5 Tips for Fighting Credential Stuffing Attacks

With stolen credentials an easy find online, what are some measures to put in place to keep hackers from breaking into secure accounts?




Sumit Agarwal takes credit for coining the term "credential stuffing." He served as deputy assistant secretary of defense under President Obama and, in 2011, while working at the Pentagon, he began to notice a pattern of brute-force attacks on public-facing military websites, where threat actors were using credentials, like usernames and passwords, stolen from one site to gain access to other sites.


Today, Agarwal is co-founder and CTO of Shape Security, and credential stuffing has gone mainstream, making life miserable for security managers in many types of organizations.


"Credential stuffing attacks are a massive problem today, especially with the extreme shift to online-only services due to COVID-19," says Agarwal. "Something becomes spontaneously popular - we saw this with Disney+ as soon as it came out - and is overwhelmed with targeted credential stuffing attacks. Any time a service gets any substantial amount of traffic, they see surges in credential stuffing. We’re going to see these attacks increase for online grocers, delivery services, and telehealth providers."


Simply put, credential stuffing takes place when cybercriminals obtain stolen credentials through some means – usually on the dark web – and then use botnets or other automation tools to try these stolen usernames and passwords in an attempt to gain fraudulent access to multiple other user accounts.


"Credential stuffing is a type of cyberattack where the hacker attempts to sign into a user’s account using usernames and passwords that have been leaked during a data breach," says Charlotte Townsley, ..
