Credential Stuffing: What is It and How Does It Affect eCommerce?

What is credential stuffing?

Credential stuffing is one of the most common forms of online crime, it is the act of testing stolen passwords and usernames against website login forms, to validate the credentials for malicious reuse. Once a match is found, the attacker can easily commit various types of fraud.

When credentials are stolen through a database breach, malware, or other means, they are kept for use in future attacks against many different targets. Many of these lists are shared privately amongst attackers or become publicly available.

Attackers are innovative, they are always thinking of new ways they can monetise breached accounts.

There are several common signs that bot activity has occurred, such as the number of login attempts and failures from unusual locations, uncommon traffic patterns and speed.

What fuels credential stuffing?

Credential stuffing is an ever-growing problem, in the UK alone 53% of all fraud committed is online. These types of attacks are becoming ever cheaper to conduct.

Bot tooling and automation software can be free to use, making it easier for automated credential stuffing attacks. In some cases, attackers can gain something for nothing. Scott said: “You could potentially stage a credential stuffing attack for free.”

Whilst credential stuffing has likely been around for quite some time, large collections of credentials have been made public over the last few years, make it easier for attackers to start partaking in credential stuffing for minimal effort.

How does credential stuffing affect eCommerce?

Credential stuffing is easy to perform, so its popularity with cybercriminals will continue to increase with time

We know that cybercriminals take over accounts and perpetrate a fraud on eCommerce companies and their customers. When a business suffers from stolen credentials, it can cost them severely, with attackers able to make illegal purchases, claim existing rewards or loyalty points and acquire personally identifiable information (PII).

It is vital that credential stuffing attacks are stopped to protect eCommerce websites from fines and chargebacks while securing customers against the threat of data breaches.

Prevent credential stuffing with Netacea

At Netacea, credential stuffing is one of the many threats we aim to mitigate for our clients. If you’re an eCommerce business owner looking for a solution to credential stuffing, get in touch with Netacea today.