Credential stuffing has been around for a while, and it is exactly what it sounds like: an attack in which hackers replay a cache of compromised usernames and passwords against a system, betting that users have reused the same credentials elsewhere. However, hackers have recently found ways to make it more effective, chiefly through artificial intelligence (AI), which allows for a far more algorithm-driven strategy.

These attacks are on the rise in part because hackers now have AI-driven tools. The 2024 Verizon Data Breach Investigations Report (DBIR) states that external actors perpetrated 83 percent of breaches, and that 49 percent of those breaches involved the use of stolen credentials.

Cybercriminals often obtain lists of usernames and passwords on the dark web or as a by-product of a previous cyber-attack. For example, www.HaveIBeenPwned.com has tracked over 8.5 billion compromised credentials from over 400 data breaches.

Notable attacks

Some notable, recent credential stuffing attacks include:

  • Dunkin’: Dunkin’ and its customers were victims of many credential-stuffing attacks beginning in 2015. New York State sued the doughnut and coffee chain, and now Dunkin’ will be required to maintain safeguards to protect against similar attacks in the future. They will also have to follow incident response procedures when an attack occurs and pay $650,000 in penalties and costs to the state of New York.
  • Norton: In January 2023, Norton Lifelock Password Manager was hit with a brute-force credential stuffing attack. Threat actors used stolen credentials to log into customer accounts and access their data. Over 925,000 people were targeted in this attack.
  • Hot Topic: American retailer Hot Topic disclosed in March 2024 that two waves of credential stuffing attacks in November 2023 exposed affected customers’ personal information and partial payment data. The Hot Topic fast-fashion chain has over 10,000 employees in more than 630 store locations across the U.S. and Canada, the company’s headquarters, and two distribution centers.
  • Roku: Roku warned in April 2024 that 576,000 accounts were hacked in new credential stuffing attacks after disclosing another incident that compromised 15,000 accounts in early March of 2024. The company said the attackers used login information stolen from other online platforms to breach as many active Roku accounts as possible in credential-stuffing attacks.

These are just a handful of high-profile examples. Most credential-stuffing attacks occur outside of the media glare, day after day, in offices and enterprises worldwide.

MSPs can prevent and mitigate credential stuffing

Experts offer a variety of advice for managed service providers (MSPs) to follow when it comes to warding off credential-stuffing attacks.

Nametag CEO Aaron Painter tells SmarterMSP.com that basic cyber hygiene is the best defense.

“MSPs should help their clients implement a layered approach to account security, which includes phishing-resistant multi-factor authentication (MFA) protected by a secure account recovery experience,” Painter explains, adding that MFA has to be part of a holistic package of protections.

“It doesn’t matter if you use the strongest form of MFA if bad actors can simply exploit the reset process or socially engineer your helpdesk,” says Painter.

MSPs deliver tremendous value to their clients by recommending easy-to-implement helpdesk verification and account recovery solutions that use verification factors resistant to phishing, interception, and AI-generated deep fakes.

Education and strong password practices are key

Meanwhile, Yashin Manraj, CEO of Pvtol, said that most credential stuffing mitigation comes down to user training.

“Despite the exponential increase in data breaches and leaked username and password pairs, credential stuffing is only a successful methodology because of poor training, cybersecurity hygiene, and personal convenience in recycling passwords,” Manraj says. He also says it is important for MSPs to regularly monitor breached datasets and run appropriate tests and scans to identify potentially vulnerable credentials preemptively.
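One concrete way to "identify potentially vulnerable credentials preemptively" is to check a password against a breached-credential corpus at the moment it is set, without ever sending the password itself off the box. The example below is added here and is not code from the article, from Pvtol or from Have I Been Pwned; it models the hash-prefix (k-anonymity) range-query pattern with a constructed, stand-in corpus of three leaked passwords, and both the server and client sides are assumptions written for this illustration.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a breached-credential corpus (not real breach data):
# plaintext passwords observed in leaks, with how many times each appeared.
BREACHED_PASSWORDS = Counter({
    "password1": 3,
    "Summer2024!": 1,
    "letmein": 2,
})

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that are allowed to leave the client


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every hash by its 5-char prefix so that a range query
    returns all suffixes in the bucket, not just the one being asked about."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


class RangeServer:
    """Hypothetical range-query service standing in for a real breach-data API."""

    def __init__(self, index):
        self.index = index
        self.received = []  # everything the server actually learned, for auditing

    def query(self, prefix):
        if len(prefix) != PREFIX_LEN:
            raise ValueError("only a hash prefix may be sent")
        self.received.append(prefix)
        bucket = self.index.get(prefix, {})
        return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password, query):
    """Client side: send only the prefix, then compare suffixes locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password, query, min_length=8):
    """Policy hook for a password-change or onboarding flow: reject short
    passwords and anything already present in breach data."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password, query)
    if n:
        return False, f"seen {n} time(s) in breach data"
    return True, "ok"


if __name__ == "__main__":
    server = RangeServer(build_range_index(BREACHED_PASSWORDS))
    for pw in ("password1", "Summer2024!", "correct horse battery staple"):
        print(pw, "->", password_acceptable(pw, server.query))
    print("server saw only prefixes:", server.received)
```

The point of the split between `RangeServer.query` and `breach_count` is that the service never learns which hash the client cares about: it sees a five-character prefix shared by every password whose SHA-1 starts the same way, and the comparison happens on the client. Running the same check over a real corpus only requires swapping the constructed `BREACHED_PASSWORDS` for a real range source.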

Manraj adds, “Most modern practices involve halting active sessions and access before forcing a password reset before users can resume access.”

Marin Cristian-Ovidiu, CEO of Onlinegames.com, says unique passwords are the key to walling off a credential-based attack. “One practical approach we’ve championed is the use of unique passwords for each site. This strategy effectively minimizes risk. If one password falls into the wrong hands, it won’t compromise your other accounts,” he says. He goes on to emphasize that such basic but vital practices keep digital invaders at bay and safeguard users’ online presence.

Strengthening defenses against credential-stuffing attacks requires a comprehensive strategy that combines robust security measures, user education, and proactive monitoring. By implementing these practices, MSPs can significantly enhance their clients’ cybersecurity posture and reduce the risk of breaches.

Photo: February_Love / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.