Credential Stuffing Prevention — 12 Top Tips For Securing You And Your Business
Published Jun 2020
Credential stuffing’s popularity rose dramatically in 2018 — in fact, Akamai recorded nearly 30 billion credential stuffing attacks in 2018 — and businesses certainly haven’t seen the last of this type of cyber attack. For example, on 24 May 2019, a credential stuffing attack enabled criminals to access up to 139 million profiles on the popular graphic design platform, Canva. So businesses that take cybersecurity seriously need to protect against credential stuffing cyber attacks.
What is credential stuffing?
A credential stuffing attack is a type of brute force cyber-attack used to gain unauthorised access to one or more user accounts. Criminals use an automated system to enter large numbers of previously breached username and password pairs into website login fields to see if any of them match existing accounts. The attacker then hijacks any accounts they’re able to log into.
In most cases, the best way to deal with credential stuffing is to prevent it from happening in the first place.
How to prevent credential stuffing?
Businesses can prevent credential stuffing attacks in two main ways: they can ensure that their staff implement personal cybersecurity measures, and implement security measures for their business.
Personal cybersecurity measures
Every individual staff member should:
Use a unique password for every account they create on every website
A password manager can make this much easier because it means users only have to remember one password (the master password for their password manager). Many password managers also automatically create strong passwords.
One such password management solution is Dashlane, which is included as a complimentary value-added service in Chubb’s Cyber Enterprise Risk Management (Cyber ERM) policies.
Use multi-factor authentication (MFA) to protect accounts wherever possible
Companies like Facebook and Google add MFA to their users’ accounts so logging in using such accounts is good security practice.
Refrain from using their corporate email address to sign up for websites
Using corporate email addresses attracts unnecessary attention to the organisation and makes it harder to prove whether the employee or hacker was responsible for the actions taken while an account was compromised.
Company cybersecurity measures
Once all staff members are taking adequate security precautions, the risk of their credentials being stolen is significantly reduced. And if a set of credentials for one account is stolen, the damage will be reduced as well because it will be limited to a single account. Implementing the following proactive and reactive company cybersecurity measures will further reduce the likelihood that a business’s systems will be compromised by a credential stuffing attack.
Implement a MFA system
This includes requiring all employees and customers/clients to log into all company systems using MFA.
Perform an internet presence assessment to determine which corporate systems are visible from the internet. These are potential gateways to the organisation’s systems and should be monitored closely.
Perform security testing on all internet-connected systems including:
Virtual Private Networks (VPNs)
Protect all stored passwords with hashing so a data breach doesn’t reveal any actual login details.
Monitor for breaches including breaches where:
The business’/ employee’s credentials are stolen
Stolen credentials are used to fraudulently access the business’ accounts
Educate users about appropriate personal security measures such as using unique passwords across different websites etc.
Use web application firewalls that can help to monitor for attacks and identify breaches.
Monitor frequency of attacks
Systems that are attacked more often may warrant more stringent security measures
A sudden increase in cyber attacks on a given system may indicate there has been a breach somewhere
Develop an incident response plan and rehearse it frequently to ensure that all stakeholders are familiar with their roles and responsibilities in a breach.
These 12 tips were first shared during Chubb’s ‘Credential Stuffing Debunked’ webinar, by guest speaker, Jeremy du Bruyn, Practice Manager at Sense of Security Pty Ltd.
No part of this article may be reproduced in any written, electronic, recording, or printed form without written permission of Chubb.
@2022 Chubb. The contents of this document are for informative purposes only and do not constitute advice. Please review the full terms, conditions and exclusions of our policies to consider whether they are right for you. Coverage may be underwritten by one or more Chubb companies or our network partners. Not all coverages and services are available in all countries and territories. Chubb® and its respective logos, and Chubb. Insured.SM are protected trademarks of Chubb.