Credential stuffing’s popularity rose dramatically in 2018 — in fact, Akamai recorded nearly 30 billion credential stuffing attacks in 2018 — and businesses certainly haven’t seen the last of this type of cyber attack. For example, on 24 May 2019, a credential stuffing attack enabled criminals to access up to 139 million profiles on the popular graphic design platform, Canva. So businesses that take cybersecurity seriously need to protect against credential stuffing cyber attacks.
A credential stuffing attack is a type of brute force cyber attack used to gain unauthorised access to one or more user accounts. Criminals use an automated system to enter large numbers of previously breached username and password pairs into website login fields to see if any of them match existing accounts. The attacker then hijacks any accounts they’ve been able to log into.
As is almost always the case, the best way to deal with credential stuffing is to prevent it from happening in the first place.
Businesses can prevent credential stuffing attacks in two main ways: they can implement security measures for their business, and ensure they and their staff implement personal cybersecurity measures.
Every staff member should:
Once all staff members are taking adequate security precautions, the risk that their credentials will be stolen is significantly reduced. And if a set of credentials for one account is stolen, the damage will be reduced as well because it will be limited to a single account. Implementing the following proactive and reactive company cybersecurity measures will further reduce the likelihood that a business’s systems will be compromised by a credential stuffing attack.
All contents of this article are intended for general information/guidance purposes only and not intended to be an offer or solicitation of insurance products or personal advice or a recommendation to any individual or business of any product or service. You should read your policy, including all attachments, for complete information on the coverage provided. Chubb has no obligation to provide any services for loss mitigation. The policyholder is under no obligation to contract for services with any of the Chubb pre-approved service providers. The selection of a particular service provider is the independent choice of the policyholder. Chubb is not a party to any agreement entered into between any service provider and the policyholder. It is understood that the service providers are independent contractors, and not agents of Chubb. Chubb assumes no liability arising out of any services rendered by a service provider. Chubb also assumes no liability arising out of a delay in user access to any service provider portal, or delay in services rendered by a service provider, during any complimentary trial period. Chubb shall not be entitled to any rights, or subject to any obligations or liabilities, set forth in any agreement entered into between any service provider and the policyholder. Any rights and obligations with respect to such agreement, including but not limited to billings, fees and services rendered, are solely for the benefit of, and borne solely by, such service provider and the policyholder, and not Chubb. Neither Chubb nor its employees or agents make any warranties or assume any liability for the performance of any service provider, including any goods or services received. Chubb does not endorse the service providers or their respective services. Before a policyholder engages with any cyber service provider, the policyholder should conduct its own due diligence to ensure the company and its services meet the policyholder’s needs.