Credential Stuffing: Escalating Cybercrime Trend in 2024

After a record-high number of cyber-attacks in 2023, Australians’ private details and login information have been exposed and are now being used in what’s known as credential stuffing.

Credential stuffing is a tactic where attackers take username and password pairs stolen in a breach of one organisation’s platform and replay them, usually with automated tools, against the login pages of other organisations. It works because many people reuse the same password across services, so a credential that was valid on the breached site is often valid elsewhere too.

Security experts are issuing a stern warning on the escalating trend of credential stuffing attacks, amidst a surge of hacks and cyber-attacks only days into 2024—well-known brands such as The Iconic, Guzman Y Gomez, Dan Murphy’s, and more have been targeted with credential stuffing attacks.

Peter Maloney, CEO of leading cyber security provider AUCloud, says that the seemingly straightforward approach poses a significant risk to individuals and organisations across the country, with experts warning Australians need to take notice.

“Many people use the same username and password combinations across multiple online platforms, and it only takes one of these to be breached for login details to be exposed,” Mr Maloney said.

“The dark web and various hacking communities provide a marketplace for stolen login credentials obtained from data breaches; from here, cybercriminals can easily purchase or acquire these stolen credentials and gain access to other accounts using these details.”

“The compromise of a single set of credentials can have a cascading effect, jeopardising the security of numerous accounts and platforms linked to the affected user.”

Monash University Cyber Security Professor Nigel Phair says that while this is the first attack of this scale affecting a mainstream brand that we know of, the reality is we just don’t know how often accounts are accessed via stolen information.

“Once personal data, logins, and passwords have been taken in a data breach, that information could be available for cybercriminals to access easily, instantly, and forever,” Professor Phair said.

“There is a heightened risk of these kinds of attacks because of the sheer scale of breaches targeting high-profile companies, affecting millions of Australians. This is a direct consequence of those cyber-attacks—this is what happens with the data taken.”

“It’s critically important to keep on top of your password security to avoid being involved in such an attack, but similarly, businesses need to be doing all they can to ensure their customers have a safe, secure and confident experience—including multiple layers of data protection.”

So, how can we avoid involvement in credential stuffing attacks?

Recommendations for Australians:

  1. Unique Passwords – Australians are strongly urged to use a unique, complex password for each account, so that a password exposed in one breach cannot be replayed against other services. A password manager makes this practical.
  2. Two-Factor Authentication (2FA) – Where possible, enable 2FA. This provides an additional layer of security by requiring users to verify their identity beyond just a password, so a stolen password alone is not enough to log in.
  3. Regular Monitoring – Australians are encouraged to regularly monitor their accounts for any unusual activity, such as login notifications from unfamiliar locations or devices, and to promptly report suspicious incidents.

Recommendations for Businesses:

  1. Multi-Layered Security – Organisations operating in Australia should implement multi-layered security protocols, including stronger authentication measures (such as multi-factor authentication) and monitoring systems that watch login traffic for the signature of credential stuffing: a single source, or a distributed set of sources, attempting many different usernames with a low success rate.
  2. User Education – Educating users about the dangers of credential stuffing and promoting the use of strong, unique passwords is crucial for bolstering security within the Australian context.
  3. Account Lockout Policies – Implementing account lockout policies helps prevent repeated login attempts against a single account, safeguarding against brute force attacks. Note that lockout alone does little against credential stuffing, where each account typically sees only one attempt; it needs to be paired with rate limiting and anomaly detection per source IP or device, not just per account.
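To make the business recommendations concrete, the following script is an added example written for this page; it is not code from the original article, from AUCloud or from Monash University. Run over a handful of constructed authentication log lines, it shows the difference between a monitoring rule that profiles login attempts per source and a per-account lockout policy: the lockout catches the brute-force source but never fires on the credential-stuffing source, which still compromises an account. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Telling credential stuffing apart from single-account brute force in auth logs.

Log format (constructed for this example, not from any real product):
    <ISO timestamp> src=<ip> user=<username> result=<success|failure>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Three sources:
#  - 203.0.113.10 tries one password against many different accounts (stuffing)
#  - 198.51.100.7 hammers a single account with many passwords (brute force)
#  - 192.0.2.5 is a legitimate user who mistypes once, then succeeds
SAMPLE_LOG = """\
2024-01-15T09:00:01Z src=203.0.113.10 user=alice result=failure
2024-01-15T09:00:02Z src=203.0.113.10 user=bob result=failure
2024-01-15T09:00:02Z src=203.0.113.10 user=carol result=success
2024-01-15T09:00:03Z src=203.0.113.10 user=dave result=failure
2024-01-15T09:00:03Z src=203.0.113.10 user=erin result=failure
2024-01-15T09:00:04Z src=203.0.113.10 user=frank result=failure
2024-01-15T09:00:04Z src=203.0.113.10 user=grace result=failure
2024-01-15T09:00:05Z src=203.0.113.10 user=heidi result=failure
2024-01-15T09:01:00Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:01:01Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:01:02Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:01:03Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:01:04Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:01:05Z src=198.51.100.7 user=alice result=failure
2024-01-15T09:02:00Z src=192.0.2.5 user=bob result=failure
2024-01-15T09:02:05Z src=192.0.2.5 user=bob result=success
"""


@dataclass
class Event:
    ts: str
    src: str
    user: str
    success: bool


def parse_auth_log(text):
    """Parse the key=value log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kv["src"], kv["user"], kv["result"] == "success"))
    return events


def locked_accounts(events, threshold=5):
    """Per-account lockout policy: lock a user after `threshold` consecutive
    failures (assumed threshold). Returns the usernames that would be locked."""
    consecutive = defaultdict(int)
    locked = set()
    for e in events:
        if e.success:
            consecutive[e.user] = 0
        else:
            consecutive[e.user] += 1
            if consecutive[e.user] >= threshold:
                locked.add(e.user)
    return locked


def profile_sources(events):
    """Per-source-IP counters: total attempts, distinct usernames, successes."""
    prof = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for e in events:
        p = prof[e.src]
        p["attempts"] += 1
        p["users"].add(e.user)
        p["successes"] += int(e.success)
    return prof


def classify_source(p, min_attempts=5, spread_ratio=0.8):
    """Heuristic with assumed thresholds (tune per site):
    many attempts spread across many distinct accounts -> credential stuffing;
    many attempts concentrated on one or two accounts  -> brute force."""
    if p["attempts"] < min_attempts:
        return "normal"
    spread = len(p["users"]) / p["attempts"]
    if spread >= spread_ratio:
        return "credential_stuffing"
    if len(p["users"]) <= 2:
        return "brute_force"
    return "suspicious"


def analyse(text, lockout_threshold=5):
    """Return what a lockout policy would lock and what source profiling flags."""
    events = parse_auth_log(text)
    verdicts = {src: classify_source(p) for src, p in profile_sources(events).items()}
    return {"locked": locked_accounts(events, lockout_threshold), "sources": verdicts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("locked by per-account policy:", sorted(result["locked"]))
    for src, verdict in result["sources"].items():
        print(f"{src:15} {verdict}")
```

On the constructed log the lockout policy locks only alice, the brute-force target, while the stuffing source logs in as carol without any account ever reaching the failure threshold. Only the per-source profile (eight attempts, eight distinct usernames, one success) exposes it, which is why the monitoring layer has to key on source and device as well as on the account. In production the source key should also cover proxies and distributed botnets, for example by combining IP reputation, device fingerprint and overall site-wide failure rate.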