Around 5 billion stolen credentials are up for grabs, according to security researchers who monitor the dark web. These credentials, many of which come from data breaches, are exploited by numerous cybercriminals.
Cybercriminals know that many people reuse their passwords, so they use the stolen usernames and passwords in credential stuffing attacks. In this type of attack, hackers use botnets to test stolen credentials on various websites in hope that they find a match and gain access. This automated testing is done slowly using many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.
Credential stuffing attacks are proving to be particularly problematic for companies. They are now the single largest source of account takeovers on web and mobile apps, according to one 2017 study.
There are several measures you can take to protect your business from credential stuffing attacks. For starters, let your employees know about the dangers of reusing passwords. Encourage them to create a unique password for not only their business accounts but also their personal ones. That way, if one of their personal account passwords is stolen in a data breach, hackers won’t be able to use it to access your company’s accounts.
Another way to protect your business is to set up two-step verification systems for your business’s web and mobile apps. With two-step verification, people need to provide an additional piece of information to log in, such as a one-time security code. Also encourage employees to use two-step verification for personal online accounts when possible. Many cloud service providers, retailers, and financial institutions now provide this functionality.
Finally, you might consider using a credential validation service (e.g., EyeOnPass). Each time someone tries to register, log in, or change their account password, the service checks the password against a database of known compromised credentials. If found in the database, the person is informed and required to change their password.