One of the most crucial habits to break is recycling the same password for all the websites and apps you use. If a bad actor were to gain access to that one password, they could get into every one of your accounts. And yet we’ve all done it—and by “we” I mean me, Katy Perry, and even Drake, to name a few offenders. Take for example the breach of Zoom accounts this spring. The platform itself wasn’t hacked. Its accounts were subjected to credential stuffing: Hackers used a batch of previously stolen credentials to gain access to a large number of Zoom accounts.
So how do hackers get their hands on passwords in the first place and how are they then used in credential stuffing attacks? Find out more below.
5 ways hackers steal passwords
- The theft of a database containing your login credentials – This is one of the largest sources of stolen credentials to date.
- Phishing and social engineering attacks – A hacker sends a phishing email that either asks for your account information outright or tricks you into clicking a malicious link and entering your credentials on a fake site that imitates the real one.
- Keyloggers, browser injectors, and other malware – Hackers may trick you into downloading malware (malicious software) that captures your login credentials, payment information, and other private data.
- Password attacks – Password attacks, such as brute force attacks, use automated software to crack or guess your password.
- WiFi monitoring – Never sign into an account while connected to a public or insecure WiFi network unless you are protected by software such as a VPN. Hackers can use readily available network monitoring tools to intercept your credentials and other data.
How credential stuffing attacks are used to exploit your reused passwords
Credential stuffing attacks work by choosing a target site and analyzing its login sequence and processes. The hacker then writes an automated script or uses a configurable credential stuffing tool to systematically test whether the stolen credentials successfully log in to the target site. To mask their activity, the hacker rents botnets—networks of computers controlled through malware—or a list of proxy IP addresses so that the login attempts appear to come from real users on many different computers. Eventually some credentials succeed on some sites, and the hacker takes over those accounts and steals whatever assets they hold.
While the process may sound complicated on paper, hackers can easily launch an attack within a few hours.
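The pattern described above leaves a recognizable trace in a site's own authentication logs: one source trying many different usernames, most of them failing. The following is an added example of detection logic run over a few constructed log lines; it is not code from the original article or from Dashlane, and the log format, IP addresses and usernames are made up for illustration.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example: the log format, IP addresses and usernames below are
constructed for illustration and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per login attempt, oldest first.
SAMPLE_LOG = """\
2020-04-10T12:00:01Z ip=198.51.100.7 user=alice result=OK
2020-04-10T12:00:05Z ip=198.51.100.7 user=alice result=OK
2020-04-10T12:00:09Z ip=203.0.113.5 user=bob result=FAIL
2020-04-10T12:00:10Z ip=203.0.113.5 user=carol result=FAIL
2020-04-10T12:00:11Z ip=203.0.113.5 user=dave result=FAIL
2020-04-10T12:00:12Z ip=203.0.113.5 user=erin result=OK
2020-04-10T12:00:13Z ip=203.0.113.5 user=frank result=FAIL
2020-04-10T12:00:14Z ip=203.0.113.5 user=grace result=FAIL
2020-04-10T12:00:20Z ip=192.0.2.44 user=heidi result=FAIL
2020-04-10T12:00:25Z ip=192.0.2.44 user=heidi result=FAIL
2020-04-10T12:00:30Z ip=192.0.2.44 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def score_sources(events, window=timedelta(minutes=10), min_users=5,
                  max_success_rate=0.5):
    """Flag source IPs that, within any sliding window, try at least
    min_users distinct usernames with a success rate at or below
    max_success_rate. Thresholds are illustrative, not tuned."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            rate = sum(e["ok"] for e in chunk) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"attempts": len(chunk),
                                   "distinct_users": len(users),
                                   "success_rate": round(rate, 3)}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that a flagged source logged into successfully; these are
    the candidates for a forced password reset and user notification."""
    return {e["user"] for e in events if e["ip"] in flagged and e["ok"]}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = score_sources(evs)
    for ip, info in hits.items():
        print(f"{ip}: {info}")
    print("accounts to reset:", sorted(compromised_accounts(evs, hits)))
```

Note the two non-flagged sources: 198.51.100.7 is a normal user, and 192.0.2.44 hammers a single username, which is the password guessing pattern from the list above rather than stuffing. Because the botnets and proxy lists described in the article spread attempts across many IPs, a per-source check alone is not enough; the same ratio (distinct usernames versus success rate) is worth computing site-wide per window as well.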
What is the best way to protect your accounts from hackers using credential stuffing attacks?
The best way to protect your accounts and data from credential stuffing attacks is to immediately stop reusing the same passwords on multiple accounts. All your accounts—but especially accounts related to retail, finance, travel, and government—should be protected with strong, unique passwords. A strong password should have a minimum of 8 characters and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Here are some additional tips to help you get out of the habit of reusing passwords:
- Use a password manager – If you’re having difficulty creating and managing long, complicated passwords, use a password manager like Dashlane. It has a built-in password generator to help you create strong passwords for new accounts, and security alerts to notify you immediately to change your passwords after a data breach.
- Enable two-factor authentication – Enable two-factor authentication (2FA) on all online accounts, especially on highly targeted websites and apps such as your social media and online banking accounts.
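The two checks a password manager performs for you, spotting reused passwords and flagging weak ones, are simple enough to show in full. The following is an added example, not Dashlane's code: it audits a constructed vault against the password policy stated above (at least 8 characters, with uppercase, lowercase, digits and special characters) and, given a list of breached sites, lists the other accounts that share a password with them. The vault entries, site names and the `weak_reasons`, `find_reuse`, `accounts_at_risk` and `audit` function names are all assumptions made for this example.

```python
"""Audit a password vault for reused and weak passwords.

Added example: the vault entries are constructed, and the policy encoded in
weak_reasons() is the one stated in the article (8+ characters with upper,
lower, digit and special characters). This is not Dashlane's own code.
"""
import hashlib
import re
from collections import defaultdict

# Constructed vault: one entry per account.
VAULT = [
    {"site": "shop.example", "user": "kp", "password": "Sunshine2019!"},
    {"site": "bank.example", "user": "kp", "password": "Sunshine2019!"},
    {"site": "mail.example", "user": "kp", "password": "Sunshine2019!"},
    {"site": "travel.example", "user": "kp", "password": "sunshine"},
    {"site": "forum.example", "user": "kp", "password": "x7#Qm2pL9vR!wz"},
]

# Each rule: (reason reported when it fails, predicate that must hold).
RULES = [
    ("shorter than 8 characters", lambda pw: len(pw) >= 8),
    ("no uppercase letter", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("no lowercase letter", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("no digit", lambda pw: re.search(r"[0-9]", pw) is not None),
    ("no special character", lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]


def weak_reasons(password):
    """Return the list of policy rules the password fails; empty means strong."""
    return [reason for reason, holds in RULES if not holds(password)]


def _fingerprint(password):
    """Short hash used to group identical passwords without echoing them
    into reports or logs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Map each reused password fingerprint to the sites that share it."""
    groups = defaultdict(list)
    for entry in vault:
        groups[_fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def accounts_at_risk(vault, breached_sites):
    """After a breach at breached_sites, the other accounts whose password
    matches one used at a breached site; these need changing first."""
    exposed = {_fingerprint(e["password"])
               for e in vault if e["site"] in breached_sites}
    return {e["site"] for e in vault
            if _fingerprint(e["password"]) in exposed
            and e["site"] not in breached_sites}


def audit(vault):
    """Full report: reused password groups and weak passwords with reasons."""
    weak = {e["site"]: weak_reasons(e["password"]) for e in vault}
    return {
        "reused": find_reuse(vault),
        "weak": {site: reasons for site, reasons in weak.items() if reasons},
    }


if __name__ == "__main__":
    report = audit(VAULT)
    for fp, sites in report["reused"].items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    for site, reasons in report["weak"].items():
        print(f"{site}: weak ({'; '.join(reasons)})")
    print("at risk after shop.example breach:",
          sorted(accounts_at_risk(VAULT, {"shop.example"})))
```

The `accounts_at_risk` step is the one that turns a breach notification into an action list: a stolen database from one site exposes exactly the accounts that share that password, which is why the article's advice is unique passwords first and strength second.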