Executive Summary
Virtually every website and app uses passwords as a means of authenticating its users. Users — forced to contend with an ever-expanding number of online accounts they must manage — tend to reuse the same passwords across multiple online services.
Unfortunately, the widespread use and reuse of passwords has made them attractive targets for cybercriminals, who know that passwords stolen from one company may provide the keys to a host of accounts at another.
According to a recent study, there are more than 15 billion stolen credentials circulating on the Internet. This enormous cache of credentials has fueled a dramatic rise in credential stuffing attacks. The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020.
The purpose of this document is to share some of the lessons learned, including concrete guidance for businesses on steps they can, and should, take to better protect against credential stuffing attacks.