One of the most crucial habits to break is recycling the same password for all the websites and apps you use. If a bad actor were to gain access to that one password, they could get into every one of your accounts. And yet we’ve all done it—and by “we” I mean me, Katy Perry, and even Drake, to name a few offenders. Take for example the breach of Zoom accounts this spring. The platform itself wasn’t hacked. Its accounts were subjected to credential stuffing: Hackers used a batch of previously stolen credentials to gain access to a large number of Zoom accounts.
So how do hackers get their hands on passwords in the first place, and how are they then used in credential stuffing attacks? Find out more below.
In a credential stuffing attack, a hacker chooses a target site and analyzes the site’s login sequence and processes. Then, the hacker can either create an automated script or use configurable credential stuffing software to systematically test whether the stolen credentials successfully log in to the target site. To mask their activity, the hacker will rent botnets—networks of computers controlled by hackers using malware—or a list of proxy IP addresses to make it appear as if login attempts were coming from real users on various computers. Eventually, the hacker will be successful on some sites with some credentials, and will be able to take over those accounts and steal assets.
While the process may sound complicated on paper, hackers can easily launch an attack within a few hours.
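From the defender's side, the pattern described above (many different accounts, each tried once, spread across many source addresses) shows up in login logs even when no single IP address looks abusive. The following Python is an added example, not part of the original article; the log format, the thresholds and all names in it are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample lines in an assumed format: 'ISO-time source-ip username result'."""
    lines = ["2024-01-15T09:01:00 198.51.100.7 alice OK"]       # ordinary login, earlier window
    # Burst: 25 different usernames, each tried once, each from a different address.
    for i in range(25):
        lines.append(f"2024-01-15T09:10:{i:02d} 203.0.113.{i + 1} user{i} FAIL")
    lines.append("2024-01-15T09:10:30 203.0.113.99 bob OK")      # a reused password worked
    lines.append("2024-01-15T09:10:40 198.51.100.7 alice OK")    # user/IP pair seen before
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=20, min_fail_ratio=0.9):
    """Flag time windows where many distinct accounts fail to log in, site-wide."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts)
        start = ts - (ts - datetime.min) % window                # floor to window start
        buckets[start].append((ip, user, result))

    known, alerts = set(), []                                    # known = trusted (user, ip) pairs
    for start in sorted(buckets):
        events = buckets[start]
        fails = [(ip, u) for ip, u, r in events if r == "FAIL"]
        successes = [(u, ip) for ip, u, r in events if r == "OK"]
        failed_users = {u for _, u in fails}
        if len(failed_users) >= min_users and len(fails) / len(events) >= min_fail_ratio:
            per_ip = Counter(ip for ip, _ in fails)
            alerts.append({
                "window": start.isoformat(),
                "failed_users": len(failed_users),
                "source_ips": len({ip for ip, _, _ in events}),
                # A per-IP lockout counter would only ever see this many failures:
                "max_fails_per_ip": max(per_ip.values()),
                # Successful logins from a user/IP pair never seen in a quiet window:
                "review": sorted({u for u, ip in successes if (u, ip) not in known}),
            })
        else:
            known.update(successes)                              # learn pairs only when quiet
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_log()):
        print(alert)
```

Accounts listed under `review` are candidates for a forced password reset, because a login succeeded from an unfamiliar address during the burst.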
The best way to protect your accounts and data from credential stuffing attacks is to immediately stop reusing the same passwords on multiple accounts. All your accounts—but especially accounts related to retail, finance, travel, and government—should be protected with strong, unique passwords. A strong password should have a minimum of 8 characters and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Here are some additional tips to help you get out of the habit of reusing passwords: