Latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information.
Credential stuffing is a cyber-attack method that exploits people’s tendency to use the same username and password combination across multiple online accounts. These attacks are automated and often in large scale, using stolen and legitimate credentials obtained from unrelated data breaches to access people’s accounts across websites.
The report, published by a sub-working group of the Global Privacy Assembly’s International Enforcement Working Group (IEWG), including the ICO and data protection authorities from Canada, Gibraltar, Jersey, Switzerland, and Turkey, highlights the growing trend of credential stuffing attacks and provides guidance for organisations and the public on how to prevent, detect and mitigate the risk of such attacks.
Among the security measures listed in the guidance, the Global Privacy Assembly’s report notes that multi-factor authentication is considered to be the most effective measure in securing online accounts against credential stuffing.
- International Enforcement Cooperation Working Group: Credential Stuffing Awareness Raising for individuals
- International Enforcement Cooperation Working Group: Credential Stuffing Guidelines for commercial organisations
With more than 130 data protection and privacy authorities from across the globe, the Global Privacy Assembly is one of the most important global forums for data protection and privacy authorities.