Q&A: What is Credential Stuffing?

Credential stuffing attacks on web applications have grown significantly in recent years. PerimeterX CTO and co-founder Ido Safruti and director of cybersecurity research Liel Strauch recently joined us to discuss credential stuffing attacks, also known as brute force attacks and account takeover attacks. Listen to the full podcast episode here.

Let’s go back to basics. In order to understand what credential stuffing attacks are, we need to establish context with other closely related terms. Brute force attacks, account takeover and credential stuffing are often used within the same breath. What are brute force attacks? What do businesses need to know about them?

Ido: Brute force attacks are where an attacker or malicious actor leverages machines or automation in order to go through a big set of tasks. They repeatedly try to take a large set of stolen credentials from a database or other list and go “brute force” on trying to figure out which of them work on a site — rapidly testing which of them are valid or not.

We’ve discussed account takeover attacks on the podcast previously when discussing user verification, top threats, and other vulnerabilities. It seems like these attacks are happening everywhere. So again, let’s establish context for credential stuffing with the basics: what is account takeover?

Ido: Account takeover is a more sophisticated instance of a brute force attack where the cybercriminal is specifically targeting account credentials in order to take over an account. In these specific cases, the attacker will leverage large data sets of users’ password combinations. There are billions of such credentials that have been leaked throughout the last few years that are available for purchase on the dark web or in other ways. These are popular sources to take login credentials for testing and validation.

Data breaches can result (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2020/q-a-what-is-credential-stuffing/