What is credential stuffing?
Credential stuffing is a type of cyberattack in which a cybercriminal takes usernames and passwords stolen from one organization (obtained in a breach or purchased on the dark web) and uses them to log into user accounts at another organization. Credential stuffing is one of the most common causes of account takeover, and of the data breaches that follow, because many users reuse the same password on multiple (and sometimes all) of their accounts.
How and why does it happen?
To execute a credential stuffing attack, cybercriminals load a list of stolen username and password pairs (sometimes padded with commonly used passwords) into a botnet that automatically tries those credentials against many sites at once. Because most stolen pairs will not work on a given site, the attack generates a very large number of failed login attempts, and the sheer volume of requests from a large botnet can also overwhelm a business's IT infrastructure. Once the attackers find a site where a pair works, they have the same access to that user's account and personal data as the legitimate user, to do with as they please.
What does Punchh do to protect against these attacks?
To protect against credential stuffing attacks, Punchh works with Cloudflare, a company focused on web infrastructure and website security. Login activity is monitored closely at the API level to detect potential attacks. If an attack is detected, the API endpoints responsible for signups and sign-ins are blocked for the user agents from which the attack is originating, in order to mitigate potential data theft and infrastructure downtime. While a block is in place, guests whose traffic matches a blocked user agent will not be able to sign up for or log into their loyalty account. Guests who are already logged into the app can continue to use it normally. Blocks are removed after the monitoring teams confirm the attack has stopped, at which point normal sign-up and login functionality is restored.
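The two paragraphs above describe the shape of the attack (many automated attempts, mostly failures, spread over many usernames) and the response (monitor the sign-in and signup endpoints per user agent, then block the offending agents). The following is an added illustration written for this article; it is not Punchh's or Cloudflare's code, and the log format, endpoint paths, and thresholds are assumptions chosen for the example. It builds a small constructed log containing one scripted stuffing run and some ordinary app traffic, then reports which user agents show the stuffing signature within a time window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions for this example, not Punchh's or Cloudflare's tuning).
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 10          # enough volume to matter
MIN_FAILURE_RATE = 0.80    # stolen pairs mostly fail on a different site
MIN_DISTINCT_USERS = 8     # many accounts tried, unlike brute force on a single account
LOGIN_PATHS = {"/api/auth/sign_in", "/api/auth/sign_up"}   # assumed endpoint paths


def _line(ts, ip, ua, user, status, path="/api/auth/sign_in"):
    """One JSON log line, in the shape an API gateway might emit (assumed format)."""
    return json.dumps({"ts": ts, "ip": ip, "ua": ua, "user": user, "path": path, "status": status})


def build_sample_log():
    """Constructed sample log (not real traffic): a stuffing run plus normal app traffic."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Botnet: one scripted user agent, three source IPs, a fresh username on every
    # attempt, and almost every attempt rejected (401) because the leaked passwords
    # rarely match on this site. Attempt 7 is the one reused password that works.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        status = 200 if i == 7 else 401
        lines.append(_line(ts, f"203.0.113.{10 + i % 3}", "python-requests/2.31",
                           f"user{i}@example.com", status))
    # Legitimate guests: the official app, two users, one mistyped password.
    legit = [("198.51.100.7", "alice@example.com", 200),
             ("198.51.100.7", "alice@example.com", 200),
             ("198.51.100.9", "bob@example.com", 401),
             ("198.51.100.9", "bob@example.com", 200)]
    for i, (ip, user, status) in enumerate(legit):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(_line(ts, ip, "LoyaltyApp/5.2 (iOS)", user, status))
    return "\n".join(lines)


def parse_log(text):
    """Parse JSON lines into events with timezone-aware datetime timestamps."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        e = json.loads(raw)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_stuffing_user_agents(events, now=None):
    """Return {user_agent: stats} for agents whose sign-in/signup traffic inside the
    last WINDOW looks like credential stuffing: high volume, mostly failures, and
    many distinct usernames. Everything else (including a normal burst of failed
    logins by one guest) is left alone."""
    events = [e for e in events if e["path"] in LOGIN_PATHS]
    if not events:
        return {}
    now = now or max(e["ts"] for e in events)
    per_ua = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ips": set()})
    for e in events:
        if now - e["ts"] > WINDOW:
            continue                                  # outside the sliding window
        s = per_ua[e["ua"]]
        s["attempts"] += 1
        s["failures"] += e["status"] == 401
        s["users"].add(e["user"])
        s["ips"].add(e["ip"])
    flagged = {}
    for ua, s in per_ua.items():
        rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= MIN_ATTEMPTS and rate >= MIN_FAILURE_RATE
                and len(s["users"]) >= MIN_DISTINCT_USERS):
            flagged[ua] = {"attempts": s["attempts"], "failure_rate": round(rate, 2),
                           "distinct_users": len(s["users"]), "distinct_ips": len(s["ips"])}
    return flagged


if __name__ == "__main__":
    for ua, stats in find_stuffing_user_agents(parse_log(build_sample_log())).items():
        print(f"block user agent {ua!r} on sign-in/signup endpoints: {stats}")
```

In the constructed data only `python-requests/2.31` is reported (12 attempts, 11 failures, 12 usernames, 3 IPs); the app's own user agent, with a handful of attempts and a single failure, is not. The distinct-username check is what separates stuffing from a brute-force attack on one account, and the window keeps an old incident from keeping an agent blocked forever. One caveat worth keeping in mind: a block keyed on user agent only works while the attacker keeps using a recognizable one, and stuffing tools can rotate or spoof that header, so the same statistics are usually tracked per source IP or network as well.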
In an effort to supply information as quickly as possible, this article has been published prior to a formal technical review and may contain factual, grammatical, and structural errors. Data may be incomplete, misordered, or incorrect.
This additional disclaimer will be removed upon formal review of this article. The standard Punchh Inc. KB Disclaimer still applies, and can be found at: https://support.punchh.com/hc/en-us/articles/360040100273-Punchh-Inc-Knowledge-Base-Disclaimer
If further assistance is required, submit a ticket to Punchh Support. (For help submitting a ticket, click here)