What is it - A credential stuffing attack is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain illegal access to user accounts.
Examples of Credential stuffing attacks
Example 1 - Intuit, a victim of a credential stuffing attack
In February 2019, the financial software company Intuit learned that TurboTax account users’ tax return information was compromised in a credential stuffing attack. The company disclosed that an unauthorized party accessed TurboTax accounts by using username-password combinations obtained from a non-Intuit source.
The unauthorized party who gained illegal access to TurboTax user accounts obtained information contained in the previous year's tax return or current tax return in progress.
Example 2 - Dunkin’ Donuts suffered a credential stuffing attack
On January 10, 2019, Dunkin’ Donuts suffered a credential stuffing attack which led to attackers gaining unauthorized access to some of its customers’ accounts. Attackers used user credentials leaked at other sites to gain access to DD Perks rewards accounts.
A DD Perks account includes information such as the user’s first and last names, email address (also used as the username), 16-digit DD Perks account number and DD Perks QR code.
Once attackers gained access to customers’ Dunkin' Donuts accounts via the credential stuffing attack, they put the breached accounts up for sale. The accounts are then bought by other people, who use the reward points at Dunkin' Donuts shops to receive free beverages and other discounts.
This is the second credential stuffing attack that Dunkin’ Donuts has experienced in the last three months. The first credential stuffing attack occurred on October 31, 2018.
How to stay protected?
It is best to use two-factor authentication when logging in and to log out after the session is complete.
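On the service side, the attack described above leaves a recognisable shape in login logs: one source tries many different usernames, one or two passwords each, and most attempts fail. The Python sketch below is an added example, not part of the original article; the log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical): "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def build_sample():
    """Constructed sample log: one stuffing source, one brute-force source, one office NAT."""
    lines = []
    for i in range(8):   # many users, one try each, one leaked pair happens to work
        result = "OK" if i == 3 else "FAIL"
        lines.append(f"2019-01-10T08:00:{i:02d}Z ip=203.0.113.7 user=user{i}@example.com result={result}")
    for i in range(10):  # classic brute force: many guesses against a single account
        lines.append(f"2019-01-10T08:05:{i:02d}Z ip=198.51.100.20 user=bob@example.com result=FAIL")
    for i in range(6):   # shared office address: many users, all logging in normally
        lines.append(f"2019-01-10T09:00:{i:02d}Z ip=192.0.2.50 user=staff{i}@example.com result=OK")
    return "\n".join(lines)

def find_stuffing_sources(log_text, min_users=5, max_attempts_per_user=2.0, max_success_ratio=0.25):
    """Flag sources that try many distinct usernames, few attempts each, mostly failing."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> attempt count
    successes = defaultdict(set)                      # ip -> users that logged in
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of failing the whole scan
        attempts[m["ip"]][m["user"]] += 1
        if m["result"] == "OK":
            successes[m["ip"]].add(m["user"])
    flagged = {}
    for ip, per_user in attempts.items():
        users = len(per_user)
        total = sum(per_user.values())
        ok_ratio = len(successes[ip]) / users
        if (users >= min_users and total / users <= max_attempts_per_user
                and ok_ratio <= max_success_ratio):
            # Accounts that logged in from a flagged source should get a forced
            # password reset and a second-factor challenge.
            flagged[ip] = {"users": users, "attempts": total,
                           "compromised": sorted(successes[ip])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(build_sample()).items():
        print(ip, stats)
```

The brute-force source and the office address are deliberately not flagged: the first targets a single username, and the second has a normal success rate.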