4 December 2020

Credential stuffing attacks: How to keep your user data safe

Earlier this year, over 500,000 Zoom accounts went up for sale on the dark web and other illicit forums for a fraction of a dollar each. In some instances, these credentials were being distributed for free. The information available for purchase included various aspects of user data: email addresses, passwords, meeting URLs, and their Host Keys – the 6-digit PIN used to claim to be the host of a particular meeting. The method of attack that allowed them to obtain the data was Credential Stuffing.

The account details of over half a million users were obtained through credential stuffing attacks, where malicious actors use emails and passwords that were exposed in past data breaches and attempt to gain access to other apps and websites.

So how does Credential Stuffing work exactly?

  • Malicious actors acquire the credentials that are already available from previous, unrelated data breaches.
  • They use these stolen usernames and passwords and test them against a large number of websites and apps in an automated fashion. These sites and apps often include social media, online marketplaces, educational institutions, and so on.
  • Once they have a hit, it allows the attackers to successfully log in to the account and take over.
  • The attackers scrape the accounts for any valuable information such as credit card details, connections to other services, and personally identifiable information like birth dates, social security numbers, and more.

In essence, credential stuffing only works because username and password recycling is rampant among users. When a user uses the same username-password combination across multiple apps or websites, only one breach is needed to get access to that user’s credentials and it allows attackers to try the same combination in popular websites and eventually gain access.

Passwords can be changed, but there is a lot of information that can’t be changed: personally identifiable information. When a user’s data stored in your app or website is breached, data pertaining to personal identity is scraped and stolen. This includes real names, social security numbers, home/work addresses, email addresses, and even financial information that might lead to further issues. This data never expires, meaning that even if you change your password every hour, you can’t change most of these aspects of life to protect yourself against malicious actors to conduct identity fraud. This is the real issue with data breaches.

What measures can be taken to prevent this?

1. Only store what’s absolutely needed.

If at all possible, don’t store any sensitive or personally identifiable information. The only way for the data to be secure is if you don’t have it in the first place. What’s not there can not be stolen in a possible data breach after all.

If your app or website handles sensitive information, don’t keep it for longer than needed. It’s up to you how long you think you need that data for, and your data retention policy should be able to justify it. Additionally, you should periodically review the data you have on users and do your best to delete or anonymize it, as per GDPR requirements.

2. Encryption

When storing user data, it’s always a good idea to keep the information encrypted. As demonstrated perfectly by plaintextoffenders.com, even the biggest players on the internet are guilty of this. Keeping your user data in plain text defeats the purpose of every precaution you can take to ensure security because it means the information is there, already exposed, waiting to be stolen by either an employee or an outside attacker.

It’s especially effective against inside jobs or phishing attacks that target employees. No company or an employee is perfect, meaning an intrusion is inevitable in the long run. Keeping user data encrypted properly minimizes the risks of data breaches and the consequences.

3. Put two-factor authentication measures in place.

Passwords aren’t safe anymore. It can be argued that they were never safe to begin with, but that’s another conversation. With rampant data breaches and user credentials being sold on black markets for pennies, businesses need another paradigm for their user authentication systems.

Implementing a two-factor authentication solution into your user log-in process eliminates the aforementioned credential stuffing attacks altogether. Even if a user’s credentials are out there for everyone to see and exploit, with 2FA, nobody will be able to log in except the real owner of that account, thanks to additional methods of verifying a user such as OTP. Doing away with passwords altogether is yet again another option, as outlined in our blog in the past.

If you’re looking for a verification solution, VerifyKit has you covered. VerifyKit is a flexible verification solution that enables you to deliver one-time passwords to your users via SMS, and popular IM platform WhatsApp. Using IM platforms that are tied to your users’ unique phone number hardens your log-in security even further and eliminates the risk of attacks such as credential stuffing, as users use their personal phones to log in to your app or website. Not only that, using IM services instead of traditional text messages reduces your cost of user verification. Check VerifyKit out today.

Most Viewed Posts

18 September 2020

What is the Best Phone Number Verification Method for Your Users?

SMS provides a secure way to authenticate users during phone number verification, but it’s not your only option. This article explains. Phone numbers offer the benefit of being unique; every mobile phone owner is assigned a different number. Stealing someone’s phone number or obtaining...

1 April 2021

4 Tips for Better Mobile App Security

The number of mobile apps is growing daily, and the issues of mobile app security and privacy continue to intensify as a result. Security professionals are growing more and more worried that common web app security practices aren’t cutting it anymore. While security professionals are busy...

24 February 2021

Going global: the challenges of app localization

You have your app up and running and it’s ready for prime time on the app stores. It can be downloaded and enjoyed by billions of people around the world, as app stores are global marketplaces for apps. Technically, yes, that is true. App stores are a great way to reach global audiences, but...

16 March 2021

4 mobile app development tips for start-ups

Say you have a brilliant start-up idea and you need a killer app to go with it. If you’re just beginning to set sail on your app development journey, it might get a little difficult navigating the waters of app development. We put together several app development tips for start-ups in this blog...

7 June 2021

The story of VerifyKit

Every brand has an origin story. Ours is one of dedication and hard work, how we developed VerifyKit and nurtured it to the global brand that it is today. In a nutshell, it’s the story of challenging ourselves at every corner, finding our own solutions to the problems we face, and sharing...

4 September 2020

Why Phone Number Verification is Crucial for Account Security

Security is a top reason as to why app developers are turning to phone number verification to authenticate users. This article explains. A big concern for app developers is account security; how to verify that users are genuine human beings and not scammers or hackers. Email verification...

25 September 2020

How to Cut User Verification Costs

User verification is a must to ensure your app attracts genuine users – but it comes at a cost. Learn how to cut verification costs below.  Account security – how to keep users safe from scammers and hackers – is a leading priority for app developers. For that reason, user...

19 August 2020

Creating a Binary Framework in iOS with Swift

We all use a lot of frameworks in our daily development routine. We just type the magical word “import” and it’s all set. But what’s happening behind that import statement? How do you make it possible for your fellow developers to use your classes with just one line of code? Today, I’ll...

18 January 2021

5 Tips for Developers Who Are on the Road to Success

The field of software development is extremely diverse and it continues to grow every year. More and more people are entering the industry every day and there are many different ways of doing it. Some choose to go to college/university to pursue a degree, some go to coding boot camps for a crash...