Why it matters.
Credential stuffing is the use of previously stolen username and password pairs, often taken from breaches of other sites, to gain access to employee accounts or company systems. Users who are unaware of the risk frequently reuse the same password across multiple sites, which makes it easy for attackers to get past login security and cause major data breaches. Working with personal data requires extreme caution, and a credential stuffing attack can expose your company to non-compliance with the RODO (GDPR).
What are the risks?
- Unauthorised access to data
Attackers who use credential stuffing can gain access to accounts holding personal, financial and confidential company information.
- Loss of control of systems
If criminals get into a company's internal systems, they can steal data, make changes to those systems or disrupt company operations through sabotage.
- Risk of RODO breaches
Disclosure of customer or employee personal data resulting from such an attack can expose the company to severe administrative fines and reputational damage.
Real-life example
One company suffered a major data breach after cybercriminals used credential stuffing with the login details of an employee who used the same password for private and company accounts. The attackers gained access to the CRM system where customer data was stored, including personal details and order details. As a consequence the breach had to be reported to the supervisory authority, and every customer whose data may have been stolen had to be informed. The company suffered significant reputational and financial damage.
What can you do?
- Check if your data has been exposed in leaks
Use tools such as Have I Been Pwned? to see if your login details have been stolen in the past. If so, immediately change your password to a unique and stronger one.
- Use unique passwords
Always ensure that your passwords are unique and differ between services. Use a password manager to keep track of different logins more easily.
- Activate two-factor authentication (2FA)
Requiring an additional login step, such as an SMS code or an authenticator app, makes it significantly harder for attackers to take over your account.
- Phishing awareness
Beware of emails and messages that may try to phish your login details. Always check the source of the message and avoid clicking on suspicious links.
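An added example, not part of the original page, for the "check if your data has been exposed" step: a small Python implementation of the Have I Been Pwned Pwned Passwords range check, which sends only the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine. The SAMPLE_RANGES response and its counts are constructed for offline use; hibp_range_lookup is the live variant against the real API.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed sample of Pwned Passwords "range" responses, keyed by the first five
# hex chars of a SHA-1. Each line is "<35-char suffix>:<count>"; counts are made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}

def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def sample_range_lookup(prefix: str) -> str:
    """Offline lookup against the constructed sample (unknown prefix -> empty body)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")

def hibp_range_lookup(prefix: str) -> str:
    """Live lookup; only the five-char prefix leaves the machine (k-anonymity)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-stuffing-awareness-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, lookup: Callable[[str], str] = sample_range_lookup) -> int:
    """How many breach records hold this password; 0 if its suffix is not listed."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(lookup(prefix)).get(suffix, 0)
```

A non-zero count means the password is in a public breach corpus and should be changed; the same check can be run at password-change time to refuse passwords already known to attackers.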
Remember
Credential stuffing is an increasingly common method of attack. Protecting your passwords and being aware of cyber threats are key elements in preventing such breaches. Keeping your data secure is not only a legal obligation, but also a responsibility to colleagues and customers.