Was It a Breach or Credential Stuffing?

Breach or Credential Stuffing

If you are a business leader or security officer, there are few worse things to learn than that your company was the victim of a data breach.

Breaches are expensive and time consuming. They usually spark a mad dash to shore up cybersecurity defenses, implement new security and access policies, and lock down sensitive data. And then there is the damage to the company’s brand and the trust of their customers. Nearly 50% of consumers in a CA Technologies survey said they stopped using a company’s services because of a data breach. The average cost of a data breach in 2020 was $3.86m, according to a report from IBM and the Ponemon Institute.

Suffice to say, no CEO wants to see the company’s name in a headline about a data breach. The loss of business and reputation damage can take years to repair.

But what if it wasn’t actually a breach? According to headlines, Zoom and Nintendo both suffered major breaches in 2020. In reality, they were never breached. Their customers were the victims of credential stuffing attacks.

That might sound like I’m splitting hairs, but there is a big difference between a breach and a credential stuffing attack.

A breach exploits the company’s failure to protect its data. A credential stuffing attack is the result of consumers’ failure to protect themselves.

Going a little deeper, credential stuffing is a cyber-attack in which credentials obtained from a previous data breach on one service are used to attempt to log in to another unrelated service. For example, an attacker may take a list of usernames and passwords obtained from a breach of a major social network and use the same login credentials to try and log in to the site of a retail brand. The attacker is counting on two things: first, that some of those account owners have accounts with both the social network and the retailer, and second, that some of them use the same email addresses and passwords across accounts.

In contrast, a data breach is the release of information into an unsecured environment. Breaches can happen accidentally through carelessness or negligence by the data owner or as the result of a deliberate attack. Those attacks come in many forms, such as phishing, social engineering and exploiting weak or reused passwords.

As soon as a company’s data is breached, hackers go to work dissecting it and monetizing it. Then they package it up and resell it on various forums and marketplaces on the dark web, putting it into the hands of more hackers who use it to gain access to other accounts.

The timing for Zoom couldn’t have been worse. The video conferencing business was booming as millions of people around the world shifted to working from home during the COVID-19 pandemic. Then, at a time when the world was already on edge, we had to learn about “Zoombombing,” where criminals and pranksters with stolen account credentials interrupted otherwise legitimate meetings and school lessons, often with nasty comments.

Both breaches and credential stuffing attacks will continue to happen, and it’s important for victims – both the companies and their end users – to recognize the difference so they can respond appropriately. Companies have a shared responsibility to protect their data at all costs because when one of them is breached, it puts everyone else at risk down the line. The data in the Zoom, Nintendo, The North Face, Spotify, and other credential stuffing attacks of 2020 came from somewhere, and those brands all suffered for it.

For their part, consumers have a role to play to protect themselves too: Stop reusing passwords across multiple accounts. Millions of people do this, and it is a cyber-criminal’s dream come true. All a bad actor has to do is get your credentials from one account with weak security to have access to everything else. It’s not really practical or possible to expect everyone to set different passwords for the dozens or hundreds of accounts they have, so my biggest advice is to do what the security pros do and use a password manager that stores your encrypted passwords – and set one really, really strong password for that service.

As long as there are criminals willing to pay for stolen data and consumers failing to protect themselves, there will be people working to access data that isn’t theirs. Business leaders and security officers owe it to themselves to keep that data locked up because when one of them suffers a breach, they aren’t the only victim.


This article was originally written for Infosecurity Magazine.

Stop exposures from becoming account breaches.