The Cost of Credential Stuffing: How Account Takeovers Damage Business Reputation

In recent months, Australian businesses have faced a wave of credential stuffing attacks. These attacks don't technically hack or breach the affected website, instead the attacks target customer accounts, leading
to fraudulent transactions. The impact on business reputation and customer trust cannot be overstated.

What is Credential Stuffing?

Credential stuffing occurs when attackers use login details obtained from a data breach to access accounts on other sites. To achieve this, criminals test out millions of credentials on a target website to identify working combinations. This attack affects users who reuse passwords across multiple services [1].

The Scale of the Problem

Tens of thousands (that we know of) Australian online accounts were accessed since late November 2023. This number grows each day [2]. The attacks affected major retailers and service providers, including:

• The Iconic
• Guzman y Gomez
• Dan Murphy's
• Event Cinemas
• Stan

The Impact

While reusing passwords between sites has long been considered a no no, users persist in doing it. Blaming the customer, like 23andme did in their recent response to an attack, is not acceptable. Indeed, over 70% of American's believe that websites have a responsibility to prevent account takeovers via stuffing attacks. Not doing so can negatively impact a business in several ways.

Financial Impact

The impact can be both to the affected business and the affected client. Fraudsters made significant purchases using compromised accounts. One scammer claimed to have spent over $800 on high-end alcohol at Dan Murphy's [2]. Others bought iPhones and clothing. Either the customer will be out of pocket, or the business when the customer issues a chargeback on the purchase.

Reputation Damage

The attacks force businesses to address customer concerns and implement stronger security measures. The Iconic pledged to refund affected customers [1]. Dan Murphy's confirmed that a "small number of user accounts were subject to fraudulent transactions" [3].

Customer Trust

These incidents erode customer trust. Users expect businesses to protect their personal and financial information. When breaches occur, customers question the security practices of the affected companies.

Business Response

Companies responded by:

1. Locking compromised accounts
2. Issuing refunds
3. Encouraging customers to change passwords
4. Implementing stronger security measures

Dan Murphy's advised customers to "practise good password hygiene, using a strong password and changing it periodically" [3].

Prevention Strategies

To protect against credential stuffing, businesses should:

1. Implement multi-factor authentication
2. Educate customers about password security
3. Monitor login behaviour on their website
4. Implement, and regularly update, security measures, including bot management and advanced rate limiting.

Credential stuffing attacks pose a significant threat to business reputation and customer trust. Companies must prioritise cybersecurity to protect their customers and their brand.

Sources:

[^1] ABC News: "The Iconic was hit by criminals taking money by 'credential stuffing'. How can you stay safe?" [^2] Cyber Daily: "Guzman y Gomez, Dan Murphy's customers affected in credential stuffing campaign" [^3] The Sydney Morning Herald: "Thousands of Australians hacked in 'credential stuffing' credit card scam"