Published 22 July 2022
Data protection authorities from Canada, Gibraltar, Jersey, Switzerland, Turkey and the UK, have worked together under the umbrella of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (the “IEWG”) to develop guidance outlining the increasing threat of credential stuffing attacks. The guidance aims to assist individuals and organisations to identify, prevent and protect against such attacks.
What is Credential Stuffing?
A credential stuffing attack is a method of cyber-attack in which threat actors exploit an individual's tendency to use the same credentials (username/email address and password) across multiple online accounts. These attacks are generally automated and occur on a large scale: threat actors replay stolen credentials against many services in order to unlawfully access the victims' accounts on each of them. The credentials are usually obtained from earlier data breaches and are commonly traded or published on leak sites on the dark web.
Credential stuffing attacks can result in significant financial loss, as threat actors can execute purchases using stolen account details or exploit personal data to transfer funds to their own accounts. These attacks can also cause harm if the threat actor either: (i) distributes the stolen data on public shaming sites; (ii) produces disinformation from the user's account; or (iii) makes false statements about an individual or organisation, all whilst using the credentials of the compromised account. As a result, reputational damage can occur to the organisation or individual, although the primary motive in carrying out a credential stuffing attack is financial gain.
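The pattern described above (one automated source trying many different stolen username/password pairs, most of which fail) is what distinguishes credential stuffing from an ordinary user mistyping their password, and it is what a defender's login telemetry can pick up. The following is an added illustration, not code from the article or the IEWG guidance: it parses constructed sample login lines, counts distinct usernames and the failure ratio per source address, and lists the accounts that the suspect source did log into, which are the ones to reset first. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events (not from the article); one line per attempt.
SAMPLE_LOG = """\
2022-07-22T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2022-07-22T10:00:01Z ip=203.0.113.7 user=bob@example.com result=fail
2022-07-22T10:00:02Z ip=203.0.113.7 user=carol@example.com result=fail
2022-07-22T10:00:02Z ip=203.0.113.7 user=dave@example.com result=success
2022-07-22T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2022-07-22T10:00:03Z ip=203.0.113.7 user=frank@example.com result=fail
2022-07-22T10:05:10Z ip=198.51.100.2 user=alice@example.com result=fail
2022-07-22T10:05:40Z ip=198.51.100.2 user=alice@example.com result=fail
2022-07-22T10:06:05Z ip=198.51.100.2 user=alice@example.com result=success
"""

# Assumed log line layout; adjust the pattern to the real authentication log format.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_log(text):
    """Return (ip, user, result) tuples for every line the pattern matches."""
    return [(m["ip"], m["user"], m["result"])
            for m in map(LINE_RE.search, text.splitlines()) if m]


def summarise(events):
    """Aggregate per source IP; a real deployment would also window by time."""
    stats = defaultdict(SourceStats)
    for ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "success":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(events, min_distinct_users=5, min_failure_ratio=0.6):
    """Flag sources that spray many accounts with a high failure rate (assumed thresholds).

    A single user retrying one account (198.51.100.2 in the sample) is not flagged."""
    flagged = {}
    for ip, s in summarise(events).items():
        ratio = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(s.usernames),
                           "failure_ratio": round(ratio, 2),
                           "accounts_to_reset": sorted(s.successes)}
    return flagged
```

The successes recorded for a flagged source are the accounts whose reused passwords were already valid elsewhere, which is why forced resets and notification for exactly those accounts are the first remediation step.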
The newly released guidance sets out recommendations to mitigate the risks of credential stuffing attacks:
Stuffing Uber and Dunkin Donuts…
Uber fell victim to a credential stuffing attack and was subsequently fined £385,000 by the Information Commissioner's Office in the UK. Uber had "avoidable data security flaws" which allowed threat actors to expose the personal details of 2.7m UK customers and an estimated 82,000 drivers. The leaked data included customers' names, email addresses and phone numbers, as well as payment and journey details.
Across the Atlantic, Dunkin Donuts (Dunkin Brands Inc.) was fined $650,000 USD for failing to inform customers that their data had been breached in credential stuffing attacks. The compromised data belonged to Dunkin value-card holders; the threat actors obtained the card information and made fraudulent purchases. Over 20,000 customer accounts were compromised and tens of thousands of dollars were stolen. The Attorney General of New York found that Dunkin had failed to take action, and the company was required to notify its customers, reset customers' passwords, provide refunds and implement appropriate measures to protect against future credential stuffing attacks.
It is commonplace for individuals and organisations to re-use login details across multiple websites. As a result, credential stuffing attacks continue to pose a serious risk to organisations: once a data breach occurs and valid credentials are stolen, the threat actor can apply those same credentials on thousands of other websites in order to gain access to users' data. To counter credential stuffing attacks, the IEWG's guidance sets out practical recommendations that organisations can adopt to protect themselves and mitigate such attacks.
For further information on credential stuffing, please do get in touch with DAC Beachcroft’s Cyber and Data Risk team, who remain available to assist you with your cyber and data protection related matters.
A link to the IEWG’s guidance can be found here.