Credential Stuffing – Industry Commentary from Tenable
Posted: Monday, Jan 22

i 3 Table of Contents

Credential Stuffing – Industry Commentary from Tenable

Credential Stuffing – A Growing Hacking Technique

There is a new hack scheme in town that has affected thousands of Australians who own online accounts with some of our biggest brands.

Known as ‘credential stuffing’, scammers are taking advantage of customers who use the same email address and password combinations as logins, obtained from one breach, across multiple accounts online. This can result in fraudulent transactions being made using payment information saved on site.


Expert Commentary

As this news develops, we would like to share the below commentary from cybersecurity company Tenable, discussing in further detail what credentials stuffing means for both consumers and companies.

Credential stuffing attacks are a major issue for organisations that enable users to log-in to accounts using usernames and passwords. Because there are so many websites that require log-in credentials, users are inclined to reuse passwords across several websites because remembering passwords is difficult. What complicates this matter is that websites are being hacked and user data is being sold on the dark web for a small sum. In some cases, the data is freely shared around.

The availability of this breach data is a boon for cybercriminals, who recognise user behaviour and tendencies to re-use passwords. Therefore, they take the breach data and try to use these credentials on other websites. They figuratively “stuff” credentials into these websites in hopes of successfully logging in.


In The Real World

In some cases, such as the Dan Murphy’s or Guzman y Gomez credential stuffing attacks, the attackers can use saved payment information (such as credit card) or gift cards added to these accounts to purchase goods.

For users, it is important to not re-use passwords across multiple websites. While remembering passwords isn’t easy, there are tools available, such as password managers, that can make it easy to create log-ins for multiple websites and not require the user to remember each and every password.

For organisations, there are other ways to help thwart credential stuffing attacks. These include adding Multi-Factor Authentication (MFA) as an additional security measure to stop attackers from logging in even if they do possess stolen credentials. Companies may also look to try to identify leaked passwords found in other breaches by comparing them against breached password datasets. But ultimately, MFA is likely to be the most impactful implementation to thwart these types of attacks.

Satnam Narang
Satnam is a charismatic Staff Research Engineer with 15+ years’ experience in cybersecurity across web filtering, antivirus, anti malware, and vulnerability management. He has helped companies build research teams and enhanced existing teams through his experience in research and content development. A self-proclaimed “social media scam whisperer,” his research into social media scams over the last decade has earned him placement in major publications including The New York Times, The Wall Street Journal, and The Washington Post. As a public spokesperson, he is regularly quoted in a variety of security trade publications and has appeared on the NBC Nightly News, Entertainment Tonight, Bloomberg Business, BBC World Service, CBS News, and PBS Studio SoCal. An early adopter of new technologies, apps, and services, Satnam was the first person to discover spambots on Tinder, fake Cash App giveaways, and a plethora of scams on TikTok. He was also one of the first people to disclose cryptocurrency giveaway scams on Twitter.
Share This