What do criminals do with all of those passwords they steal? One answer is credential stuffing. The bad guys know that most people reuse logins and passwords at multiple sites, so when they get credentials from one site (e.g., from a data breach at Yahoo or any one of thousands of others) they try the combinations at other sites looking for matches. The success rate is typically only 0.1 to 2%, but by testing hundreds of thousands or even millions of combinations, they may be able to successfully access accounts.
One example is a credential stuffing attack launched against the project management service Basecamp. They experienced 30,000 malicious login attempts from a range of IP addresses in just one hour. They blocked the IPs as quickly as possible and were able to stop the attack by adding a CAPTCHA to the login page. When the dust had settled, Basecamp discovered that the 30,000 attempts had succeeded in accessing just 124 accounts. Basecamp reset those accounts' passwords to lock the hackers out.
Basecamp’s quick action protected their customers’ accounts. Another strategy companies can use is to track fraudulent login attempts and blacklist the IP addresses they come from. This won’t completely stop the hackers, but it can make it more difficult for them to carry out their attacks.
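As an added illustration of the tracking described above (not Basecamp's own code), the following script scans a constructed sample of login events for the signature that distinguishes credential stuffing from an ordinary user mistyping a password: one IP address attempting many *different* usernames in a short window. It reports the IPs to block and the accounts that were accessed from them, which are the ones to reset. The log format, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Basecamp data).
# Fields: ISO timestamp, client IP, username, result.
SAMPLE_LOG = """\
2019-01-29T10:00:01 203.0.113.7 alice FAIL
2019-01-29T10:00:02 203.0.113.7 bob FAIL
2019-01-29T10:00:02 203.0.113.7 carol FAIL
2019-01-29T10:00:03 203.0.113.7 dave OK
2019-01-29T10:00:04 203.0.113.7 erin FAIL
2019-01-29T10:00:05 203.0.113.7 frank FAIL
2019-01-29T10:00:10 198.51.100.2 alice FAIL
2019-01-29T10:00:15 198.51.100.2 alice FAIL
2019-01-29T10:00:20 198.51.100.2 alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(text):
    """Parse log lines into sorted (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def find_stuffing_sources(events, window=timedelta(minutes=1), min_attempts=5, min_users=5):
    """Flag IPs that, within any `window`, make >= min_attempts logins against
    >= min_users distinct usernames. One user retrying a single account
    (198.51.100.2 above) is not flagged.
    Returns {ip: (total_attempts, distinct_users, accounts_accessed)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):          # sliding window over this IP's rows
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) >= min_attempts and len({u for _, u, _ in win}) >= min_users:
                accessed = sorted({u for _, u, ok in rows if ok})   # accounts to reset
                flagged[ip] = (len(rows), len({u for _, u, _ in rows}), accessed)
                break
    return flagged
```

Thresholds this low are only sensible for a small sample; for a real login endpoint they would be tuned against the site's normal traffic, and a CAPTCHA or rate limit would be applied to flagged sources rather than a silent block alone.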
Companies have only limited security measures available to prevent credential stuffing attacks, or at least to limit their success; and when a site is attacked, it is not the fault of that site, because the hackers are using credentials obtained elsewhere to access the site under attack. Ultimately, websites do not have a foolproof way of defending against credential stuffing. As Basecamp’s CTO and co-founder David Heinemeier Hansson said, “Our ops team will continue to monitor and fight any future attacks. … But if someone has your username and password, and you don’t have 2FA (two-factor authentication) protection, there are limits to how effective this protection can be.”
Ultimately, then, the responsibility for protecting our accounts is in our hands. Consumers can protect themselves from credential stuffing attacks by using a unique password for each account (a password manager can help) and by turning on two-factor authentication wherever it is available.