Understanding and Preventing Credential Stuffing Scams

The convenience of online services has come with the ever-present challenge of protecting personal information. One prominent threat that you, as an internet user, face in Australia is credential stuffing.

In this article, we will clarify what credential stuffing is, outline the risks, and provide insights into how you can prevent and protect against this cyber threat.

What is Credential Stuffing?

Credential stuffing is a cyberattack technique where cybercriminals source previously leaked or stolen usernames and passwords to access to online accounts.

This malicious practice preys on the common behaviour of people using the same email address and password across multiple online accounts, making it easier for cybercriminals to infiltrate different accounts.  

In other words, hackers use our stolen login credentials and "stuff" it into as many websites as possible. Once they are able to log in, they can then access our other accounts without you or the website knowing. That's because hackers know many people use the same email address and password combinations for multiple online accounts.

What are the risks involved?

The repercussions of falling victim to a credential stuffing attack can be severe. Cybercriminals exploit compromised accounts for financial gain or identity theft, accessing sensitive information such as credit card details or personal details and using this to: 

• make fraudulent purchases; 

• open credit facilities in your name which they then draw down on and you are left with the debt; or  

• use compromised accounts to launch additional attacks, spreading viruses into people’s computers or engaging in fraudulent activities—all under the guise of your legitimate account. 

Credential Stuffing in Australia: A Snapshot

Credential stuffing is one example of a cybercrime. Nearly 94,000 cybercrimes were reported in the 2023 financial year, which is up 23% from the previous year.  

A recent example of credential stuffing occurred in January 2024, where over 15,000 Australian customers of sites including The Iconic, Dan Murphy’s, Event Cinemas, Binge, Ticketek and home shopping network, TVSN, were affected by a credential stuffing operation. According to media reports, the cybercriminals behind the attack purchased the stolen login details from overseas sources. 

Cybercrimes cost Australians’ hundreds of millions of dollars a year with the average cost running at close to $40,000 per incident.  

How to Prevent Credential Stuffing Scams

1. Create strong and different passwords each account  

   • Create complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. We recommend using a minimum length of 12 and preferably 14 or more characters (computers are becoming faster).  

   • For example, a 12 character password that only uses numbers will take a second to crack. A password using 12 characters that mixes numbers, symbols, upper and lower case, can take thousands of years and making it 14 characters takes the time to millions of years. 90% of online passwords can be cracked in 6 hours or less, so it’s quite easy to make your accounts less likely to be hacked when there is so much low hanging fruit for cybercriminals. 

   • Avoid using easily guessable information like birthdays or common words. 

   • Consider using a reputable password manager to help generate and store strong, unique passwords. Ballingers uses LastPass.  

2. Enable Multi-Factor Authentication (MFA) 

   • MFA adds an extra layer of security by requiring you to provide additional verification beyond just a password. This could be a temporary code to your phone or email address or generated by an authenticator app on your phone. 

   • Ensure you have MFA set up on all email accounts and social media accounts.  

3. Regularly Update Passwords 

   • Change passwords periodically to reduce the risk of compromised credentials being used for unauthorised access. We recommend at least once a year for important logins such as your bank accounts.  

   • Be particularly vigilant after data breaches, as leaked passwords may be used in credential stuffing attacks. 

4. Monitor Account Activity 

   • Regularly review your account activity for any suspicious logins or you could set up alerts for unusual account activities to receive immediate notifications. 

5. Stay Informed About Data Breaches 

   • Keep yourself updated on data breaches and promptly change passwords for affected accounts. 

   • Many organisations provide tools that allow you to check if your email or password has been compromised in a breach. A good place to start is Have I been pwned? 

By adopting proactive measures such as strong password practices, MFA, and staying informed about the evolving risk of cyber threats in Australia, you can safeguard your online accounts.  

References: 

• What is credential stuffing? How does it work? How can I protect myself from being scammed through my online accounts? - ABC News

• Credential Stuffing: Escalating Cybercrime Trend in 2024 | AUCloud (australiacloud.com.au)

• ASD Cyber Threat Report 2022-2023 | Cyber.gov.au

• Guzman y Gomez, Dan Murphy’s customers affected in credential stuffing campaign - Cyber Daily