How to Protect Your Business from Credential Stuffing Attacks

Posted by Chris Selby-Rickards on 19-Apr-2018 14:21:00

Around 5 billion stolen credentials are available on the dark web, and cybercriminals like to use them in credential stuffing attacks. Learn how credential stuffing attacks work and what you can do to protect your company from them.


Around 5 billion stolen credentials are up for grabs, according to security researchers who monitor the dark web. These credentials, many of which come from data breaches, are exploited by numerous cybercriminals.

Cybercriminals know that many people reuse their passwords, so they use the stolen usernames and passwords in credential stuffing attacks. In this type of attack, hackers use botnets to test stolen credentials on various websites in the hope of finding a match and gaining access. This automated testing is done slowly, from many different IP addresses, to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.
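As an added example (not from the original post), the Python below runs over constructed login events and shows why a per-address count of three failed logins misses this traffic, while an hourly site-wide count of failures, source addresses and usernames catches it. The event format, thresholds and function names are assumptions for illustration.

```python
from collections import Counter, defaultdict

PER_IP_THRESHOLD = 3  # per-address alert level used as the article's example

def build_sample():
    """Constructed events: (unix_time, source_ip, username, success)."""
    events = []
    # Bot traffic: 40 failures from 20 addresses, 2 per address, a new username each time
    for i in range(40):
        events.append((1000 + i * 60, f"198.51.100.{i % 20 + 1}", f"user{i}", False))
    # One real user mistyping a password three times, then logging in
    for j in range(3):
        events.append((7300 + j * 10, "203.0.113.9", "alice", False))
    events.append((7340, "203.0.113.9", "alice", True))
    return events

def per_ip_alerts(events, threshold=PER_IP_THRESHOLD):
    """Addresses that reach the per-address failed-login threshold (whole sample)."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def stuffing_windows(events, window=3600, min_fails=20, min_ips=10, max_per_user=2):
    """Fixed windows where failures are spread thinly over many addresses and usernames."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            buckets[ts // window].append((ip, user))
    flagged = []
    for bucket, fails in sorted(buckets.items()):
        ips = {ip for ip, _ in fails}
        per_user = Counter(user for _, user in fails)
        # Many failures, many sources, few tries per username: the stuffing pattern
        if (len(fails) >= min_fails and len(ips) >= min_ips
                and max(per_user.values()) <= max_per_user):
            flagged.append({"window_start": bucket * window, "failures": len(fails),
                            "ips": len(ips), "users": len(per_user)})
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-address alerts:", per_ip_alerts(sample))
    print("site-wide alerts:", stuffing_windows(sample))
```

On the constructed sample, the only per-address alert is the real user who mistyped a password, while the bot traffic shows up only in the site-wide view.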

Credential stuffing attacks are proving to be particularly problematic for companies. They are now the single largest source of account takeovers on web and mobile apps, according to one 2017 study.

There are several measures you can take to protect your business from credential stuffing attacks. For starters, let your employees know about the dangers of reusing passwords. Encourage them to create a unique password not only for each of their business accounts but also for each of their personal ones. That way, if one of their personal account passwords is stolen in a data breach, hackers won’t be able to use it to access your company’s accounts.

Another way to protect your business is to set up two-step verification systems for your business’s web and mobile apps. With two-step verification, people need to provide an additional piece of information to log in, such as a one-time security code. Also encourage employees to use two-step verification for personal online accounts when possible. Many cloud service providers, retailers, and financial institutions now provide this functionality.

Finally, you might consider using a credential validation service (e.g., EyeOnPass). Each time someone tries to register, log in, or change their account password, the service checks the password against a database of known compromised credentials. If the password is found in the database, the person is informed and required to change it.
