According to a 2019 survey by Google, a staggering 65% of participants report using the same password across multiple accounts. And all too often, there is an overlap between personal and work-related account passwords. With the rise of credential stuffing, adversaries can take a set of username/password combinations obtained by attacking one target and use them to compromise employee or customer accounts with other organizations. Easier yet, threat actors can even carry out credential stuffing using the low-hanging fruit of publicly disclosed dumps available on the open web.
Such activity can pose a business risk on several fronts—from the financial and reputational costs of fraud against customer accounts to the potentially massive impact of adversaries gaining privileged network access though ATO against an employee account.