Reed Smith Client Alerts

Credential stuffing attacks are on the rise, leaving many organisations looking for a steer on the steps expected of them from data protection regulators. To assist, the new International Enforcement Cooperation Working Group (IEWG) (the permanent working group of the Global Privacy Assembly) published Credential Stuffing Guidelines in late June 2022. In this article, we look at the key issues and recommendations contained in the Guidelines.

Authors: Elle Todd, Alexander Dainton

How does credential stuffing work?

A credential stuffing attack takes valid account credentials (typically pairs of usernames or email addresses and passwords) that were leaked from compromised accounts on third-party services and “stuffs” them into the log-in forms of other online services until correct matches are found. The attacks are relatively straightforward to launch with automated tooling (e.g., account checker apps), which can try large numbers of credential pairs against large numbers of accounts at high speed.
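The pattern described above (many different accounts, one or two attempts each, most of them failing) is what distinguishes credential stuffing from a classic brute-force attack on a single account, and it is what a log-based check would look for. The following Python is an added example, not code from the Reed Smith alert or the IEWG Guidelines: it runs a sliding-window classifier over constructed authentication log lines whose format, thresholds and IP addresses are assumptions chosen for illustration, and it also lists the accounts that were successfully logged into from a source flagged as stuffing, since those are the accounts that need a forced credential reset.

```python
"""Spot the credential stuffing signature in authentication logs.

Added example, not part of the original article or the IEWG Guidelines.
Log format, thresholds and addresses below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format per line:
# <ISO timestamp> <source IP> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2022-06-28T10:00:01 203.0.113.7 alice@example.com FAIL
2022-06-28T10:00:02 203.0.113.7 bob@example.com FAIL
2022-06-28T10:00:02 203.0.113.7 carol@example.com FAIL
2022-06-28T10:00:03 203.0.113.7 dave@example.com SUCCESS
2022-06-28T10:00:03 203.0.113.7 erin@example.com FAIL
2022-06-28T10:00:04 203.0.113.7 frank@example.com FAIL
2022-06-28T10:00:05 203.0.113.7 grace@example.com FAIL
2022-06-28T10:00:06 203.0.113.7 heidi@example.com FAIL
2022-06-28T10:01:00 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:01 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:02 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:03 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:04 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:05 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:06 198.51.100.9 alice@example.com FAIL
2022-06-28T10:01:07 198.51.100.9 alice@example.com FAIL
2022-06-28T10:02:00 192.0.2.44 bob@example.com FAIL
2022-06-28T10:02:05 192.0.2.44 bob@example.com SUCCESS
"""

WINDOW = timedelta(minutes=5)   # assumed analysis window
MIN_ATTEMPTS = 8                # below this there is too little signal to label
MIN_DISTINCT_RATIO = 0.8        # stuffing: nearly every attempt targets a different account
MIN_FAIL_RATIO = 0.7            # stuffing and brute force both fail most of the time


def parse_log(text):
    """Parse '<ts> <ip> <user> <SUCCESS|FAIL>' lines into (ts, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def classify_window(attempts, distinct_users, failures):
    """Label one source IP's window of login attempts."""
    if attempts < MIN_ATTEMPTS or failures / attempts < MIN_FAIL_RATIO:
        return "normal"
    if distinct_users / attempts >= MIN_DISTINCT_RATIO:
        return "credential_stuffing"   # one or two tries each across many accounts
    if distinct_users <= 2:
        return "brute_force"           # many tries against the same account
    return "suspicious"


def analyse(events, window=WINDOW):
    """Return {ip: worst label seen} using a sliding window over each IP's attempts."""
    severity = {"normal": 0, "suspicious": 1, "brute_force": 2, "credential_stuffing": 3}
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        worst, start = "normal", 0
        for end in range(len(evs)):
            # drop events older than `window` relative to the newest one
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            label = classify_window(
                attempts=len(chunk),
                distinct_users=len({e[2] for e in chunk}),
                failures=sum(1 for e in chunk if not e[3]),
            )
            if severity[label] > severity[worst]:
                worst = label
        verdicts[ip] = worst
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts successfully logged into from a source labelled as stuffing."""
    return {user for _, ip, user, ok in events
            if ok and verdicts.get(ip) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = analyse(evs)
    for ip, label in labels.items():
        print(ip, label)
    print("accounts to reset:", sorted(compromised_accounts(evs, labels)))
```

Per-source-IP counting is the simplest form of the check and is deliberately what the example shows; real stuffing campaigns are usually spread across proxy or botnet addresses so that each IP stays under any per-IP threshold, so the same distinct-account and failure ratios are normally also computed across all traffic per time window and per user agent or device fingerprint.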

Why are credential stuffing attacks carried out?

The primary motivation for this type of cyberattack is financial gain; however, attackers may also seek to cause less tangible harm to the account holder, such as leaking sensitive personal information, causing reputational damage or infiltrating business accounts.

Such attacks exploit both human security weaknesses (for example, the fact that individuals still regularly reuse the same username and password across different accounts) and technical failings, which result in security incidents that leak credentials for purchase or general use by attackers.