Skip to main content

Americans hit by 87 million credential-stuffing attacks daily: How to stop it

credential stuffing
(Image credit: Shutterstock)

Hackers are conducting "credential-stuffing" attacks on Americans over 87 million times every day, according to a blog post by a U.S-based VPN provider.

Atlas VPN distilled data from publicly available studies summarizing research by security firms Akamai and F5. The two security firms found that credential-stuffing attacks are quickly growing in the U.S., with 3.6 million taking place every hour. 

Atlas VPN says that credential stuffing is the rise due to the high number of data breaches in the past few years.

Credential stuffing -- which represents 44% of all financial-services attacks -- are when cybercriminals systematically try to gain access to personal or company accounts by using credentials stolen in past data breaches involving other accounts. 

Credential stuffing works for one simple reason: because people reuse passwords. If you use strong, unique passwords for each and every online account, and keep track of them with one of the best password managers or other method, then credential stuffing will not be a problem for you.

Victims of successful credential-stuffing attacks can not only experience financial loss, but if the hacker gets hold of personal information, they can also fall victim to identity theft

Between December 1, 2017 and November 30, 2018, Akamai observed nearly 64 billion attempted credential-stuffing attacks in the U.S. Presumably, most of them were not successful, but many were.

Countries such as India, China, Canada, the U.K., Brazil, the United Arab Emirates, Australia, Italy and Switzerland accounted for only 16.9 billion credit-stuffing attacks combined in that period, according to the Akamai report.

That's just 26.4% of the total number in the U.S., a discrepancy that Atlas VPN attributed to a higher number of leaked records in the U.S.

  • Read more: Americans, keep your data safe with the best US VPN

Two-factor authentication could be the answer

Rachel Welch, COO of Atlas VPN, said: “Individuals that wish to protect themselves from credential-stuffing attacks should set up two-factor authentication [2FA] whenever possible."

“When hackers discuss credential stuffing attacks on the dark web, they often complain that two-factor authentication is the biggest roadblock to a successful cyber-attack.“

That's true, and we recommend turning on 2FA whenever possible as it helps protect your accounts from several different kinds of attacks. But not reusing passwords is even simpler, and will stop credential stuffing dead in its tracks.

Atlas VPN also looked at a report by security firm Recorded Future and an article on the Help Net Security website. 

Those sources included findings that online criminals often need automated credential checkers (costing $150) and network proxies ($250 per week) to help carry out these attacks, and that cyber criminals are selling hacked eBay, Amazon and PayPal accounts on the dark web for as little as $3.50, $2 and $1 respectively.

  • Read more: Stay protected for less with the best cheap VPN