Credential stuffing is a term you may not have heard before. That doesn't mean you haven't already been the target of one of these large-scale, often successful cyberattacks. Here is how this type of attack works and how to defend yourself.
What does "credential stuffing" mean?
Cyberattacks come in many forms, ranging from very easy to very hard. Social engineering attacks are the simplest: attackers use communication skills and people's trust to get their hands on credentials and other private data.
More complex cyberattacks require the attacker to get past more than one layer of security, steal data, and then process it further. Credential stuffing starts at that processing step, typically with a list of logins or email addresses and the passwords that go with them. Here is how the attack works and how it can affect you.
Like many people who use the Internet, let's say you have a lot of accounts for different services. You might have a few "important" logins that are very valuable, like your email, bank, or other accounts. You might also have a lot of low-value logins, like one for a car forum that you have only used a few times over the years, or an account you made on a site that gives coupons.
Most of the time, bank and email service systems are well secured. Sensitive information is kept safe, and it's not likely that someone will hack into a bank or email provider and get all of the usernames and passwords. You can't say the same thing about a coupon site or a car forum.
If someone breaks into these sites and steals all the user data, what will happen?
Hackers will get your password, username, and email address. After stealing the information, they feed it into automated systems that try to log in to thousands of services to see which ones the credentials work for.
Using the same username, email address, and password for multiple sites is a bad habit. A data breach on a small forum could give attackers access to all the important services you use, like banking and email.
In the real world, this is like using the same key for every door. If you lose your key or someone makes a copy of it, they will have a key that works for your home, car, office, safe, gym locker, and so on. That is exactly why we don't use the same key for everything.
How can I keep myself safe from this kind of fraud?
When compared to more complex cyberattacks, credential stuffing is very common and easy to do. Luckily, it is also very easy to stop. Let's look at ways you can protect yourself from these kinds of attacks.
- Make passwords that are hard to guess.
This is standard cybersecurity advice, and you'll hear it over and over again because it's true. Having a separate key for each door is the best way to get around the "one key for all doors" problem.
If you've had the same password for 10 years, now is a good time to change it. Each site and service needs its own password that can't be used on any other site or service.
- Keep track of your passwords.
Without tools to help you, it's hard to remember complicated, one-of-a-kind passwords for dozens or even hundreds of services. Use a password manager to keep track of them. Create one strong, hard-to-guess password that you can remember for getting into the manager, and then use the manager to generate strong passwords for everything else.
A good password manager can not only make complex passwords for you, but it can also add them to websites automatically and keep them up to date. In addition, some managers may check passwords for security holes.
- Turn on two-factor authentication.
A lot of people don't use multi-factor authentication (MFA) because they don't want to go through extra steps every time they log in to a website. Even though it can be inconvenient at times, multi-factor authentication is a good way to make your credentials even safer.
Even if you use the same passwords, credential stuffing won't work against an account that has multi-factor authentication turned on. Someone could steal your username and password from a website that isn't secure, but they wouldn't be able to get to your multi-factor authentication app, phone, or other tools for authentication.
Delete accounts you don't use so there is less for someone to hack. That's not possible? Then log in and change your password (with a password manager, of course). This way, if an unused service is hacked, the only thing that gets out is a unique, hard-to-crack password that can't be used anywhere else.
- Use a service that gives you alternative email addresses (aliases).
With aliases, you can make as many email addresses as you want without having to register your main email address on each site. This way, you can keep your real email address secret and give each site its own unique address.
You can protect your privacy with an email alias service, and it will also keep you from getting spam. Also, hackers won't be able to see your real address if the site where you registered an alias is hacked. Instead of your real email address, which could contain your first name, last name, and birth year, hackers will see something like "email@example.com". This can't be used to steal your credentials.
However you approach the problem, don't forget the first and most important tip we gave you. The best way to protect yourself from credential stuffing is to use a complex password that is different for each service. It's best to start using unique passwords right away.
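
The points above about reused credentials, multi-factor authentication and email aliases can be checked against your own list of accounts. The following Python sketch is an added example, not part of the original article: the Account fields, site names and passwords are constructed sample data, and it assumes attackers replay the exact login and password pair leaked from one site.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    site: str
    login: str          # email address or username registered on the site
    password: str
    mfa: bool = False   # True if multi-factor authentication is enabled

def blast_radius(accounts, breached_site):
    """Sites where the login/password pairs leaked from breached_site still work."""
    leaked = {(a.login.lower(), a.password)
              for a in accounts if a.site == breached_site}
    exposed = []
    for a in accounts:
        if a.site == breached_site:
            continue
        # Assumption: the attacker replays the exact leaked pair. With MFA the
        # password is still known to the attacker, but the login is not completed.
        if (a.login.lower(), a.password) in leaked and not a.mfa:
            exposed.append(a.site)
    return sorted(exposed)

def reuse_report(accounts):
    """For every site, list the other sites its breach would expose."""
    return {a.site: blast_radius(accounts, a.site) for a in accounts}

# Constructed sample data: one reused password, one alias, one unique password.
ACCOUNTS = [
    Account("car-forum.example", "pat@example.com", "Summer2014!"),
    Account("coupons.example", "pat@example.com", "Summer2014!"),
    Account("bank.example", "pat@example.com", "Summer2014!", mfa=True),
    Account("mail.example", "pat@example.com", "Summer2014!"),
    Account("shop.example", "shop.k3x@alias.example", "Summer2014!"),
    Account("photos.example", "pat@example.com", "v9#Lq2-unique-per-site"),
]

if __name__ == "__main__":
    for site, exposed in reuse_report(ACCOUNTS).items():
        print(f"{site}: breach exposes {exposed or 'nothing else'}")
```

In this sample, a breach of the car forum exposes the coupon site and the email account, while the bank (MFA), the shop (alias) and the photo site (unique password) stay out of reach.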