International Data Protection And Privacy Regulators Release Guidance On Credential Stuffing Attacks


M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on July 13, 2022.


On June 27, 2022, the Office of the Privacy Commissioner of Canada, along with fellow members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG), released guidance documents to help individuals and organizations protect against credential stuffing attacks.

Credential stuffing attacks exploit the tendency of users to reuse their usernames and passwords across multiple platforms. Threat actors take username and password pairs leaked in past data breaches and replay them against other online services to access further accounts belonging to the same users. These attacks may result in financial or reputational harm for individuals, and in breaches at organizations that otherwise have a robust cybersecurity infrastructure, because the attacker logs in with valid credentials rather than exploiting a flaw. In its guidance, the IEWG states that hundreds of millions of credential stuffing attacks occur each day and that credential stuffing has become a global threat to personal data.

To assist individuals in defending against credential stuffing attacks, the IEWG advises, among other things, that users should:

  • not reuse their passwords across multiple accounts;
  • consider implementing multi-factor authentication (MFA) where possible;
  • immediately change the passwords for any compromised accounts and for any other accounts protected by the same or similar passwords; and
  • routinely check account information for unusual activity or unauthorized transactions.

For organizations, the IEWG discusses (i) implementing password systems and policies that fortify the creation and management process for account passwords; (ii) making MFA an essential security measure in one’s organization; and (iii) using alternatives to traditional account setups, such as guest accounts, single sign-on systems, and secondary passwords.
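As an added illustration of the organizational side (this is example code written for this post, not part of the IEWG guidance), the following Python flags the login pattern that distinguishes credential stuffing from an ordinary forgotten password: one source trying many distinct usernames with mostly failures. The log format and the sample entries are constructed for the example; any account that the flagged source did successfully open is listed for the password reset the guidance calls for.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the article):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-06-27T10:00:01Z 203.0.113.5 alice FAIL
2022-06-27T10:00:02Z 203.0.113.5 bob FAIL
2022-06-27T10:00:02Z 203.0.113.5 carol FAIL
2022-06-27T10:00:03Z 203.0.113.5 dave OK
2022-06-27T10:00:03Z 203.0.113.5 erin FAIL
2022-06-27T10:00:04Z 203.0.113.5 frank FAIL
2022-06-27T10:00:05Z 198.51.100.7 alice FAIL
2022-06-27T10:00:09Z 198.51.100.7 alice OK
2022-06-27T10:00:12Z 192.0.2.9 grace OK
"""


def parse_log(text):
    """Yield (ip, user, succeeded) tuples from the space-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        yield ip, user, outcome == "OK"


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A legitimate user who mistypes retries the same account; a stuffing
    source cycles through many accounts, roughly one leaked pair each.
    Returns {ip: {"users": n, "attempts": n, "fail_ratio": x}}.
    """
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        if not ok:
            fails[ip] += 1
    flagged = {}
    for ip, total in attempts.items():
        ratio = fails[ip] / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(users[ip]), "attempts": total,
                           "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_needing_reset(text, flagged):
    """Accounts a flagged source opened: the reused password worked, so this
    account (and any other protected by the same password) should be reset."""
    return sorted({u for ip, u, ok in parse_log(text) if ok and ip in flagged})
```

The thresholds are deliberately simple; in production they would be tuned per service and combined with rate limiting and MFA rather than used alone.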

Although these guidelines may not represent legal obligations across all IEWG member jurisdictions, the IEWG intends to raise awareness of the threat of credential stuffing and assist the general public, along with private organizations, in fortifying their personal information practices.