IntermediateAuthentication

Implement credential stuffing detection on all login endpoints

Credential stuffing — using leaked username-password pairs from other breaches to log into your service — is automated, cheap, and devastatingly effective when users reuse passwords. 23andMe's 2023 breach, which exposed genetic ancestry data, was entirely credential stuffing: no vulnerability was exploited. Defences include: rate limiting login attempts per IP and per account, CAPTCHA after N failures, monitoring for login attempts with credentials appearing in breach databases (Have I Been Pwned Enterprise API), and blocking known Tor and VPN exit node IPs for login requests.

Tags

credential stuffingrate limitingHIBPlogin securitybreach monitoring

More in Authentication

All guides
beginnerfeatured

Use hardware security keys for privileged and external-facing accounts

FIDO2/WebAuthn hardware security keys are phishing-proof — they cryptographically bind to the domain you registered them on, so a cloned login page cannot capture the credential. SMS-based two-factor codes can be intercepted via SIM-swapping or forwarded by a victim who receives a fraudulent phone call. The Twilio breach demonstrated exactly this: employees entered SMS codes into a phishing page. Hardware keys like YubiKey make that attack impossible. Deploy them first for all administrators, executives, and anyone with access to production systems or financial controls.

See: Twilio SMS PhishingAuthentication
intermediate

Migrate from SMS and TOTP to phishing-resistant MFA

SMS two-factor authentication is vulnerable to SIM-swapping, SS7 interception, and real-time phishing relay. TOTP (authenticator app) codes are better than SMS but can still be captured on a convincing phishing page. Phishing-resistant MFA — FIDO2 hardware keys or passkeys — cannot be forwarded to an attacker's server because the credential is cryptographically bound to the exact domain. When Cloudflare was targeted by the same 0ktapus campaign that successfully breached Twilio, Cloudflare survived because their employees used hardware keys. Prioritise migration for your highest-value accounts first.

See: Twilio SMS PhishingAuthentication
beginner

Enforce a 90-day audit of all service accounts and shared credentials

Dormant accounts and over-privileged service credentials are a persistent attack surface. The Colonial Pipeline VPN credential that enabled the ransomware attack belonged to an account that was no longer actively used but had never been deactivated. Run a quarterly audit of all service accounts, API keys, and shared credentials. Deactivate anything unused for 30 days. Remove permissions that are broader than the account's stated purpose. Document every service account's owner, purpose, and expiry date.

See: Colonial PipelineAuthentication