One of the core tenets of cybersecurity best practices from CISA is to use strong passwords. Yet many of us are still terrible at password security: 51% of us use the same password for our work and personal accounts. At least 24% of us use one of eight very easy-to-guess passwords such as “admin” or “abc123”, and year after year “12345” tops the list of the worst passwords in use.
Another important fact: 64% of us don’t know, and haven’t checked, whether our information, including passwords, has been stolen, and the same share of American consumers don’t know what to do if their information is indeed stolen.
Credential Stuffing Attacks
All of these factors have resulted in a perfect storm for threat actors to employ something known as credential stuffing attacks. A credential stuffing attack is when a threat actor takes compromised credentials (username/password) stolen from one place and then uses them to gain access to another application/website.
For example, say you use the same password for your email account and an online store. Your email provider has a data breach that includes your username and password. Now a threat actor can gain access to your online store account because it uses the same username/password combination.
There have been several instances of credential stuffing attacks over the past few years on major websites. While threat actors are gaining access to accounts of particular companies, often the finger is pointed at the company when it was actually the poor security practices of the customer that resulted in access. In 2019, Ring[.]com implemented two-factor authentication (2FA) requirements after its platform was hit by a credential stuffing attack that gave threat actors access to camera systems where credentials had been compromised and 2FA was not enabled.
In 2020, music streaming platform Spotify had more than 300,000 user accounts affected by a credential stuffing attack, and the company forced users to reset their passwords to try to cut off the attack.
According to Okta, 34% of account logins are attempted credential stuffing attacks, and the company recorded more than 10 million such events in just 90 days at the beginning of 2022.
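From the defender’s side, the pattern described above (one breached list replayed across many accounts) shows up in login telemetry as a single source trying many distinct usernames with a high failure rate, which is quite different from a legitimate user mistyping their own password. The following is an added example, not code from the original post; the log format, the thresholds and the sample log lines are constructed for illustration.

```python
# Toy credential-stuffing detector over auth logs. Added example, not from
# the original post; log format, thresholds and sample lines are constructed.
from collections import defaultdict
import re

# Constructed sample log lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 203.0.113.7 alice FAIL
2022-03-01T10:00:02Z 203.0.113.7 bob FAIL
2022-03-01T10:00:02Z 203.0.113.7 carol FAIL
2022-03-01T10:00:03Z 203.0.113.7 dave FAIL
2022-03-01T10:00:03Z 203.0.113.7 erin SUCCESS
2022-03-01T10:00:04Z 203.0.113.7 frank FAIL
2022-03-01T10:05:00Z 198.51.100.2 alice FAIL
2022-03-01T10:05:10Z 198.51.100.2 alice FAIL
2022-03-01T10:05:30Z 198.51.100.2 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def summarize_by_source(log_text):
    """Per-source counts of attempts, failures, successes, distinct users."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "successes": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        _ts, src, user, outcome = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "FAIL":
            s["failures"] += 1
        else:
            s["successes"] += 1
    return stats

def flag_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Flag sources trying many distinct accounts with mostly failures.
    A user mistyping their own password hits one account; a stuffing tool
    replays a breached list across many accounts, so most attempts fail."""
    flagged = []
    for src, s in summarize_by_source(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append((src, len(s["users"]), s["successes"]))
    return sorted(flagged)
```

On the constructed sample, only 203.0.113.7 is flagged (six accounts tried, one success), while 198.51.100.2 looks like one user retrying their own password. The one success on the flagged source is the account worth forcing a reset and MFA enrolment on.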
What To Do?
There are two things that each and every one of us can do to stop credential stuffing attacks.
The first step is to use strong, unique passwords for every application/website. I know that is often easier said than done with many of us managing an average of more than 20 different logins. If anything, start with the truly critical and sensitive accounts like your email, work account, banking, healthcare, and online retailers.
The second step you can take to defeat credential stuffing attacks is to enable multi-factor authentication (MFA). For the regular user, despite the criticisms of it, MFA using SMS will be sufficient for securing bank accounts, etc. For those who are comfortable, a better option is an authenticator app on your mobile device.
I suppose there is one more thing that I could recommend, and that is to look into using a password manager. There are many options out there that provide secure and easy ways to store and retrieve the plethora of passwords you’ll need to manage if you use strong, unique passwords for everything.