Understanding and preventing credential stuffing attacks

Stolen Credentials

© Lead Image © peshkov, 123RF.com

© Lead Image © peshkov, 123RF.com

Article from Issue 281/2024

A credential stuffing cyberattack uses username and password credentials stolen in a data breach to gain access to your accounts. We explain how it works and how to prevent yourself from becoming a victim.

The good citizens of the Internet are frequently reminded that their passwords should contain a sufficiently complex combination of alphanumeric and special characters and, of course, meet or exceed a minimum length. Confusingly, the precise criteria for both is entirely dependent on which online service you use.

While security is everybody's responsibility, what should you be most concerned about if an online service lets you down and leaks your credentials, either through a malicious attack or simply through incompetence? The answer is twofold.

The first part of the answer depends on whether the online vendor informs you of the data breach straight away. I had my credentials stolen about a decade ago from a website that I had used once (around 2010, I think). The vendor reported the leak to a government department that did not make the breach public for a number of years afterwards, for reasons that I still don't find convincing. When I found out about the breach in 2014, I was horrified and immediately changed my password, eventually getting the vendor to completely close the account. Thankfully, only my name, age, postal address, email address, and order history were exposed, but potentially that's quite enough for identity theft.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Attacking SSH

    Sometimes the only way to break into an SSH server is through brute force – and yes, there are tools for that.

  • On the DVD: BackTrack 5 R

    This issue’s DVD comes with the BackTrack 5 R1 [1][2][3] pen test distribution. BackTrack provides a great collection of pen testing and security auditing tools. You can boot into BackTrack Live from the DVD or install BackTrack permanently on your hard disk.

  • ShellHub

    ShellHub offers an innovative approach to remote access with minimal reconfiguration of a firewall.

  • Password Tools

    Create secure passwords with the help of a password generator and check for quality at the same time.

  • Defending WordPress with WPScan

    The number of potential WordPress vulnerabilities is stunning. WPScan scans your site to find the problems that could lead to compromise.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More