The guess-and-grab threat of credential stuffing

Through credential stuffing, hackers can generate thousands of login attempts per minute using data taken from previous breaches.

In the age of remote work, credential stuffing attacks are becoming more commonplace. Once a database is breached, bots are programmed to automatically attempt username and password combinations. When attackers identify credentials that work, they can move through profiles and access valuable data, enabling a range of activities such as e-commerce fraud, corporate espionage and data theft.

One hacked password can give a cybercriminal global access

Password reuse is the number one cause of data breaches, which is exactly why credential stuffing attacks are so dangerous. As Google points out, 65% of people rely on the same password for all of their online accounts, so attackers can easily take advantage of one vulnerability to gain access to several accounts using stolen credentials.

It’s estimated that businesses lose an average of $6 million per year due to credential stuffing, most of which is caused by downtime, increased security costs and lost revenue. What’s more, regulators and victims are starting to shift the responsibility for credential stuffing attacks onto the businesses that suffer from them, resulting in fines and legal action.

Under GDPR (General Data Protection Regulation), European businesses are required to implement security measures to protect against data breaches and hacking attacks affecting customers’ sensitive personal data. Any company that falls victim to an attack is liable, and can be taken to court for not doing enough to protect data. Beyond the loss of customer trust, the financial ramifications of legal fees and settlement payments can cripple any business.

Solving the password problem

Most users know they shouldn’t use the same password on multiple sites, but they do it anyway because it’s challenging to remember so many different passwords. While password managers are proven to be effective, some users don’t like the idea of entrusting their passwords to a third-party service. Businesses that are serious about protecting their customers from the threat of credential stuffing will need to rethink their dependence on passwords to secure accounts.

Fortunately, there are options available that protect and fortify businesses against the threat of credential stuffing attacks.

Passwordless authentication

Passwordless authentication is a way of verifying users with something they have (like a phone or another account) or something they are (like biometrics) instead of a password, ensuring that only verified users can log into their accounts.

Multi-Factor Authentication (MFA)

An extra layer of security ensures that a user’s password alone cannot be used for hacking attempts, because the attackers won’t have access to the secondary authentication option, such as a one-time code sent to a device associated with the user, or biometric authentication such as facial recognition.

Credential hashing 

Credential hashing can protect against credential stuffing by hashing passwords before they’re stored in a database. This effectively scrambles a user’s passwords so that even if they’re stolen, an attacker won’t be able to use them. While this method can’t prevent a credential stuffing attack, it can limit what an attacker can do with those passwords.

Online Backup — the safety net

Generally, it’s not a question of if an attack will happen, but rather when, especially when it comes to access credentials. Businesses therefore increasingly need to look to the cloud and Online Backup as a way of fortifying critical data, using a premium cloud storage service that can keep all critical operational data safe if an attacker does gain access.

Arm your business against credential stuffing attacks

Using best practice authentication and encrypted Online Backup, businesses can significantly lower the risk of a credential stuffing attack. Adding multi-factor authentication, and using less vulnerable login procedures (such as advanced encryption), are steps that any business can take to ensure operational and customer safety.

CyberFortress has been helping millions of users around the world keep their data safe for more than two decades. It’s been able to do this using a highly-available, SSL-encrypted cloud storage service that’s separate from your production environment, allowing you to safely recover critical data with multiple copies in multiple locations.

Why not contact us and take advantage of a FREE system analysis from a global leader in online backup and data recovery service?
