The Threat of Data Theft: Credential stuffing

The Threat of Data Theft: Credential stuffing

When we talk about cyber attacks against companies, one word usually comes to mind: malware.  These software can infect systems and not only valuable confidential corporate information but also users, customers, employees, company suppliers, etc.  It’s also capable of stealing information.

What is credential stuffing?

A credential stuffing attack is a cyberattack in which a criminal attempts to gain access to user accounts on a platform by automatically enumerating the registration data he has using data stolen as a result of a data breach.

A cybercriminal would need to obtain or purchase a database with user credentials to carry out this type of assault (logins and passwords). The next step is to use these credentials to connect to the vulnerable platform. Because current credentials are not always guaranteed to be correct, the cybercriminal’s strategy is to initiate an automated authorization process by iterating the credentials until the credentials match.  Furthermore, authorisation processes are carried out via unique botnets designed specifically for this platform, allowing them to be seen as legitimate users. A credential stuffing assault can be successfully terminated if login is successful.


These cyber attacks are affecting an increasing number of businesses. Dunkin’ Donuts was the most recent victim worldwide. The corporation revealed the identity theft in November, which was then exploited in an attack on users of the DD Perks loyalty and rewards program.  This log data was collected as a result of a data breach, albeit Dunkin Donuts maintained that the incident occurred in the systems of their providers who provided access to third parties, rather than in their own system. Because the user information from a previous hack had vanished, fraudsters utilized it to access DD Perks accounts as well as log in to other platforms using the same credentials.

But there was another occurrence right on the verge of the most serious credential stuffing attack. Due to the previous large data breach in 2016, almost 500 million Yahoo accounts were seriously impacted. When Yahoo revealed information about the event, several users received emails from people claiming to work for Yahoo, with a link to fix the problem. These emails, however, were a phishing attempt by a different cybercriminal gang.

In Turkey, a prominent catering firm stated in this month of 2021 that users’ names, surnames, e-mail addresses, phone numbers, and address information had been taken. It was said that no financial information or passwords, including credit card information, were acquired, and that there was no breach of the company’s mobile application’s Facebook and Apple accounts. The National Incidents Response Center and the Istanbul Chief Public Prosecutor’s Office were then notified.

The success rate of such attacks and how to avoid them

When considering the possible impact of credential stuffing attacks, it’s crucial to keep a few things in mind. Such attacks typically have a success rate of roughly 1%.

However, it’s important to remember that many of these cyber attacks rely on databases storing millions of user credentials. While this percentage is low, it indicates that success rates are high enough in absolute terms that a breach of corporate information security can have a significant negative impact on the company’s reputation.

As a result, businesses should take the necessary precautions to avoid data breaches and potential credential stuffing assaults.

  1. Two factor authentication

Two-factor authentication (2FA) is one of the most frequent ways used by corporations and platforms to ensure that their users’ connections are as secure as possible. However, as we saw earlier, two-factor authentication is not error-free, as it can be circumvented by tricking Users into entering their credentials into fake portals.

  • Information security solutions

Data breaches are frequently the result of bad corporate information security management rather than users’ bad password management, therefore a company’s security cannot wholly rely on consumers to correctly maintain their passwords. At this point, making penetration tests for companies and other Secromix products will help you.

  • Raising awareness of employees

Companies also need to train their employees to follow a set of preventive measures.  They are often the easiest entry point for cybercriminals to break into a corporate network.  Employees should remain vigilant and not share sensitive data via email (to avoid phishing, tech support scams or BEC scams) and report the incident to the company’s IT department if they encounter any problems.