Frequent data breaches and the widespread availability of automated tools to take advantage of the compromised information have greatly increased the efficiency of credential stuffing attacks, according to Sumit Agarwal, COO of Shape Security and former US Deputy Assistant Secretary of Defense.
In an interview with TechRepublic, Agarwal explained that credential stuffing is the use of stolen credentials to launch automated attacks against login forms. There are billions of stolen credentials for sale on the dark web. Since most people reuse passwords, the attackers have a good chance of finding another account that uses that same credentials.
Agarwal noted that all organizations can be vulnerable to credential stuffing, since they have no control over which passwords their employees use on other platforms.
“The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing,” Agarwal said. “The vulnerability is simply having a login form and having users.”
Agarwal said the first thing organizations need to do is realize they’re probably already facing credential stuffing attacks. They should therefore be monitoring accounts for brute forcing attacks and unusual login patterns. Organizations should also encourage their employees to use password managers rather than using the same password across many different accounts. New-school security awareness training can teach your employees about the ways they can be targeted by attackers and how to defend themselves and their organization.
TechRepublic has the story: https://www.techrepublic.com/article/how-credential-stuffing-attacks-work-and-how-to-prevent-them/
Here's how it works:
