Myth Busting: Are you really protected against credential stuffing?

As people provide more personal information to sites across the Internet, hackers and fraudsters find new ways to access important credentials.
Using these stolen credentials, malicious actors can take over accounts and steal personal data, creating a snowball effect that can be devastating for your business.

Test Your Credential Stuffing Knowledge

Not only do your users risk their personal information being compromised or sold off, but your organization can also suffer catastrophic financial loss and brand damage. It’s more critical than ever to really understand the threat of credential abuse.
See how much you know.

One employee's credentials sold on the dark web can give a hacker access to a company's main database.

True False

It's true. Hackers often obtain credentials from employees, usually as a result of a data breach, to hack into the company's main database of user records. As a result, millions of usernames, passwords, and sensitive personal details (such as dates of birth, social security numbers and financial data) are stolen from multiple websites and sold on the dark web to other fraudsters.

The worst kinds of information hackers can steal from your customers or employees are their passwords.

True False

It's false. The world’s biggest data breaches have resulted in much more than just stolen login information. Hundreds of millions of records can be swiped in a single breach, with each record including an individual’s name, date of birth, social security number, address, phone number, email address, or even banking information.

Sophisticated anti-attack strategies – such as IP blocking, rate limiting, JavaScript restrictions, and browser fingerprinting – are solutions that protect against credential stuffing.

True False

It's false. Bots used in credential stuffing and web fraud are among the most sophisticated. While it's relatively easy to stop script kiddies and downloadable abuse tools (such as Sentry MBA), fraudsters will find a way to get past such defenses, often by leveraging bots that mimic human behavior. IP blocking, rate limiting, JavaScript challenges, and browser fingerprinting are no longer sufficient methods to stop these types of attacks.

The best way to respond to a detected bot without them knowing is to serve up an “incorrect username/password” page.

True False

It's true. As important as detection is to solving the credential stuffing problem, response is even more critical. Responding in such a way that the attacker is unaware they have been detected can mean the difference between success and failure. Sophisticated bot detection capabilities, the ability to identify bot traffic origin, and granular bot traffic reporting can go a long way toward protecting your site.

You can prevent your customers’ credentials from being stolen or compromised by locking the targeted account after an abnormal amount of login attempts have been detected.

True False

It's false. In most cases, attackers use dictionaries of username and password combinations that were leaked from a data breach. Hackers often try a single login attempt per account. Locking accounts based on a single attempt is a risky move and can degrade your users' experience.

The Internet's growing pool of IP addresses is the number one enabler in the rise of credential stuffing.

True False

It's false. While a growing pool of IP addresses does make data breaches more feasible, it is not the number one enabler of the credential stuffing trend. There are deeper forces at work. First, online accounts have steadily become more common in day-to-day life. Second, hackers have amassed huge databases of compromised credentials over the years, and have evolved their techniques to make hacking easier and more profitable.

When monitoring IP addresses, detecting too many login attempts over time is a good indication of malicious activity.

True False

It’s true. Five login attempts in five minutes is suspicious. However, five login attempts over five hours can also represent a legitimate user's behavior, especially if many users share the same IP address. Plus, run-time monitoring mechanisms consume CPU and memory, which limits the timeframe over which security controls can track login activity (in most cases no more than a 60-minute window). Unfortunately, hackers understand these limitations and have found ways to use them to their advantage.
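The windowed monitoring described above, as an added example that is not from the original page: a per-source-IP sliding window over constructed login log lines that flags both a burst of failures and the one-attempt-per-account pattern from the earlier lockout question, and shows how failures spaced wider than the window go unnoticed until the window (and the per-IP state it costs) is widened. The log lines, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# One IP sprays five different accounts in three minutes; the other retries
# a single account every 75 minutes (low and slow) and finally succeeds.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 alice FAIL
2024-01-01T10:00:40 198.51.100.7 bob FAIL
2024-01-01T10:01:30 198.51.100.7 carol FAIL
2024-01-01T10:02:10 198.51.100.7 dave FAIL
2024-01-01T10:03:00 198.51.100.7 erin FAIL
2024-01-01T08:00:00 203.0.113.5 frank FAIL
2024-01-01T09:15:00 203.0.113.5 frank FAIL
2024-01-01T10:30:00 203.0.113.5 frank FAIL
2024-01-01T11:45:00 203.0.113.5 frank FAIL
2024-01-01T13:00:00 203.0.113.5 frank FAIL
2024-01-01T14:00:00 203.0.113.5 frank OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect(text, window_minutes=60, max_failures=5, max_users=3):
    """Return {ip: set_of_reasons} for IPs whose failed logins inside one
    sliding window reach a threshold. Only failures still inside the window
    are retained per IP; that state is the memory cost that bounds the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerts = defaultdict(set)
    for ts, ip, user, result in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:      # evict failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            alerts[ip].add("burst")       # too many failures, any accounts
        if len({u for _, u in q}) >= max_users:
            alerts[ip].add("many-users")  # one try each across many accounts
    return dict(alerts)
```

With the default 60-minute window only the spraying IP is reported; `detect(SAMPLE_LOG, window_minutes=360)` also reports the low-and-slow IP as a burst, at the price of holding six hours of failures per IP.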

Bust The Myths – Stay In The Know

Learn more about credential stuffing and how you can protect your business, your brand, and your customers.

See How