skip to main content

Credential stuffing prevention — 12 top tips for securing you and your business

12 top tips

Credential stuffing’s popularity rose dramatically in 2018 — in fact, Akamai recorded nearly 30 billion credential stuffing attacks in 2018 — and businesses certainly haven’t seen the last of this type of cyber attack. For example, on 24 May 2019, a credential stuffing attack enabled criminals to access up to 139 million profiles on the popular graphic design platform, Canva. So businesses that take cybersecurity seriously need to protect against credential stuffing cyber attacks.


What is credential stuffing?

A credential stuffing attack is a type of brute force cyber attack used to gain unauthorised access to one or more user accounts. Criminals use an automated system to enter large numbers of previously breached username and password pairs into website login fields to see if any of them match existing accounts. The attacker then hijacks any accounts they’ve been able to log into.

As is almost always the case, the best way to deal with credential stuffing is to prevent it from happening in the first place.


How to prevent credential stuffing

Businesses can prevent credential stuffing attacks in two main ways: they can implement security measures for their business, and ensure they and their staff implement personal cybersecurity measures.


Personal cybersecurity measures

Every staff member should:

  1. Use a unique password for every account they create on every website
    • A password manager can make this much easier because it means users only have to remember one password (the master password for their password manager). Many password managers also automatically create strong passwords.

    • One such password management solution is Dashlane, which is included complimentary in Chubb’s Cyber Enterprise Risk Management (Cyber ERM) policies.
  2. Use multi-factor authentication (MFA) to protect accounts wherever possible
    • Companies like Facebook and Google add MFA to their users’ accounts so logging in using such accounts is good security practice.
  3. Refrain from using their corporate email address to sign up for websites
    • Using corporate email addresses attracts unnecessary attention to the organisation and makes it harder to prove whether the employee or hacker was responsible for the actions taken while an account was compromised.


Company cybersecurity measures

Once all staff members are taking adequate security precautions, the risk that their credentials will be stolen is significantly reduced. And if a set of credentials for one account is stolen, the damage will be reduced as well because it will be limited to a single account. Implementing the following proactive and reactive company cybersecurity measures will further reduce the likelihood that a business’s systems will be compromised by a credential stuffing attack.

  1. Implement a MFA system. This includes requiring that all employees and customers/clients log into all company systems using MFA.

  2. Perform an internet presence assessment to determine which corporate systems are visible from the internet. These are potential gateways to the organization’s systems and should be monitored closely.

  3. Perform security testing on all internet-connected systems including Virtual Private Networks (VPNs).

  4. Protect all stored passwords with hashing so a data breach doesn’t reveal any actual login details.

  5. Monitor for breaches including breaches where:
    • The business’/ employee’s credentials are stolen

    • Stolen credentials are used to fraudulently access the business’ accounts
  6. Educate users about appropriate personal security measures such as using unique passwords on different websites.

  7. Use web application firewalls that can help monitor for attacks and identify breaches.

  8. Develop an incident response plan and rehearse it frequently to ensure that all stakeholders are familiar with their roles and responsibilities in a breach.


© 2022 Chubb. All rights reserved.

No part of this article may be reproduced in any written, electronic, recording, or printed form without written permission of Chubb.

Disclaimer - All contents of this article are intended for general information/guidance purposes only and not intended to be an offer or solicitation of insurance products or personal advice or a recommendation to any individual or business of any product or service. This article should not be relied on for legal advice or policy coverage and cannot be viewed as a substitute to obtaining proper legal or other professional advice, or for reading the policy documents. You should read the policy documents to determine whether any of the insurance product(s) discussed are right for you or your business, noting different limits, exclusions, terms and conditions apply in each country or territory, and not all cover is available in all countries or territories.

Contact us
Contact us

Have a question or need more information?

Contact us to find out how we can help you get covered against potential risks