Freely subscribe to our NEWSLETTER

Matias Woloski, CTO and Co-founder, Auth0, has made the following comments on the recent rise in credential stuffing attacks, and what organisations can do to mitigate the risk:

“At Auth0, we’re in a unique position as an aggregator of identity and login data, to see massive trends across our customer base. Today, roughly 67% of our authentication traffic is deemed suspicious, meaning, it looks like application fraud. The use of stolen credentials is one of the most common methods used in observed data breaches.

“Credential stuffing is when attackers take credentials that have been leaked in one data breach and try them en masse against other websites to find combinations that are reused, so they can take over user accounts. Attackers do this in an automated fashion, so that they can try thousands of credentials over time. It’s really a numbers game. If 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts.

“Most of the problems that enable credential stuffing attacks have been around for a long time. What’s really going to change is how we address these attacks, because they are going to become more imperative. We need to take mitigation techniques like MFA that introduce more friction and make them smarter. In an ideal world, a customer only encounters more friction occasionally when it’s more necessary. Instead of triggering MFA every time a user logs in, trigger it only when it makes sense. If you’re a UK company and most of your user base is in the UK or Europe, but you see huge spikes in traffic from Vietnam or Thailand, ask for additional verification.”