Credential Stuffing

A cyber attack where stolen account credentials are used to gain unauthorized access to user accounts.

Description

Credential stuffing is a type of cyber attack where attackers use stolen username and password pairs to access various online accounts. This method exploits the common practice of users reusing login credentials across multiple services. In the context of Single Sign-On (SSO) protocols, which allow users to log in to multiple applications with one set of credentials, credential stuffing poses a significant risk. If an attacker acquires a valid username and password from a data breach, they can attempt to use those credentials across numerous sites that utilize SSO. This can lead to unauthorized access to sensitive information, financial data, and personal accounts. Companies may implement security measures like multi-factor authentication (MFA) to mitigate the impact of these attacks. However, users must also be vigilant by ensuring they use unique passwords for different services to reduce the likelihood of falling victim to credential stuffing.

Examples

  • In 2019, the online gaming platform Epic Games experienced a credential stuffing attack that compromised thousands of accounts.
  • In 2020, attackers used credential stuffing on the online retail giant Shopify, leading to unauthorized transactions for some merchants.

Additional Information

  • Using a password manager can help users create and store unique passwords for each service to avoid credential stuffing.
  • Implementing rate limiting on login attempts can help prevent attackers from executing mass login attempts.

References