4 December 2020

Credential stuffing attacks: How to keep your user data safe

Earlier this year, over 500,000 Zoom accounts went up for sale on the dark web and other illicit forums for a fraction of a dollar each. In some instances, these credentials were being distributed for free. The information available for purchase included various aspects of user data: email addresses, passwords, meeting URLs, and Host Keys – the 6-digit PIN used to claim the host role in a particular meeting. The attackers obtained this data through credential stuffing.

The account details of over half a million users were obtained through credential stuffing attacks, where malicious actors use emails and passwords that were exposed in past data breaches and attempt to gain access to other apps and websites.

So how does Credential Stuffing work exactly?

  • Malicious actors acquire the credentials that are already available from previous, unrelated data breaches.
  • They use these stolen usernames and passwords and test them against a large number of websites and apps in an automated fashion. These sites and apps often include social media, online marketplaces, educational institutions, and so on.
  • A hit means the attacker can log in to the account and take it over.
  • The attackers scrape the accounts for any valuable information such as credit card details, connections to other services, and personally identifiable information like birth dates, social security numbers, and more.
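The automated, many-accounts-from-one-source pattern described in these steps is also what makes credential stuffing detectable. The following is an added example (not from the original post or VerifyKit) that flags sources whose login activity inside a short window touches many distinct usernames with a low success rate, and lists the accounts that were hit so they can be reset or stepped up. The log format and thresholds are assumptions constructed for the example.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.7 sprays six different accounts in five seconds; 198.51.100.2 is
# one user who mistypes a password twice, which must NOT be flagged.
SAMPLE_LOG = """\
2020-12-04T10:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2020-12-04T10:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2020-12-04T10:00:02 203.0.113.7 carol@example.com LOGIN_FAIL
2020-12-04T10:00:03 203.0.113.7 dave@example.com LOGIN_OK
2020-12-04T10:00:04 203.0.113.7 erin@example.com LOGIN_FAIL
2020-12-04T10:00:05 203.0.113.7 frank@example.com LOGIN_FAIL
2020-12-04T10:00:09 198.51.100.2 grace@example.com LOGIN_FAIL
2020-12-04T10:00:15 198.51.100.2 grace@example.com LOGIN_FAIL
2020-12-04T10:00:30 198.51.100.2 grace@example.com LOGIN_OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.3):
    """Return {ip: (distinct_users, attempts, [accounts that succeeded])} for
    sources whose activity inside `window` matches credential stuffing: many
    distinct usernames and a low success rate. Repeated failures against a
    single account are a different signal (password guessing) and are ignored."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide `start` so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = sorted(u for _, u, ok in chunk if ok)
            if len(users) >= min_users and len(hits) / len(chunk) <= max_success_rate:
                flagged[ip] = (len(users), len(chunk), hits)  # keep the widest match
    return flagged
```

The accounts in the returned hit list are the ones whose recycled credentials actually worked and therefore need a forced reset or a second factor.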

In essence, credential stuffing only works because username and password recycling is rampant among users. When a user reuses the same username-password combination across multiple apps or websites, a single breach is enough to expose that user’s credentials, and attackers can then try the same combination on popular websites until one of them grants access.

Passwords can be changed, but there is a lot of information that can’t be changed: personally identifiable information. When a user’s data stored in your app or website is breached, data pertaining to personal identity is scraped and stolen. This includes real names, social security numbers, home/work addresses, email addresses, and even financial information that might lead to further issues. This data never expires: even if you changed your password every hour, you could not change most of these facts about your life to protect yourself from malicious actors who use them to commit identity fraud. This is the real issue with data breaches.

What measures can be taken to prevent this?

1. Only store what’s absolutely needed.

If at all possible, don’t store any sensitive or personally identifiable information. The only way for the data to be secure is if you don’t have it in the first place. After all, what isn’t there cannot be stolen in a data breach.

If your app or website handles sensitive information, don’t keep it for longer than needed. It’s up to you how long you think you need that data for, and your data retention policy should be able to justify it. Additionally, you should periodically review the data you have on users and do your best to delete or anonymize it, as per GDPR requirements.

2. Encryption

When storing user data, it’s always a good idea to keep the information encrypted. As demonstrated perfectly by plaintextoffenders.com, even the biggest players on the internet are guilty of keeping user passwords in plain text. Keeping your user data in plain text defeats the purpose of every other precaution you can take, because it means the information is there, already exposed, waiting to be stolen by either an employee or an outside attacker.

It’s especially effective against inside jobs or phishing attacks that target employees. No company or employee is perfect, meaning an intrusion is inevitable in the long run. Keeping user data properly encrypted minimizes both the risk of a data breach and its consequences.
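This section is about encrypting stored user data; for the password field specifically, the practitioner’s caveat is that it should be stored neither in plain text nor reversibly encrypted but as a salted, slow one-way hash, so that a breached table cannot be turned back into credentials that feed the next round of credential stuffing. The following is an added example, not from the original post or VerifyKit, using only the Python standard library; the iteration count and record format are assumptions chosen for the example.

```python
"""Salted, slow one-way password storage (added example, not from the post)."""
import hashlib
import hmac
import os

# Assumed cost: PBKDF2-HMAC-SHA256 iterations. Raise as hardware allows; the
# point is that every guess against a stolen table costs the attacker this much.
ITERATIONS = 600_000
SALT_LEN, KEY_LEN = 16, 32


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$key_hex'.
    A fresh random salt per user means two users with the same password get
    different records, so a dump cannot be attacked with one precomputed table."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored record and compare
    in constant time, so response timing does not leak how many bytes matched.
    Recording the iteration count lets old records be upgraded on next login."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                              int(iterations), len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a weaker iteration count than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS
```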

3. Put two-factor authentication measures in place.

Passwords aren’t safe anymore. It can be argued that they were never safe to begin with, but that’s another conversation. With rampant data breaches and user credentials being sold on black markets for pennies, businesses need another paradigm for their user authentication systems.

Implementing a two-factor authentication solution in your user log-in process eliminates the aforementioned credential stuffing attacks altogether. Even if a user’s credentials are out there for everyone to see and exploit, with 2FA nobody will be able to log in except the real owner of that account, thanks to additional methods of verifying a user such as OTP. Doing away with passwords altogether is another option, as outlined in our blog in the past.

If you’re looking for a verification solution, VerifyKit has you covered. VerifyKit is a flexible verification solution that enables you to deliver one-time passwords to your users via SMS and the popular IM platform WhatsApp. Using IM platforms that are tied to your users’ unique phone numbers hardens your log-in security even further and eliminates the risk of attacks such as credential stuffing, as users use their personal phones to log in to your app or website. Not only that, using IM services instead of traditional text messages reduces your cost of user verification. Check VerifyKit out today.
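The two sections above describe OTP-based 2FA delivered over SMS or an IM platform. What follows is an added example of the server-side handling such a step needs regardless of delivery channel; it is not VerifyKit’s code or API. The code is random, stored only as a keyed hash, expires, is single-use, and allows a bounded number of guesses. The `send` callback, the in-memory store and all constants are assumptions for the example.

```python
"""Server-side issuance and verification of a delivered OTP (added example)."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumed: a code is useless after five minutes
MAX_ATTEMPTS = 5           # assumed: 10^6 codes / 5 guesses per code defeats brute force
_SERVER_KEY = secrets.token_bytes(32)   # per-deployment key for the stored hash

_pending = {}   # phone -> {"digest", "expires", "attempts"}; a real service uses a DB


def _digest(phone: str, code: str) -> bytes:
    # Keyed hash: a leaked store does not reveal live codes, and a code for one
    # phone cannot be replayed against another.
    return hmac.new(_SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).digest()


def issue_otp(phone: str, send, now=None) -> None:
    """Generate a fresh code, keep only its keyed hash, and hand the code to
    `send(phone, code)`, the stand-in for the SMS/IM delivery channel."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[phone] = {"digest": _digest(phone, code),
                       "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    send(phone, code)


def verify_otp(phone: str, code: str, now=None) -> bool:
    """Return True exactly once for the right code. The code is burned on
    success, on expiry, and after MAX_ATTEMPTS wrong guesses."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None or now > entry["expires"]:
        _pending.pop(phone, None)
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(phone, code)):
        del _pending[phone]          # single use
        return True
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[phone]          # the user must request a new code
    return False
```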
