Credential stuffing is a type of cyber-attack where hackers take combinations of usernames and passwords leaked from other sites and use them to gain access to accounts on another site. F5 states that there’s typically a 1 to 2 percent success rate, which means that if a cybercriminal purchases 1 million stolen credential records (for sale on the dark web for fractions of a cent each), they can generally gain access to 10,000 to 20,000 accounts.
In a recent Ponemon Institute survey, respondents cited that these attacks cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of $1.7 million, $2.7 million and $1.6 million annually, respectively.
In addition, the companies represented in this research estimate that the monetary cost of fraud due to credential stuffing attacks can range from an average of more than $500,000 if 1 percent of all compromised accounts result in monetary loss to more than $54 million if 100 percent of all compromised accounts result in monetary loss.
Password reuse. According to Keeper Security, as many as 87 percent of people reuse the same password across multiple accounts. And while they may not share passwords with others, they use them across multiple websites, making it easy for cyber-criminals to break into the various accounts with the same password. In addition, Ponemon also states that companies are vulnerable to credential stuffing attacks because:
- It’s difficult to differentiate the criminal from the real customers, employees and users who have access to the companies’ websites.
- Migration to the cloud is an important IT strategy, but it increases the risk of credential stuffing attacks.
- Companies do not have sufficient solutions or technologies today for preventing and/or containing credential stuffing attacks.
How Can Companies Prevent/Mitigate Credential Stuffing Attacks?
Companies who wish to prevent credential stuffing attack must take a layered security approach.
- Web Application Firewall - Your First Line of Defense
A robust web application firewall (WAF) is the first line of defense against credential stuffing attacks. A WAF can provide advanced bot detection and prevention. By analyzing behavior, such as IP location, time of day, and connection attempts per second, a WAF can help you identify non-browser login attempts.
- Embrace Multi-Factor Authentication
Multi-Factor Authentication works to thwart credential stuffing by requiring additional information or credentials from the user to gain access to corporate data. MFA doesn’t stop all types of attacks, and it doesn’t guarantee security, but it does add additional layers of authentication that make cyberattacks more difficult.
- Educate Your Employees
Empower your users with some password management best practices. According to F5, the most significant takeaway for your employees is that no one should ever use network login credentials on any third-party site, because if that site is compromised, then cybercriminals will have access to your corporate network and any applications within.
Don’t Go At It Alone
OneNeck’s offers extensive cybersecurity expertise. We identify the gaps and provide remediation guidance, and a roadmap to face the future with confidence. In today's accelerated world, you need a partner that helps keep you safe — so you can stop wondering if everything's alright.