Tech Thursday: Data Breaches and Credential Stuffing

Tech Thursday: Data Breaches and Credential Stuffing

Marriott. Kay Jewelers. The United States Postal Service. These are a few of the companies who have had customer data stolen from them by hackers just in the last month. But even if your company has never put you up at a Marriott, bought a ring from Kay, or sent a package through USPS, your company’s data might still be at risk because of these leaks. Why? A hacking technique called Credential Stuffing.

Here’s how it works:

John User creates an account at using his personal email address He types in a password -- 8 characters, including a number, letter, and symbol. Hey, that sounds a lot like my work password. I’ll just use the same one. Easier to remember.

But then come the hackers. They get ahold of Marriott’s user database, with email addresses and passwords for everyone who has an account.

Of course, once Marriott realizes what has happened, they will make everyone reset their passwords. But, that doesn’t stop what happens next: Attackers (whether the original culprits of the data leaks, or others who obtained the passwords from various sources) begin to try the usernames, passwords, and email addresses on all sorts of online services. This could include your web-facing on-prem services, like OWA or your VPN. Or it could be a cloud service you use, like Office 365.

Either way, someone somewhere tries the combination$$w0rd on one of the services that you host. They’re in. From that point on, you may be looking at a data breach of your very own.

Preventing Credential Stuffing with Multi-Factor Authentication

Of course, you ask all users to use a unique password for their work resources. But invariably, some of them will end up using the same password for insecure services that end up getting hacked. So what can be done?

Multi-factor authentication (MFA) mitigates credential stuffing attacks. Also known as two-factor authentication, it uses an additional check on the user’s identity besides just a password. It is often described as something you have plus something you know. The “something you know” would be the standard password. The “something you have” could be any number of things. Historically, this would have been something complicated and expensive to implement, like a smart card. But nowadays, you can use something as ubiquitous as a smartphone for the second factor.

To implement two-factor authentication using a cell phone, there are generally two methods that you can choose from: SMS and Authenticator app.

With SMS MFA, a one-time code is sent as a text message to the user, which must be entered in order to continue the login. This is a convenient option, but in some recent targeted attacks, people have had their cell phone number stolen so that thieves can gain access to their accounts. So, while it’s better than nothing, for higher-security applications, it’s not the best choice.

An authenticator app uses an algorithm to generate a time-based code which then must be entered to complete the login. Because the code is generated only in the app, and not sent over the air, the code cannot be stolen unless the phone is physically stolen (and the passcode broken). So the authenticator app approach is almost as convenient as the SMS method, but much more secure.

Enabling multi-factor authentication requires careful planning as well as user training. Our next article will show you how to enable MFA on Office 365.


E-N Computers is a full-service IT service provider helping businesses in Virginia, Maryland, and Washington, D.C. to keep their data secure. If you need help with multi-factor authentication, or any other security technology, please contact us today.