In November 2019, over 2000 users of NordVPN, a service offering Virtual Private Networks (VPNs), had their accounts compromised. It was an example of credential stuffing, a type of cyberattack that takes advantage of human frailty regarding passwords to take over accounts.
Credential stuffing may seem similar to data breaches and brute force attacks but there are various points of difference. In the case of a data breach, much of the data that is stolen from an organization comprises user names and passwords. The people who steal this data often sell it on the dark web for inordinate amounts of money.
The weakest link is weak passwords
Attackers obtain these credentials from different sources and take advantage of the fact that most individuals do not change their user names or passwords across websites. In fact, most people use the same credentials on almost every website.
Hackers use automated credential stuffing software to try these credentials against websites. The rate of success is extremely low (0.1-0.2%), but when an attacker has access to more than a billion credentials, even such a low rate of success can enable them to get successful matches for 1,000 accounts.
The rest is easy and also scary to guess – once inside these accounts, attackers can use them as they please. They can make unauthorized transactions, send malware to other accounts and basically create havoc. Credential stuffing attacks are getting more and more prevalent – big names like Nest, Uber, Superdrug and even Dunkin’ Donuts have recently had to deal with credential stuffing attacks.
The importance of maintaining strong credentials
Preventing credential stuffing attacks is only possible by following an age-old cybersecurity strategy: strong passwords. Enterprises at risk of credential stuffing attacks need to keep on reiterating the importance of maintaining strong passwords along with other good cybersecurity habits to all their employees and partners across the supply chain.
Some of the key messages that need to be reinforced are:
Don’t use the same credentials across different websites
Employees don’t like remembering passwords, so they create one strong password and use it everywhere. It’s a big no-no and, as credential stuffing attacks demonstrate, if attackers can gain access to a password through one site, it’s quite probable that they’ll be able to gain access to all other services you use (including financial information).
Enforce and popularize multi-factor authentication
Multi-factor authentication is the best defence against credential stuffing attacks. It provides an additional layer of security and requires users to complete a mandatory validation step every time they log in, which helps reduce the dependency on passwords. While it may be difficult for enterprises to implement an organization-wide multi-factor authentication policy, it should be used in as many places as possible.
Train employees to use strong, complex passwords
Security is a habit, rather than a process. Enterprises need to ensure they have a cybersecurity-first mindset, and the way to cultivate that is by continuously training and reminding employees about the importance of creating strong, dynamic passwords. This should be done at the onboarding stage and continuously throughout the employee lifecycle.
Blacklist suspicious IPs
Security teams should always be scanning the data and identifying where threats to their enterprises originate from. It’s a good practice to blacklist any suspicious IPs that keep cropping up regularly to lessen the chances of a cyberattack.
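One way to find the suspicious IPs described above, shown as an added example (not code from this article or from Seqrite): credential stuffing shows up in login logs as one source trying many different user names with a very low success rate. The log format, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log. Assumed format: "timestamp ip username result".
SAMPLE_LOG = """\
2019-11-01T10:00:01Z 203.0.113.7 alice FAIL
2019-11-01T10:00:02Z 203.0.113.7 bob FAIL
2019-11-01T10:00:03Z 203.0.113.7 carol FAIL
2019-11-01T10:00:04Z 203.0.113.7 dan FAIL
2019-11-01T10:00:05Z 203.0.113.7 erin OK
2019-11-01T10:00:06Z 203.0.113.7 frank FAIL
2019-11-01T10:01:00Z 198.51.100.20 dave FAIL
2019-11-01T10:01:09Z 198.51.100.20 dave FAIL
2019-11-01T10:01:20Z 198.51.100.20 dave OK
2019-11-01T10:02:00Z 192.0.2.10 gina OK
2019-11-01T10:02:05Z 192.0.2.10 hal OK
2019-11-01T10:02:09Z 192.0.2.10 ivy OK
2019-11-01T10:02:12Z 192.0.2.10 jo OK
2019-11-01T10:02:30Z 192.0.2.10 kim OK
truncated line
"""

def suspicious_ips(log_text, min_users=5, max_success_rate=0.2):
    """Return {ip: (distinct_users, attempts, successes)} for IPs that try
    many distinct user names while almost all of their logins fail."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines instead of crashing
            continue
        _, ip, user, result = parts
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        entry["ok"] += 1 if result == "OK" else 0
    flagged = {}
    for ip, entry in stats.items():
        rate = entry["ok"] / entry["attempts"]
        # A forgetful user retries ONE name; a shared office IP has many
        # names but mostly successes. Stuffing has many names, few successes.
        if len(entry["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = (len(entry["users"]), entry["attempts"], entry["ok"])
    return flagged

if __name__ == "__main__":
    for ip, (users, attempts, ok) in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {users} users, {attempts} attempts, {ok} successful")
```

Any account that logged in successfully from a flagged IP (erin in the sample) should be treated as compromised and have its password reset, in addition to the IP being blocked.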
Seqrite Endpoint Security helps enterprises prevent credential stuffing and other dangerous cyberattacks through its top-of-the-line protection solutions, integrating advanced technologies like Anti Ransomware, Advanced DNA Scan and Behavioral Detection System.