Credential stuffing: A triple threat to your business and reputation

What happened? 

Since October 2023, CyberCX Intelligence has observed an increase in “credential stuffing” attacks. This is where a threat actor breaks into a platform – from e-commerce site to corporate network – using valid credentials they’ve stolen from an unrelated data breach. Because many people still reuse passwords across accounts, credential stuffing is often successful. In one high-profile credential stuffing campaign in early 2024, up to 15,000 customers of major Australian retailers reportedly had their loyalty program accounts broken into via credential stuffing, resulting in fraudulent transactions. We have also seen credential stuffing used to steal medical records and to obtain access to organisations’ core systems. 


Why now? 

Nearly every Australian adult has been impacted by a data breach. These breaches fuel a secondary criminal market.

To increase the speed and scale of these attacks, criminals commonly automate scripts to carry out login requests. 



How could this impact me and my organisation? 

The rise of credential stuffing is a triple threat for executive leaders. 

  • Executive risk: As the most publicly identifiable members of their organisations, C-suite executives are vulnerable to targeted exploitation. A motivated attacker will collect and use all of an executive’s historically exposed password combinations across corporate and private emails, social media accounts and loyalty programs. They might also try permutations of previously used passwords. 
  • Customer harm and reputational risk: Consumer-facing platforms are particularly vulnerable to high-volume credential stuffing campaigns. To reduce friction for customers, these platforms often have fewer security protections. They also often hold stored ‘loyalty’ credits or credit card details that criminals can use to make fraudulent transactions. Whose fault is it if a customer account falls victim to a credential stuffing attack? Technically, it’s not a “hack” of the platform. But increasingly, customers expect organisations to have basic security measures to help prevent credential stuffing, such as multi-factor authentication (MFA). 
  • Enterprise risk: A company’s externally-facing software-as-a-service (SaaS) login portals and remote access are common targets for credential stuffing campaigns. If employees have been personally affected by a data breach, this could also be an enterprise risk. Of note, we often see staff use work email addresses to sign up for services – from mobile plans to streaming services and rideshare accounts. A credential stuffing attack has a much higher chance of success if staff reuse a password already connected with their enterprise account.  


What should I do? 

  1. Understand your exposure: Commission a data exposure assessment to find breached credentials related to you, other key personnel and your company domain. Act to mitigate associated risks. 
  2. Limit future exposure: Use a password manager for all your accounts – work and personal – and consider providing one to staff. Consider the appropriateness of allowing staff to use work email addresses to sign up to non work-related accounts. 
  3. Protect your customers: Reevaluate the balance between low-friction business and security. Ensure your platform has MFA and you (and your payment provider) protect customer details stored on your platform (e.g. via CVC validation). Invest in intelligence to detect campaigns and to notify customers if they attempt to reuse a password that’s been breached. 
  4. Harden your enterprise: If MFA and single sign-on aren’t enabled on your externally accessible SaaS and remote access options, investigate this as a priority.  



Security starts in the C-suite. Executives are high-value targets. Well-connected, they’re gateways to their organisation, sensitive information and professional network. High-profile, they’re easy to find. Trusted and influential, their brand is readily exploited. C-Suite Cyber helps business leaders master their cyber risk.

About CyberCX Intelligence

CyberCX Intelligence is a uniquely Australia and New Zealand focused capability. We have the information, access and context to give executives a decision advantage – whether that’s minimising their personal risk or leading their organisation’s risk posture.

Want more? Contact cyberintel@cybercx.com.au to explore how you could partner with cyber intelligence experts who speak your business language and know your sector. You can also subscribe to Cyber Adviser, our bite-sized monthly intelligence newsletter.

Aditya Hemant Chine

Startup Enthusiast | Cybersecurity | Linux | KaliLinux-tools | Kali Linux | Ubuntu | Parrot OS | Web pentesting | Cyber Awareness | CTF |

10mo

It's concerning how vulnerable people, especially those with limited literacy, are falling victim to loan scams in Pune, Maharashtra, India. Recently, I spoke with a bank representative who confirmed this distressing reality. Nav cyber security is indeed a pressing issue, impacting countless lives. Innocent individuals, often lacking education, are being exploited, highlighting the critical need for increased cybersecurity measures and greater awareness among the public. This issue underscores the importance of proactive measures to safeguard individuals' financial well-being and prevent further exploitation.

Daniel D'Alessandro

Co-Founder @ Peakhour.IO | Expert in Web Application Security and Performance

10mo

Great to see that the article recommends enterprises take steps to protect their customers. The response from 23andMe to their recent attack was to blame the customer, which is unacceptable. However, there are a lot of other technical tools available, besides MFA, to prevent and limit these sorts of attacks for consumer-facing applications. Some of the more effective are:

  1. Bot management: a service that prevents automated attempts to log in to your application.
  2. Proxy detection/client fingerprinting: Attackers hide their requests by rotating their IP address through proxy networks, including residential IPs. Being able to detect proxies and count client types is vital.
  3. Advanced rate limiting: The ability to rate limit login attempts by connecting client type/network/country rather than the traditional IP address.
  4. Monitoring: Being able to visualise, and be alerted to, login failures/attempts using pwned passwords and where they're coming from, lets you know when attacks are happening and how to respond. Alerts for logins from unusual locations and updates to email/physical address are also important.

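The comment above makes two defensive points that are easy to show in code: aggregate login attempts by network rather than by single IP (point 3), and monitor failure patterns so an attack is visible while it is happening (point 4). The script below is an added example for this page, not code from the commenter, Peakhour or CyberCX. It reads constructed authentication log lines (the format `timestamp source_ip username FAIL|SUCCESS` is an assumption), groups them by /24 network, and flags a source when it touches many distinct usernames with a high failure ratio. The constructed attacker traffic is deliberately spread over nearly three hours across five rotating addresses, the "low and slow" pattern mentioned later in the thread, so a per-IP, per-minute rate limit would not notice it while the network-level view does.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (NOT real data). One line per login attempt:
#   <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
# Lines 1-12: one source /24 rotating five addresses, twelve different users,
# roughly fifteen minutes apart. Lines 13-15: a genuine user mistyping twice.
CONSTRUCTED_LOG = """\
2024-03-01T00:00:05Z 203.0.113.10 alice FAIL
2024-03-01T00:14:51Z 203.0.113.11 bob FAIL
2024-03-01T00:31:02Z 203.0.113.12 carol FAIL
2024-03-01T00:47:19Z 203.0.113.13 dave FAIL
2024-03-01T01:02:44Z 203.0.113.10 erin FAIL
2024-03-01T01:18:30Z 203.0.113.14 frank FAIL
2024-03-01T01:33:07Z 203.0.113.11 grace FAIL
2024-03-01T01:49:55Z 203.0.113.12 heidi FAIL
2024-03-01T02:05:12Z 203.0.113.13 ivan SUCCESS
2024-03-01T02:20:48Z 203.0.113.14 judy FAIL
2024-03-01T02:36:33Z 203.0.113.10 mallory FAIL
2024-03-01T02:52:01Z 203.0.113.11 niaj FAIL
2024-03-01T00:05:00Z 198.51.100.5 olivia FAIL
2024-03-01T00:05:40Z 198.51.100.5 olivia FAIL
2024-03-01T00:06:10Z 198.51.100.5 olivia SUCCESS
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def source_key(ip: str, prefix_len: int) -> str:
    """Aggregation key: the network containing ip (prefix_len=32 means per-IP)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def analyze(log_text: str, prefix_len: int = 24,
            min_users: int = 5, min_fail_ratio: float = 0.8) -> List[Dict]:
    """Flag sources whose attempts spread across many usernames and mostly fail.
    Thresholds are assumed example values, not figures from the article or comment."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(),
                                 "successes": [], "first": None, "last": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, result = parse_line(raw)
        s = stats[source_key(ip, prefix_len)]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(user)   # a success inside a spray = likely takeover
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]

    alerts = []
    for net, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts.append({
                "network": net,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                "span_minutes": int((s["last"] - s["first"]).total_seconds() // 60),
                # accounts to force a password reset / MFA re-enrolment on
                "successful_logins": sorted(set(s["successes"])),
            })
    return alerts


if __name__ == "__main__":
    print("per /24:", analyze(CONSTRUCTED_LOG))
    print("per IP :", analyze(CONSTRUCTED_LOG, prefix_len=32))
```

Run per /24 the script raises one alert naming the network, twelve distinct usernames, a 0.92 failure ratio over about 172 minutes, and the single account that was logged into successfully; run per IP (`prefix_len=32`) it raises nothing, because each address only touched two or three usernames. The `successful_logins` field is the item the comment's monitoring point is after: the account that needs a reset and a customer notification.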
Valentine Wats

CTO | Director Level | IT & Software Engineering SME across DevOps, Cyber Security, Software Robotics, AI, E-Government, Digitisation, etc. Entrepreneur | Innovator | Disruptor | Inventor of Excelitte & PMPplanner.

10mo

Credential stuffing is perhaps the top reason why multifactor authentication must be implemented across the board because even if the email address and password are now compromised, a third-party authenticator or even biometrics type of authentication will impede the cyber attack.

John Griffin

CTO at Logicalis Australia | CISSP. CCSP | Cloud, Security, Azure, Managed Services, Compliance, Security, FSI

10mo

I think most people would be amazed how bank accounts are breached every day through unsophisticated low and slow stuffing attacks.
