Credential stuffing
Credential stuffing attacks target your username and password. When data breaches occur, cybercriminals can gain access to large datasets of usernames and passwords on the dark web, then use automated tools to attempt logging into multiple platforms to gain access. They are often successful when people reuse the same username and password across multiple sites.
You can see how disastrous it might be if your username and password for social media were compromised and you used those same credentials for your credit card login, online banking and email.
Credential stuffing attacks are very common and often target banking customers. Here are steps to guard against these attacks:
- Discover if you have been impacted by a data breach.
- Sites like Haveibeenpwned.com record usernames and passwords that were uncovered in a data breach. It only requires you to enter your email address and then it tells you which service was breached. From there, you have the information you need to reset accounts that use that username and password combination.
- Use unique usernames and passwords for online accounts.
- If you are impacted by a breach, do not stop at simply resetting your password. Our recommendation is to reset your username and password to something unique – something that you do not use for any other online account. This makes it much harder for the cybercriminals to access your data.
Tips to avoid credential stuffing
- Use unique usernames that include at least one number.
- Create long passwords or passphrases. Fifteen characters or more are recommended. Learn more.
- Use a password manager to help you keep usernames and passwords secure.
- Use two-factor authentication tools that verify your identity via codes, fingerprints or facial recognition.
- Frequently monitor your accounts to quickly report signs of suspicious activity.