Cybersecurity alert: credential stuffing

04/06/2021 Terry Inskip 5 min read

Why reusing login credentials on a variety of webpages is a very bad idea.

What is credential stuffing?

Even if it was only because the title piqued your interest, we’re happy you’re here, because we want to warn you about the latest in personal cybersecurity attacks: one that comes from you reusing login credentials. It’s such an important topic that we believe it’s worth its own article.

We all did it, especially in our early days of creating online accounts. We all made that password (or even more than one!) that combines:

  • The name of a pet, a friend or a relative;
  • Two or three super easy digits, something like a year or, easier yet, 001, 100 or even the all-time favorite 123; plus
  • One of those symbols that online systems always want us to use, like ¡”#%&()/?
And we were so proud of ourselves when the system told us it was a strong password. Truth be told, in their day those passwords were indeed very safe; that’s likely why we felt we could use them easily on a variety of webpages.

A variety of webpages

We all have one or more of these passwords that we have been using for years now on various webpages. When we forget the login credentials on a page we seldom visit, we always try these passwords first, before we have to click that “forgot password” button. Because it’s easy and it works often, right?

The root of the problem

Credential stuffing comes precisely from that bad habit of ours, one that over 80% of web users have* had at some point. Reusing login credentials on a variety of webpages is a mistake that cybercriminals are cashing in on right now.

Unravelling a person’s identity

Let’s imagine Anthony, whose password is “Max123?” because Max is his dog’s name. Anthony has used that password for the following:
  • In 2016 he created a profile on his favorite online newspaper so he could get a few free articles a month.
  • In 2017, because everyone at work was doing it, he created a LinkedIn account; he forgot about that because he had a great job.
  • He signed up on a forum for model airplane builders in 2018.
  • In 2020, he created an account at his alma mater to request transcripts and a copy of his diploma.

Pandora’s Box

A hacker breaks into the model airplane aficionados’ forum and steals everyone’s credentials. He uses specialized software to test those credentials on a bunch of other webpages; this is what is commonly referred to as credential stuffing. Because the process is automated, the hacker can afford to check thousands upon thousands of websites. This is what he obtains using Anthony’s login credentials:
  • His full name and date of birth (he gets that from the newspaper site).
  • His previous address, phone number and work history from LinkedIn, as well as his photo.
  • Anthony’s current address, tax ID number and full information on his college history.
  • Full information on two bank cards: Anthony’s debit card that he’s had since 2020 and that he uses to pay a quarterly subscription at the newspaper these days; and his credit card, which he used to pay for his transcripts and diploma.
  • Several answers to Anthony’s standard security questions on the various web portals the hacker was able to access.
The hacker puts the login credentials and personal information, not just Anthony’s but everyone else’s too, up for sale on the dark web for about $10 per person. Within a month Anthony has unauthorized purchases on his credit card and checking account. When he goes to set a fraud alert on his credit report, he finds a couple of loans in his name that are not his: he is also the victim of identity theft.

Statistics

This is happening worldwide every day. An in-depth report from F5, a global enterprise dedicated to application delivery networking and app security,** indicates:
  • The number of successful cyberattacks involving credential theft doubled between 2016 and 2020.
  • Both companies and organizations are failing to detect these intrusions, taking on average 327 days to detect them.
  • In 2017 credential theft affected 17 million individuals.

An important lesson

As you can see, the use of strong, exclusive passwords is the key to protecting yourself from identity theft and fraud in general. We urge you to take action now:
  1. Examine all the passwords that you know you use on several webpages, and visit those pages to change each one to a unique, strong password.
  2. Use your browser’s built-in password manager to assist you: Safari, Chrome and Firefox all have integrated password managers. Another option is to use the one that comes built in with your antivirus software.
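
One way to carry out step 1 is to check a password manager's CSV export for passwords shared across sites. The script below is an added example, not part of the original article; the sample data is constructed from the Anthony scenario, the hosts are placeholders, and the `url`, `username` and `password` column names are an assumption about the export format.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export modelled on the Anthony scenario; hosts are
# placeholders and the column names are an assumption about the export.
SAMPLE_EXPORT = """url,username,password
https://news.example/login,anthony@mail.example,Max123?
https://www.linkedin.example/signin,anthony@mail.example,Max123?
https://forum.modelplanes.example/,anthony,Max123?
https://alumni.university.example/portal,anthony@mail.example,Max123?
https://bank.example/login,anthony,c8!Vq2#rLw9zTe
https://news.example/account,anthony@mail.example,Max123?
"""

def find_reused_passwords(csv_text):
    """Return [(fingerprint, sorted_hosts)] for passwords used on 2+ sites.

    The fingerprint is a truncated SHA-256 used only as a label, so the
    report never displays a password itself.
    """
    hosts_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        host = urlsplit(row.get("url") or "").hostname
        if not password or not host:
            continue  # skip incomplete rows rather than guessing
        hosts_by_password[password].add(host.lower())

    reused = []
    for password, hosts in hosts_by_password.items():
        if len(hosts) > 1:  # two pages on one site do not count as reuse
            digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
            reused.append((digest[:8], sorted(hosts)))
    # Most widely reused password first: change that one before the others.
    reused.sort(key=lambda item: (-len(item[1]), item[0]))
    return reused

if __name__ == "__main__":
    for fingerprint, hosts in find_reused_passwords(SAMPLE_EXPORT):
        print(f"password #{fingerprint} is shared by {len(hosts)} sites:")
        for host in hosts:
            print(f"  change it on {host}")
```

An export file holds every saved password in plain text, so delete it as soon as the check is done.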
 

* Study by SecureAuth in 2017: https://www.secureauth.com/resource/infographic-poor-password-habits/

** 2021 Credential Stuffing Report: https://www.f5.com/labs/articles/threat-intelligence/2021-credential-stuffing-report
