentials for many sites on the Internet. In fact, I bet a lot of us have a Yahoo account that was part of the 1.5 billion stolen ones. That’s pretty scary to think about. A lot of you are probably thinking, hmmm…what accounts do I have where I’ve used the same credentials? My bank account? Retirement accounts? Shopping sites where I have my credit card saved? Maybe Netflix? You see what I mean now?

Security experts have said that credential stuffing attacks are successful about 2% of the time. That’s insanely high: a 2% hit rate against a list of one million breached pairs is 20,000 compromised accounts on a site that was never itself breached. They’ve also said that after analyzing the login activity of some Fortune 100 firms, in some cases over 90% of that activity was credential stuffing attempts. Can you imagine hearing that as an owner of one of those firms?

As a consumer, it is highly recommended that you use a different password for every site, so that one breach cannot be replayed against the rest; a password manager makes that practical, and multi-factor authentication, where a site offers it, means a leaked password alone is not enough. This is nothing new and we should all know this. However, most of us don’t care.

As a website owner, if your site has a login, you should be concerned.  The more data breaches that take place, the more at risk every site owner becomes.  When the next data breach occurs in 2017, instead of thinking “man, that sucks for them,” you should really be saying “oh crap, now I’m more at risk, what should I be doing?”

The reason credential stuffing is so dangerous is that the nature of the attack makes it very difficult to detect. Bots are not exploiting vulnerabilities in the application; they are using the login page exactly the way it was meant to be used. Any single request looks like a human who mistyped a password. The bots differ only in aggregate: far higher frequency, far more distinct accounts touched, and far more failures than real users produce. This not only puts your customers at risk, but it creates a higher load on your infrastructure and latency on those pages for real humans.

There are many things you should be doing to secure your platform, but as it relates to credential stuffing, you need a solution that identifies and blocks malicious bots at the login endpoint based on how the traffic behaves over time (volume per source, failure rates, how many distinct accounts a source touches) rather than on any single request, which on its own looks legitimate.
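The two paragraphs above say why a stuffing bot is invisible request by request and only shows up in aggregate. The following is an added example of what that aggregate detection looks like in code; it is not code from this site or from any bot-mitigation product. It assumes a login audit log with one line per attempt in the form `<ISO timestamp> <source IP> <username> <OK|FAIL>` (an assumed format), and the thresholds (10 attempts, 10% success ratio, 10 attempts per minute) are illustrative assumptions, not tuned numbers. The sample log is constructed, and includes a second check that a practitioner will want: an attacker who spreads the list across many IPs stays under every per-IP threshold, so the site-wide share of distinct accounts seeing failures is tracked as well.

```python
"""Credential-stuffing detection over a login audit log (added example, not the page's code).

Per-source heuristics separate three shapes of login traffic:
  - normal:               few attempts, or mostly successful, or slow
  - credential_stuffing:  many attempts, mostly failures, nearly every attempt a different username
  - password_guessing:    many attempts, mostly failures, concentrated on one or a few usernames
A site-wide signal catches stuffing that is spread thinly across many source IPs.
Log format and thresholds are assumptions for illustration.
"""
from datetime import datetime


def _constructed_log():
    """Constructed sample traffic (not real data) in the assumed log format."""
    lines = [
        "2017-01-10T09:00:01Z 198.51.100.7 alice FAIL",   # human mistypes, then succeeds
        "2017-01-10T09:00:09Z 198.51.100.7 alice OK",
        "2017-01-10T09:00:15Z 198.51.100.9 bob OK",
    ]
    # Stuffing bot: 12 breached pairs replayed in 22 seconds; one of them still works.
    for i in range(12):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2017-01-10T09:01:{i * 2:02d}Z 203.0.113.5 user{i:04d} {result}")
    # Password guesser: one account hammered with 10 guesses in 27 seconds.
    for i in range(10):
        lines.append(f"2017-01-10T09:02:{i * 3:02d}Z 192.0.2.44 carol FAIL")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def profile_sources(events):
    """Aggregate per source IP: attempts, distinct usernames, successes, first/last time."""
    stats = {}
    for ts, ip, user, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "successes": 0, "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def classify(stats, min_attempts=10, max_success_ratio=0.10, min_rate_per_min=10):
    """Label each source IP as 'normal', 'credential_stuffing' or 'password_guessing'."""
    labels = {}
    for ip, s in stats.items():
        span_minutes = max((s["last"] - s["first"]).total_seconds(), 1) / 60
        rate = s["attempts"] / span_minutes
        success_ratio = s["successes"] / s["attempts"]
        if s["attempts"] < min_attempts or success_ratio > max_success_ratio or rate < min_rate_per_min:
            labels[ip] = "normal"
        elif len(s["users"]) >= 0.8 * s["attempts"]:
            # Each pair tried about once, across many accounts: a breached list being replayed.
            labels[ip] = "credential_stuffing"
        else:
            # Many attempts on few accounts: password guessing, not list replay.
            labels[ip] = "password_guessing"
    return labels


def global_failure_signal(events, max_failed_user_share=0.15):
    """Site-wide check for distributed stuffing: share of distinct usernames that saw a failure.

    A bot fleet that keeps every IP under the per-source thresholds still fails against
    most of the accounts it touches, so this ratio jumps even when no single IP stands out.
    The 15% baseline is an assumption; in practice it comes from the site's own history.
    """
    users_seen = {user for _, _, user, _ in events}
    users_failed = {user for _, _, user, ok in events if not ok}
    share = len(users_failed) / len(users_seen) if users_seen else 0.0
    return share, share > max_failed_user_share


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, label in classify(profile_sources(evts)).items():
        print(f"{ip:15} {label}")
    share, alarm = global_failure_signal(evts)
    print(f"distinct accounts with failures: {share:.0%} (alarm={alarm})")
```

Run as-is, the stuffing source 203.0.113.5 and the guessing source 192.0.2.44 are separated by the distinct-username ratio alone; both would be blocked, but the stuffing label is the one that tells you a breached list is being replayed and that the 1-in-12 success belongs to a customer who reused a password. The per-IP rule is the easy half; the site-wide ratio is what survives once the attacker rents a few thousand IPs.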
