
Thieves have a Fast Track to your Assets with Credential Stuffing

August 12, 2019

Why would a thief bother stealing your identity when they can steal your money directly? Answer: they wouldn’t. More and more criminals are taking a more direct route to people’s assets through a tactic called “credential stuffing.” The massive data breaches of recent years have made vast amounts of personal data available on the dark web, and bad guys are using it to take over financial and other accounts. So, let’s talk about how credential stuffing works and what you can do to defend yourself.

In a nutshell, credential stuffing uses automation to “stuff” vast numbers of stolen usernames and passwords into the login pages of multiple online accounts. Think of it like a slot machine where players just keep stuffing in tokens until they hit the jackpot. Stolen information from data breaches is posted for sale, or even free, on the dark web. Criminals then buy the information and credential stuffing software (which retails on the dark web for as little as $50) to try millions of passwords on different accounts at financial services companies, retail businesses, and other organizations. Only a small percentage of the attempts succeed, but once they’re in, thieves can drain accounts completely or use credit accounts for large purchases.

So, why does credential stuffing work? Because remembering multiple passwords can be stressful, many people use the same password and sometimes user ID for multiple accounts. For example, if your credit card issuer has a data breach and you use the same password on your bank or other account, a credential stuffer can just keep trying that password on different sites until they get lucky. And because they’re breaking into an existing account with an existing password, they won’t trigger security alarms.

Fortunately, there are several things you can do to protect yourself against credential stuffing:

  • Never use the same password on multiple accounts. Consider a password manager to help you generate and manage unique passwords for all your accounts.
  • Change passwords often. That way, a stolen password is likely to be out of date by the time a criminal gets it from the dark web.
  • Whenever possible, set up your financial accounts with two-factor authentication so a credential stuffer can’t get in with your password alone.
  • Set up alerts so you get immediate notification and can take action if there is unauthorized activity.
  • Use a dark web monitoring service such as CyberScan™ to see what information might already be compromised and to get alerts when more of your personal information appears on the dark web. While CyberScan is already included with a MyIDCare membership, it is also available for everyone to try for free at https://try.myidcare.com/cyberscan/. Once you know what information is compromised, you’ll have a better understanding of how to protect yourself, such as which credentials to change immediately and which accounts to watch.
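
To act on the first and last items in this list, you need to know where a password is reused and, once one site is known to be breached, which other logins to change first. The Python below is an added example, not an ID Experts or CyberScan tool; the CSV column layout, the function names and the sample accounts are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample; the "site,username,password" column layout is an assumption.
SAMPLE_EXPORT = """site,username,password
cardissuer.example,pat@example.com,Sunflower!42
bank.example,pat@example.com,Sunflower!42
shop.example,pat_s,Sunflower!42
mail.example,pat@example.com,x9$Lq-veT2#mR
forum.example,pat_s,hunter2-forum
"""

def load_accounts(text):
    """Parse the export into a list of {site, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reuse_groups(accounts):
    """Return groups of sites (two or more) that share one password."""
    by_password = defaultdict(set)
    for row in accounts:
        by_password[row["password"]].add(row["site"])
    # Only site names are returned; passwords never leave this function.
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def exposed_by_breach(accounts, breached_site):
    """List (site, same_username) for every other account that reuses a
    password from breached_site. Entries with the same username come first:
    the leaked username/password pair works there unchanged."""
    leaked = [r for r in accounts if r["site"] == breached_site]
    exposed = set()
    for src in leaked:
        for row in accounts:
            if row["site"] != breached_site and row["password"] == src["password"]:
                same_user = row["username"].lower() == src["username"].lower()
                exposed.add((row["site"], same_user))
    return sorted(exposed, key=lambda e: (not e[1], e[0]))

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print("Shared passwords:", reuse_groups(accounts))
    print("Change first:", exposed_by_breach(accounts, "cardissuer.example"))
```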

With massive amounts of stolen data on the dark web and with the easy availability of credential stuffing software, this kind of crime is becoming more frequent. A recent article in SpyCloud reported that, already, up to 43 percent of logins submitted through most sites are account takeover attempts. And once your assets are gone, recovering them is no small feat. So, protect yourself in all the ways outlined above, and, in case the worst happens, make sure you have an identity protection plan such as MyIDCare, from ID Experts, that guarantees 100% recovery from ID theft or fraud.
