In December 2022, Norton users were put on high alert after threat actors compromised the security application with a credential-stuffing attack. Norton’s security team locked down about 925,000 accounts after detecting a suspicious flurry of login attempts from Norton Password Manager users.

After the investigation, news broke that the cyber criminals successfully cracked the codes to “thousands of accounts,” which put the personal information of the users at risk.

Credential stuffing attacks make up 34% of all login attempts, as malicious actors attempt to take over your account. But just how does it work, and what can we do to stop these campaigns? Let’s find out.

What is a credential stuffing attack, and how does it work?

Credential stuffing is a common cyberattack where actors use automated software to rapidly test lists of stolen login credentials to gain unauthorized access to online accounts.

So, how does credential stuffing work? Attackers take the following steps:

  1. Buy or download a list of usernames and passwords from the dark web. These data sets are sold on illicit marketplaces after a data breach.
  2. Set up automated bots to attempt logins to multiple user accounts. The bots can evade detection by masking their IP addresses.
  3. Gain access to accounts whenever the bots find a match. At that point, the attackers can steal personal information, like credit card numbers or social security numbers.
  4. Monitor the bots as they try successful password combinations to access other accounts. As 65% of people rely on the same password for multiple accounts, there is a high chance of cracking multiple accounts with the same password pair.

What’s the difference between credential stuffing and brute force attacks?

A brute force attack is another attack method with a few subtle differences from credential stuffing.

In credential stuffing, attackers make login attempts using leaked or stolen password data from real accounts. But in brute force attacks, attackers attempt logins by guessing commonly used passwords and dictionaries of common passphrases.

Also, credential-stuffing threat actors know they have genuine credentials and simply need to find a matching account. Whereas anyone trying a brute force attack won’t have any context about the correct credentials of the targets.

For that reason, brute-force attacks rely on blind luck or easy-to-guess passwords. Credential stuffing is a numbers game, but with automation, it can be highly profitable.

What are the consequences of credential stuffing?

For consumers who fall victim to credential stuffing attacks, there is a real risk the perpetrators could steal sensitive data, damage their financial reputation and target them with identity theft.

Here are six things to be aware of if you’re targeted by credential stuffing:

  1. Compromised accounts. If threat actors gain access, they could install spyware, steal or destroy data or impersonate the account holder to send spam or launch phishing attacks on other targets.
  2. Data leaks. Many attackers try to break into financial institutions or high-value government targets, as they can sell the data on illicit online marketplaces to identity thieves and gangs with political aims.
  3. Account lockouts. After too many failed login attempts, your account’s security system could lock you out. This may disrupt your business or restrict access to key accounts like email or banking.
  4. Ransomware demands. State-sponsored hacking groups may take control of a critical infrastructure facility or large enterprise to demand a ransom payment.
  5. Increased cybersecurity risks. Stolen user credentials can be used for future attacks, which puts victims and any closely related parties at greater risk after the initial breach.
  6. Negative impact on business reputation. Consumer trust will take a nosedive if your company suffers a breach. When thousands or millions of users feel the threat to their private data, it can cost a company on the stock market. The average cost of a data breach was $4.35 million in 2022.

3 recent examples of credential stuffing

1. July 2022, A Major Outdoor Apparel Company

Cyber criminals used credential stuffing to target this outdoor recreation apparel company. The attack compromised almost 200,000 customer accounts, exposing details including names, phone numbers, gender, purchase history, billing addresses and loyalty points. Soon after, the company sent out notification letters about the data breach, urging customers to change their passwords.

2. December 2022, A Large Payment Processing Company

An attack impacted almost 35,000 user accounts of this payment processor. While some personal data was exposed, the company reported no unauthorized transactions but the attack exposed names, social security numbers and tax identification numbers.

3. January 2023, A Prominent Fast Food Chain

This fast food chain confirmed a breach that accessed over 71,000 customer accounts. Threat actors conducted a credential stuffing attack for several months, gaining access to use customers’ reward balances. The stolen data may also have included physical addresses and the last four digits of customer credit cards.

What can security teams do to stop credential-stuffing attacks?

2022 saw a 45% year-on-year growth of credential stuffing attacks in the financial sector. As thriving companies build their platforms and attract more users, the potential gains become more tempting for nefarious cyber criminals.

Here are six steps security teams can take to combat this threat:

1. Implement multi-factor authentication (MFA).

By adding an extra layer of security to user accounts, you make it harder for threat actors to gain access. Even if someone has the right credentials, it’s unlikely they will also have your phone, hardware key or biometric data. Companies that use MFA internally can lock down their systems against credential stuffing.

2. Use password managers.

While there have been a few breaches at popular password managers lately, these applications remain a staple of modern digital security. Instead of relying on memory or simple, easy-to-guess passwords, everyone can use password managers to create and store long, unique, complex codes for every account and device.

3. Encourage better password practices.

Educating users with online content is good, but security teams must practice what they preach to protect consumer data. A proactive approach to eliminate password reuse, sharing codes or writing login information down on paper will reduce the chance of insider attacks.

4. Watch out for unusual behavior around login attempts.

A consistent monitoring approach can foil fraud. When you notice a sudden spike in login attempts or unusual patterns, you can block the IP address and warn legitimate users about the attempted hack. Encouraging compromised account owners to update their passwords will help break the attack lifecycle.

5. Use rate-limiting.

Another defensive mechanism is rate-limiting, which stops malicious bots from making too many login attempts in a short period. This security feature will stall progress on automated attacks and often thwart the actor’s ability to exploit an account or overwhelm the network with a Denial of Service (DoS) campaign.

6. Monitor the dark web.

Collection #1-5 contains 22 billion usernames and passwords, many of which are easily crackable with attacker dictionaries. To stay one step ahead of emerging cyber threats, your team should monitor the dark web for such collections and reinforce vulnerabilities before an attack happens.

Security teams must protect and educate users

Malicious actors can build an army of automated bots that run thousands or millions of fraudulent login requests a day. Auth0 detected almost 300 million credential stuffing attempts per day in early 2022.

To combat this growing threat, users must embrace good password practices and reliable password managers. But the real responsibility for data protection lies with website security teams and app providers.

If your team is going to disrupt the attack cycle and keep threat actors at bay, you need a multi-faceted approach that combines robust access control, threat monitoring and rate-limiting safeguards. Ultimately, the strongest defense is built on education and a culture of security.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today