Credential stuffing is a cyberattack approach that uses stolen account credentials – typically usernames and passwords – to hack into online accounts by “stuffing” the stolen credentials into the login pages of other online services. Credential stuffing is performed in a large-scale automated fashion, and it has become one of the most common causes of data breaches.
Considering that a recent Google survey found that at least 65% of people reuse passwords across multiple sites, these stolen credentials are an asset for the cybercriminal, who knows there is a good chance they will unlock a variety of online accounts. Today, billions of compromised credentials are available on the dark web, and as the incidence of cybercrime continues to grow, the volume of stolen credentials available to criminals will only expand.
Credential stuffing relies on automation to “stuff” millions of credentials into thousands of sites. The tools and services needed to automate a credential stuffing attack can incorporate “proxy lists” to make malicious access requests look like they’re coming from different IP addresses. They can also make access requests appear to be coming from a diverse set of browsers. There are even credential stuffing tools that will fool Captchas.
What Should You Do?
Well, the answer is easy – USE UNIQUE PASSWORDS! Don’t use the same password across multiple accounts and change your passwords regularly. If this sounds like a hassle, then try using a password manager. There are lots of good password managers out there and they’re easy and convenient to use. Additionally, turn on multi-factor authentication wherever you can.
From an organizational standpoint, make sure your dealership implements the proper cybersecurity defenses to enable your IT/cybersecurity team to detect things like thousands of malicious login attempts from a wide range of IP addresses, all in a short period of time. Also, make sure that when you detect such activity you have the resources and processes in place to stop the credential stuffing attack and quickly reset any account passwords that may have been compromised. Your dealership may also consider trying passwordless authentication. With passwordless authentication, you rely on a one-time code that is sent to you via email or SMS to log in to an account. This code serves as your one-time, unique password.
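As an added illustration of the detection the paragraph above calls for (example code, not from the original article), the following Python buckets a constructed authentication log into fixed five-minute windows and flags a window only when failed logins are spread across many source IPs and many usernames, so a burst against a single user from one address does not fire. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log, "<timestamp> <result> <username> <source_ip>":
# a 10:00 burst spread over many users and IPs, then an 11:00 burst of one
# user from one IP (a different pattern that this rule deliberately ignores).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL alice 203.0.113.10
2024-03-01T10:00:02Z FAIL bob 203.0.113.11
2024-03-01T10:00:02Z FAIL carol 198.51.100.7
2024-03-01T10:00:03Z OK dave 192.0.2.44
2024-03-01T10:00:04Z FAIL erin 203.0.113.12
2024-03-01T10:00:05Z FAIL frank 198.51.100.8
2024-03-01T10:00:06Z FAIL grace 203.0.113.13
2024-03-01T11:00:01Z FAIL alice 192.0.2.44
2024-03-01T11:00:02Z FAIL alice 192.0.2.44
2024-03-01T11:00:03Z FAIL alice 192.0.2.44
2024-03-01T11:00:04Z FAIL alice 192.0.2.44
2024-03-01T11:00:05Z FAIL alice 192.0.2.44
"""

def parse_line(line):
    """Split one log line into (aware UTC datetime, result, username, ip)."""
    ts, result, user, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, result, user, ip

def detect_credential_stuffing(log_text, window_seconds=300,
                               min_failures=5, min_ips=4, min_users=4):
    """Flag fixed windows where failed logins spread across many IPs and many users."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, result, user, ip = parse_line(line)
        if result == "FAIL":
            bucket = int(when.timestamp()) // window_seconds * window_seconds
            buckets[bucket].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        fails = buckets[start]
        ips = {ip for _, ip in fails}
        users = {user for user, _ in fails}
        if len(fails) >= min_failures and len(ips) >= min_ips and len(users) >= min_users:
            alerts.append({"window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                           "failures": len(fails), "distinct_ips": len(ips),
                           "distinct_users": len(users)})
    return alerts
```

Tune the window and thresholds to your own login volume; the distinct-IP and distinct-user requirements are what separate this pattern from an ordinary lockout-style burst against one account.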