While data breaches might be a heist best left to the experts, credential stuffing is a poor-man’s sport. And it’s a pretty popular game. In a 2020 report, RSA recognized it as “gaining tremendous momentum” and cited the then-recent breaches (Marriott, Capital One, Equifax) as providing the fodder used in those attacks – your usernames and passwords. Credential Stuffing Attacks (CSAs) complete the cycle, really. What good is a data breach if you don’t utilize the data? Credential stuffing uses (and overuses) the contraband credentials to try to access other accounts of yours – assuming you use the same password.
Called “the most popular way to obtain compromised credentials for account takeover,” CSAs are ubiquitous enough to require you to take action or eventually risk being a victim. Coming in all varieties, CSA entrepreneurs have their specialties – some to take over accounts, other to steal data, but their attacks are non-discriminating. So, at the risk of making this an effective “how-to” manual for rookie threat actors, let’s delve into the basics of what constitutes the increasingly popular credential stuffing attack – and how to avoid it.