What is a credential stuffing attack?

Did you know that there was over $500 million dollars of consumer loss for data breaches in 2023? (According to the 2023 IC3 annual report.)  

One way cybercriminals can gain access to accounts during a data breach is by using credential stuffing attacks. Credential stuffing or stealing attacks use stolen usernames and passwords to attempt to take over a user’s account. This process is repeated over and over while cybercriminals try to find a successful match in order to takeover an account.    

Process of a credential stuffing attack 

Red flags 

• Watch for any type of suspicious login activity 
• Notice any unusual account lockouts 
• Receive multiple authentication attempts to approve a device when you are not trying to access the account 

How to minimize risk 

• Never reuse the same password 
• Use multi-factor authentication 
• Use a password manager 

Potential business implications 

• Financial loss 
• Organization's reputation damage 

Credential Stuffing Attacks in the News 

Chick-fil-A
PetSmart

Reporting Crimes 

Report all crimes to your local police department and to the following agencies:

• Michigan Cyber Command Center (MC3)
• Internet Crime Complaint Center (IC3)

How LaScala Can Help 

Contact us today at sales@lascala.com and get started on proactive threat hunting, security awareness training, and more security protection.  

Sources 

1 - Internet Crime Complaint Center (IC3): https://www.ic3.gov/
2 - Fortinet: https://www.fortinet.com/resources/cyberglossary/credential-stuffing
3 - Proofpoint: https://www.proofpoint.com/us/threat-reference/credential-stuffing 

Disclaimer  

Please respect all trademarks mentioned in this document as their respective owners.