Credential stuffing – are users themselves to blame?
September 22, 2021 / Knowledge

Passwords get leaked, accounts get breached – and it’s actually not the hacker who is to blame. How can this even happen?

Well, it already has. In 2020, according to the headlines, around 300,000 Nintendo user accounts were breached. After the investigation, however, it was clear that the Japanese gaming giant was responsible for only 1% of those breached accounts.

The other 99% of the accounts were not breached at all. They were taken over through a credential stuffing attack.

What is credential stuffing?

In short, credential stuffing is the practice in which a hacker, or anyone else who knows one of your passwords, tries that same password against your accounts on other services.

If a person reuses their password on multiple platforms, it’s now the hacker’s turn.

Is credential stuffing a data breach?

Although credential stuffing is usually called an attack, it is not classified as a data breach.

A breach happens when a criminal finds a security vulnerability in a system and exploits it, or when the company itself fails to protect its users’ data and accidentally releases sensitive information to the public.

By contrast, credential stuffing exploits the user’s failure to protect their own data. If a person reuses the same username and password combination on multiple platforms, it’s their decision that might have consequences.

By no means do we support what hackers do – but free candy is always free candy. If a hacker can exploit the user’s negligence, he will.

How do hackers access that first password?

This is usually the result of a data breach. When a company of any kind experiences a data breach (whether through internal failure or a deliberate external attack), its users’ data is compromised. In most cases, the entire exposed database is then published on publicly accessible forums and sold.

Anyone can purchase and download the lists of breached usernames and passwords in plaintext for a few dollars.

If you reuse your email and password combination at a few popular websites, there’s a high chance a bored person somewhere in the world will try it.
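As an added illustration (not part of the original post, and not PassCamp’s own code), the following Python script shows what the attack described above looks like from the defender’s side of the login form: one source address cycling through many distinct usernames with roughly one attempt each, as opposed to a brute-force attempt hammering a single account. The log format, thresholds, IP addresses and sample lines are all constructed for this example.

```python
"""Spot a credential-stuffing pattern in authentication logs.

Credential stuffing differs from password brute force: the attacker already has
one leaked password per account and tries it ONCE against MANY accounts.  So a
single source address produces a run of failed logins across many distinct
usernames, with about one attempt per username and a low success rate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).  Assumed format:
# <ISO-8601 timestamp> ip=<source> user=<account> result=<OK|FAIL>
SAMPLE_LOG = """\
2021-09-22T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2021-09-22T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2021-09-22T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2021-09-22T10:00:03Z ip=203.0.113.5 user=dave result=OK
2021-09-22T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2021-09-22T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2021-09-22T10:00:09Z ip=198.51.100.7 user=grace result=FAIL
2021-09-22T10:00:15Z ip=198.51.100.7 user=grace result=FAIL
2021-09-22T10:00:20Z ip=198.51.100.7 user=grace result=OK
2021-09-22T10:01:00Z ip=192.0.2.9 user=heidi result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime, source ip, user and outcome."""
    ts, ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "ok": result.split("=", 1)[1] == "OK",
    }


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_tries_per_user=2.0):
    """Return {ip: stats} for sources whose activity inside any `window`
    touches at least `min_users` distinct accounts with few tries per account.

    The distinct-user count is the stuffing signal; the tries-per-user cap
    separates it from brute force, where one account receives many tries.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            tries_per_user = len(span) / len(users)
            if len(users) >= min_users and tries_per_user <= max_tries_per_user:
                stats = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": sum(e["ok"] for e in span),
                }
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or stats["distinct_users"] > prev["distinct_users"]:
                    flagged[ip] = stats
    return flagged


def accounts_to_notify(log_text, flagged):
    """Accounts that logged in successfully from a flagged source.

    These are the 'unrecognised login' events the account owner should be
    alerted about (and that a second factor would have blocked outright).
    """
    hits = set()
    for e in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if e["ip"] in flagged and e["ok"]:
            hits.add(e["user"])
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    for ip, stats in sources.items():
        print(f"credential stuffing suspected from {ip}: {stats}")
    print("accounts to notify:", sorted(accounts_to_notify(SAMPLE_LOG, sources)))
```

On the constructed sample, `203.0.113.5` is flagged (six distinct accounts, six attempts, one success) while `198.51.100.7`, which hits a single account three times, is not: that is a brute-force shape, not a stuffing shape. The thresholds are tuned to the sample; in practice a per-IP rule is only a first signal, because stuffing attempts are usually spread over many source addresses, so the distinct-users-per-source ratio is the more durable feature to alert on.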

How to protect yourself?

You probably saw this coming, but still – never reuse your passwords, no matter how strong or complex they are. A strong password protects you on one platform, not the 10+ platforms you used it on.

Having covered the basics, we strongly suggest taking a step further – start using two-factor authentication (2FA) on all platforms that offer this feature.

By turning on two-factor authentication (especially for critical accounts), you make it immeasurably more difficult for a hacker to access your account. With 2FA, you not only need to type in your password, but you also need to additionally prove that it is you who is accessing the account.

In this case, if a hacker obtains your password and tries it on any platform, they won’t be able to get in (even if the password is correct). You will immediately get a notification about the unrecognized login, which serves as a red flag to change your password at once.

PassCamp helps you break old habits.

Credential stuffing attacks happen every day. Only by breaking the old habits and acquiring new ones can you protect your digital data.

PassCamp – an intuitive password manager – helps you throughout the whole journey of password security.

In the PassCamp vault, you can store all your complex passwords without having to remember them. The tool generates a new password with a few clicks, saves it, and automatically fills it in when you need it. For the next level of data security, two-factor authentication is also available.

Give automated, hassle-free password management a try. Try out PassCamp for free today.