How to Protect Your Customers from “Credential-Stuffing” Attacks

If your customers use the same username and password for multiple online accounts, they could be at greater risk if your organization experiences a data breach. You can’t control what passwords your customers use for all their accounts, but you can mitigate the risk of “credential-stuffing” attacks.

According to a release from the Office of the Privacy Commissioner of Canada (OPC), credential stuffing attacks exploit peoples’ tendency to use the same log-in credentials for various online accounts. If your customers continuously reuse the same username and password online, just one data breach could lead to many of their accounts being compromised. Research from Akami has found that hundreds of millions of credential-stuffing attacks occur on a daily basis.

The OPC and other global data protection authorities recently released guidelines for limiting the risk of credential-stuffing attacks. Here are a few of the steps you can take to protect your customers.

Have a Guest Checkout for Online Purchases

One way to prevent credential-stuffing attacks is to not require your customers to create credentials in the first place. By offering a guest checkout option on your website, customers can purchase your products or services without creating a username and password that could end up being compromised.

Have a Strong Password Policy

If your customers create online accounts with you, you should never store their credentials in plain text format. Passwords should be stored securely, ideally using hashing rather than encryption. Hashing is more secure than encryption, which is easy to crack if your decryption key isn’t secure.

You should have a strong password policy that requires customers to use a minimum number of characters, including special characters. You could consider a “deny list” that prevents users from choosing easy-to-guess passwords. You may also inform your customers of the risks of reusing existing passwords and/or recommend that your customers use a password vault to secure their passwords.

Consider Multi-Factor Authentication

Multi-factor authentication is an effective way of guarding against credential stuffing. Requiring additional factors – such as a temporary password sent to your customer’s cellphone – to gain entry makes it much harder for malicious actors to access your customers’ accounts.

Don’t Use Email Addresses for Usernames

Customers often use the same email address for multiple usernames, making it easier for bad actors to access multiple accounts. Providing users with automatically generated usernames or requiring them to create a custom username can help prevent credential-stuffing attacks.

Your Customers Could Be at Risk of Significant Harm

As discussed in a previous blog, most privacy breaches pose a real risk of significant harm – and the risks could be even higher when your customers use the same log-in credentials for multiple accounts. With breaches becoming costlier than ever, now is the time to ensure your privacy policies are up to snuff.

This article provides a brief overview of some of the steps you can take to guard against credential-stuffing attacks, but it is by no means a comprehensive list of the precautions you may implement to protect your customers’ data. The lawyers in our Privacy, Data Protection & Cybersecurity team have wide-ranging experience helping clients develop strategies to prevent and respond to breaches. Download our cybersecurity checklist to assess your organization’s current cybersecurity strategy.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.