Credential stuffing’s popularity rose dramatically in 2018 — in fact, Akamai recorded nearly 30 billion credential stuffing attacks in 2018 — and businesses certainly haven’t seen the last of this type of cyber attack. For example, on 24 May 2019, a credential stuffing attack enabled criminals to access up to 139 million profiles on the popular graphic design platform, Canva. So businesses that take cybersecurity seriously need to protect against credential stuffing cyber attacks.

What is credential stuffing?

A credential stuffing attack is a type of brute force cyber-attack used to gain unauthorised access to one or more user accounts. Criminals use an automated system to enter large numbers of previously breached username and password pairs into website login fields to see if any of them match existing accounts. The attacker then hijacks any accounts they’re able to log into.

In most cases, the best way to deal with credential stuffing is to prevent it from happening in the first place.

How to prevent credential stuffing?

Businesses can prevent credential stuffing attacks in two main ways: they can ensure that their staff implement personal cybersecurity measures, and implement security measures for their business.

Every individual staff member should: 
 

1. Use a unique password for every account they create on every website 
   • A password manager can make this much easier because it means users only have to remember one password (the master password for their password manager). Many password managers also automatically create strong passwords.
   • One such password management solution is Dashlane, which is included as a complimentary value-added service in Chubb’s Cyber Enterprise Risk Management (Cyber ERM) policies.
2. Use multi-factor authentication (MFA) to protect accounts wherever possible
   
   • Companies like Facebook and Google add MFA to their users’ accounts so logging in using such accounts is good security practice.
3. Refrain from using their corporate email address to sign up for websites
   
   • Using corporate email addresses attracts unnecessary attention to the organisation and makes it harder to prove whether the employee or hacker was responsible for the actions taken while an account was compromised.

Once all staff members are taking adequate security precautions, the risk of their credentials being stolen is significantly reduced. And if a set of credentials for one account is stolen, the damage will be reduced as well because it will be limited to a single account. Implementing the following proactive and reactive company cybersecurity measures will further reduce the likelihood that a business’s systems will be compromised by a credential stuffing attack.
 

1. Implement a MFA system
   • This includes requiring all employees and customers/clients to log into all company systems using MFA.
      
2. Perform an internet presence assessment to determine which corporate systems are visible from the internet. These are potential gateways to the organisation’s systems and should be monitored closely.
   
   
3. Perform security testing on all internet-connected systems including:
   • Virtual Private Networks (VPNs)
   • Office 365
   • Remote Desktops
   • Citrix
      
4. Protect all stored passwords with hashing so a data breach doesn’t reveal any actual login details.
   
   
5. Monitor for breaches including breaches where:
   • The business’/ employee’s credentials are stolen
   • Stolen credentials are used to fraudulently access the business’ accounts
      
6. Educate users about appropriate personal security measures such as using unique passwords across different websites etc.
   
   
7. Use web application firewalls that can help to monitor for attacks and identify breaches.
   
   
8. Monitor frequency of attacks
   • Systems that are attacked more often may warrant more stringent security measures
   • A sudden increase in cyber attacks on a given system may indicate there has been a breach somewhere
      
9. Develop an incident response plan and rehearse it frequently to ensure that all stakeholders are familiar with their roles and responsibilities in a breach.

These 12 tips were first shared during Chubb’s ‘Credential Stuffing Debunked’ webinar, by guest speaker, Jeremy du Bruyn, Practice Manager at Sense of Security Pty Ltd.