The first part of this report highlighted an often underestimated reality: credential stuffing does not rely on spectacular technical flaws, but on the reuse of valid credentials obtained from leaks, sometimes dating back years. This characteristic makes it a persistent threat that is difficult to detect and perfectly compatible with otherwise well-secured infrastructures. The question is therefore no longer about understanding the phenomenon, but about identifying responses that are genuinely appropriate and effective. In this area, however, many organizations set up measures that appear reassuring but have limited effectiveness against attacks designed to resemble legitimate use.
How can we fight against such a phenomenon?
The most common response to credential stuffing is to strengthen password complexity requirements. While necessary from an overall security perspective, this measure only addresses a marginal part of the problem. As we have seen, credential stuffing primarily exploits credentials that have already been compromised elsewhere. In this context, the theoretical complexity of the password is less important than its reuse. A long and complex password, used on multiple services, remains exploitable once it has been leaked.
A policy focused exclusively on the formal robustness of passwords has several limitations.
The issue of credential stuffing therefore requires a change in perspective: it is no longer just about protecting a secret. You have to consider that this secret may already have been exposed elsewhere.
Multi-factor authentication is one of the most effective ways to reduce the impact of credential stuffing. If the system requires a second factor, it significantly limits the direct exploitation of a compromised password. However, its effectiveness depends heavily on how it is implemented. Several factors determine the actual effectiveness of multi-factor authentication.
A second factor based on codes sent by SMS, for example, remains vulnerable to fraud or misuse. Similarly, optional multi-factor authentication, or multi-factor authentication limited to certain categories of users, still leaves a significant attack surface. Most importantly, multi-factor authentication does not eliminate credential stuffing; it only mitigates its consequences.
Traditional defense mechanisms are often designed to detect abnormal volumes of failed logins. However, in credential stuffing, attackers adjust their attacks to avoid these thresholds. A more effective approach is therefore to shift the focus to authentication behavior rather than just the number of failed attempts.
Several signals that are weak when taken in isolation can reveal an ongoing campaign.
Taken separately, each of these indicators may seem insignificant; when added together and analyzed collectively over time, however, they can reveal patterns that are characteristic of credential stuffing. This approach requires a more sophisticated ability to correlate and analyze behavior (and therefore greater technical and financial resources) than simple mechanisms that block repeated failed attempts.
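The correlation described above, as an added example that is not part of the original post: instead of counting failed logins per account, it groups authentication events by source and sums several weak signals. The log lines, the signal definitions and the score threshold are all constructed here for illustration.

```python
# Added example (not from the original post): correlate weak per-source
# signals into a score instead of counting failed logins alone.
# Log lines, signal names and thresholds below are constructed.
from collections import defaultdict

# Constructed sample: "epoch ip account result user-agent". The stuffing
# source tries many accounts once each (under any lockout threshold),
# reuses one scripted client and is paced regularly; the legitimate user
# retries her own account from a browser.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice@example.org FAIL python-requests/2.31
1700000004 203.0.113.7 bob@example.org FAIL python-requests/2.31
1700000008 203.0.113.7 carol@example.org OK python-requests/2.31
1700000012 203.0.113.7 dave@example.org FAIL python-requests/2.31
1700000016 203.0.113.7 erin@example.org FAIL python-requests/2.31
1700000020 203.0.113.7 frank@example.org FAIL python-requests/2.31
1700000100 198.51.100.2 alice@example.org FAIL Mozilla/5.0
1700000130 198.51.100.2 alice@example.org OK Mozilla/5.0
"""

def aggregate(log):
    """Group events by source IP; keep accounts, agents and timestamps."""
    per_ip = defaultdict(lambda: {"accounts": set(), "agents": set(), "ts": []})
    for line in log.splitlines():
        ts, ip, account, result, agent = line.split(maxsplit=4)
        per_ip[ip]["accounts"].add(account)
        per_ip[ip]["agents"].add(agent)
        per_ip[ip]["ts"].append(int(ts))
    return per_ip

def signals_for(src):
    """Each test is weak alone; together they characterise stuffing."""
    n, accounts, agents, ts = len(src["ts"]), src["accounts"], src["agents"], src["ts"]
    found = []
    if len(accounts) >= 5:
        found.append("many distinct accounts")
    if n >= 5 and len(accounts) == n:
        found.append("one attempt per account")  # never trips a lockout
    if n >= 5 and len(agents) == 1 and "Mozilla" not in next(iter(agents)):
        found.append("single scripted user-agent")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) >= 4 and max(gaps) - min(gaps) <= 2:
        found.append("machine-regular pacing")
    return found

def suspicious_sources(log, min_signals=3):
    """Sources whose signal count reaches the threshold, with the reasons."""
    return {ip: sig for ip, src in aggregate(log).items()
            if len(sig := signals_for(src)) >= min_signals}
```

Note that no account in the sample ever sees more than one failure from the stuffing source, so a per-account failed-login threshold would not fire at all.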
An organization cannot control leaks that occur elsewhere. However, it can incorporate this reality into its own defense strategy. Continuous monitoring of compromised-credential databases, whether publicly available or obtained via specialized partners, makes it possible to identify potential exposures ahead of attacks. When an address associated with an internal account appears in a leak, the risk of credential stuffing automatically increases.
Not all accounts are created equal. Privileged accounts are particularly attractive targets in credential stuffing campaigns, especially when they use addresses and passwords that are also used for personal purposes. Credential stuffing exploits the cross-functional nature of digital usage. The more an account is exposed to different environments, the more likely it is to be included in a leak. It is therefore necessary to regularly audit these accounts and only grant access to them if they are essential and, preferably, for a limited period of time.
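An added example (not from the original post) that ties together the three points above: a password is rejected when it appears in a leak corpus regardless of its complexity, the check discloses only a hash prefix rather than the password, and internal accounts whose address appears in the leak are flagged with a risk level that is higher for privileged roles. The leak corpus, the internal account list and the role names are constructed; the prefix-query shape mirrors the k-anonymity range lookups that public breach services offer, but no network call is made.

```python
# Added example (not from the original post): check a password against a
# leak corpus without disclosing it, and flag internal accounts that appear
# in a leak. LEAKED and INTERNAL_ACCOUNTS are constructed sample data.
import hashlib

def _sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()

# Constructed leak dump: (email, SHA-1 of the leaked password). The second
# password is long and complex yet exploitable once it sits in a dump.
LEAKED = [
    ("alice@example.org", _sha1("password")),
    ("bob@example.org", _sha1("Tr0ub4dor&3-Winter2023!")),
]
# Constructed internal directory: address -> role.
INTERNAL_ACCOUNTS = {"alice@example.org": "admin", "carol@example.org": "user"}

def range_lookup(prefix: str) -> list[str]:
    """Return hash suffixes for a 5-hex-char prefix, as a range API would.
    Only the prefix leaves the client; the full hash is never sent."""
    return [h[5:] for _, h in LEAKED if h.startswith(prefix)]

def password_is_leaked(password: str) -> bool:
    """True when the candidate password is in the corpus, however complex."""
    digest = _sha1(password)
    return digest[5:] in range_lookup(digest[:5])

def exposed_accounts(accounts: dict, leak: list) -> dict:
    """Map each internal account seen in the leak to a risk level; a hit on
    a privileged role is rated higher because it is a direct path in."""
    leaked_emails = {email for email, _ in leak}
    return {email: ("high" if role == "admin" else "elevated")
            for email, role in accounts.items() if email in leaked_emails}
```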
Security policies that ignore actual user practices allow structural vulnerabilities to persist. Reuse of credentials, informal account sharing, proliferation of unlisted tools: these practices expand the attack surface far beyond the theoretical perimeter. The solution therefore lies in gaining a better understanding of actual digital usage, rather than hoping that users will be more disciplined than they really are. Credential stuffing reminds us that security must also be based on a detailed understanding of usage patterns.

Check back soon on the blog for a new topic. If you have a movie, TV series, software, or e-book to protect, don't hesitate to call on our services by contacting one of our account managers. PDN has been a pioneer in cybersecurity and anti-piracy for over ten years, and we are sure to have a solution to help you. Happy reading, and see you soon!