International data protection and privacy authorities provide guidance against the threat of credential stuffing attacks

The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information.

Credential stuffing is a cyber-attack method that exploits people’s tendency to use the same username and password combination across multiple online accounts. These attacks are automated and often carried out on a large scale, using stolen and legitimate credentials obtained from unrelated data breaches to access people’s accounts across websites.

The report, published by a sub-working group of the Global Privacy Assembly’s International Enforcement Working Group (IEWG), including the ICO and data protection authorities from Canada, Gibraltar, Jersey, Switzerland, and Turkey, highlights the growing trend of credential stuffing attacks and provides guidance for organisations and the public on how to prevent, detect and mitigate the risk of such attacks.

Among the security measures listed in the guidance, the Global Privacy Assembly’s report notes that multi-factor authentication is considered to be the most effective measure in securing online accounts against credential stuffing. To read the ICO’s news release in full and for links to the new guidance, click here.