Credential stuffing is the automated use of leaked username and password combinations to gain unauthorized access to user accounts and, where a login succeeds, to take those accounts over completely.
The term “credential stuffing” is made up of “credentials” (login data) and “stuffing”. In this procedure the login form of a website, e.g. an online shop, is filled in automatically, entry by entry, from long lists of leaked login data. The calculation behind it: some of these credentials will still be valid and can then be misused, e.g. to place orders in that online shop. The lists come from incidents in which criminal hackers stole credentials, for example by breaking into an email provider, an online shop or a credit card company and extracting the login data stored there. Such lists are sold, or even circulate free of charge, on the Internet. Credential stuffing reliably yields hits because many users reuse their passwords across services and rarely change them; even years-old lists therefore remain valuable to cybercriminals. The attackers do not enter the login data by hand but automatically, via so-called bots, which lets them test an almost unlimited number of credential pairs for validity. The result: according to the IT security company Shape Security, credential stuffing attempts account for an average of 80 to 90% of the login traffic of online shops.
In everyday life you usually encounter credential stuffing only indirectly, for example when a website asks you, in addition to your login data, to type the letters and digits shown in a distorted image. This so-called captcha is meant to stop bots, and with them credential stuffing attempts. It raises the attacker's cost considerably but does not rule out automation entirely, since captcha-solving services exist; it works best alongside the measures below.
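The mechanism described above, seen from the defender's side, as an added example that is not part of the original Perseus page: a small Python script that aggregates login attempts per source IP from constructed web-server log lines, separates credential stuffing (many different accounts, mostly failing) from classic brute force (one account, many passwords), which the text does not discuss, computes the share of login traffic coming from stuffing sources, lists accounts that were entered successfully from such a source, and maps each verdict to the captcha challenge mentioned above. The log format, the thresholds, the IP addresses and the user names are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds (not from the page): tune them to the real login volume.
MIN_ATTEMPTS = 5          # ignore sources with too few attempts to judge
MIN_DISTINCT_RATIO = 0.8  # stuffing cycles through many accounts per source
MIN_FAILURE_RATE = 0.7    # most leaked pairs are stale, so most attempts fail

# Constructed sample log lines, not real traffic. One POST to the login
# form per line: <timestamp> <source ip> POST /login <status> user=<login>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 POST /login 401 user=alice@example.com
2024-05-01T10:00:01Z 203.0.113.5 POST /login 401 user=bob@example.com
2024-05-01T10:00:02Z 203.0.113.5 POST /login 401 user=carol@example.com
2024-05-01T10:00:02Z 203.0.113.5 POST /login 200 user=dave@example.com
2024-05-01T10:00:03Z 203.0.113.5 POST /login 401 user=erin@example.com
2024-05-01T10:00:03Z 203.0.113.5 POST /login 401 user=frank@example.com
2024-05-01T10:00:04Z 203.0.113.5 POST /login 401 user=grace@example.com
2024-05-01T10:00:04Z 203.0.113.5 POST /login 401 user=heidi@example.com
2024-05-01T10:00:05Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:06Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:07Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:08Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:09Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:10Z 198.51.100.9 POST /login 401 user=alice@example.com
2024-05-01T10:00:11Z 192.0.2.44 POST /login 401 user=ivan@example.com
2024-05-01T10:00:20Z 192.0.2.44 POST /login 200 user=ivan@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login (?P<status>\d{3}) user=(?P<user>\S+)$"
)


@dataclass
class SourceStats:
    """Login activity seen from one source IP."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct logins tried
    successes: set = field(default_factory=set)  # logins that got HTTP 200

    @property
    def distinct_ratio(self) -> float:
        return len(self.users) / self.attempts

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts


def parse_log(text: str) -> dict:
    """Aggregate login attempts per source IP; non-matching lines are skipped."""
    per_ip = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = per_ip[m["ip"]]
        user = m["user"].lower()
        s.attempts += 1
        s.users.add(user)
        if m["status"] == "200":
            s.successes.add(user)
        else:
            s.failures += 1
    return dict(per_ip)


def classify(s: SourceStats) -> str:
    """'stuffing': many accounts, mostly failing. 'brute_force': few accounts, mostly failing."""
    if s.attempts < MIN_ATTEMPTS or s.failure_rate < MIN_FAILURE_RATE:
        return "normal"
    if s.distinct_ratio >= MIN_DISTINCT_RATIO:
        return "stuffing"
    return "brute_force"


def action(verdict: str) -> str:
    """Countermeasure from the text: put a captcha in front of automated sources."""
    return "captcha" if verdict in ("stuffing", "brute_force") else "allow"


def analyze(text: str) -> dict:
    per_ip = parse_log(text)
    verdicts = {ip: classify(s) for ip, s in per_ip.items()}
    total = sum(s.attempts for s in per_ip.values())
    stuffed = sum(s.attempts for ip, s in per_ip.items() if verdicts[ip] == "stuffing")
    # Accounts that logged in successfully from a stuffing source: the leaked
    # password still worked, so these users must change it wherever they reuse it.
    hits = sorted(u for ip, s in per_ip.items() if verdicts[ip] == "stuffing" for u in s.successes)
    return {
        "verdicts": verdicts,
        "stuffing_share": stuffed / total if total else 0.0,
        "compromised_accounts": hits,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, verdict in result["verdicts"].items():
        print(f"{ip:15} {verdict:12} -> {action(verdict)}")
    print(f"share of login traffic from stuffing sources: {result['stuffing_share']:.0%}")
    print("accounts to force a password reset on:", result["compromised_accounts"])
```

The distinguishing signal is the ratio of distinct accounts to attempts: a stuffing bot tries each leaked pair once and moves on, so nearly every attempt names a new account, whereas a brute-force tool hammers one account. In production the same logic would run over a sliding time window and also key on other attributes (user agent, ASN, device fingerprint), because attackers spread stuffing runs across many IP addresses.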
As part of the Perseus IT security check you find out whether your email address appears on known credential stuffing lists. If it does, the following recommendations are all the more important for you.
The more often you change a password, the sooner a stolen copy of it becomes worthless. If your login data has already been leaked, change every password that you use in combination with the affected email address.
Ideally, no password is ever used twice. A password manager helps with this feat of memory (see next paragraph). If that is not an option for you at the moment, use as many different passwords as you can. User accounts whose criminal exploitation would cause particularly great damage must always get unique passwords that are as complex as possible.
A password manager is a program that generates an individual, complex password for each user account and stores it for future logins. All you need to remember is the password for the password manager itself. Password managers generally offer a high level of security, but they are not infallible: being software, they can in principle be hacked too.
Therefore, protect as many user accounts as possible with two-factor authentication.
Two-factor authentication offers a great deal of security, because a password from a leaked list is then no longer enough on its own to log in. Our recommendation: use it on every account that offers it.