Kristian Willmott Head of Marketing

The butterfly effect: Credential Stuffing

The ‘butterfly effect’ is a well-known theoretical concept: the premise that small events can have
non-linear impacts on a complex system. History is littered with examples of seemingly small and
inconsequential events which, cumulatively, have had the power to forge empires, inspire leaders and
topple governments. For instance, had the Scottish people not invested in the Darien scheme (to the
tune of about half of the nation’s available capital) to establish a trade route connecting the Pacific and
Atlantic in Panama, it is worth wondering whether the Act of Union would ever have been implemented.
Cumulatively, small events such as poor planning, disease, hostile powers, mosquito-infested beaches
and high financial risk all resulted in the scheme’s failure and ultimately bankrupted Scotland. This
one disastrous expedition would end hundreds of years of fighting between England and Scotland and
bring the two nations together in a union that would help shape world history for the next 300 years.


The butterfly effect can also be seen in credential stuffing, where one small data breach can have a
large and varied impact on personal and company data. Credential stuffing is the use of credentials
compromised in one breach to break into other systems, an attack carried out faithfully and at scale by
predatory bots. So if your email password is captured in a data breach, the bots will try that same
password against a portfolio of your other accounts. From one small breach, the security of someone’s
social media, online banking, travel accounts and company profiles, to name a few, could all be
exposed. This does, however, depend on the password used on one profile being the same as, or similar
to, the password used on other systems. In 2019, a security report by Google revealed that 65% of
people used the same password for multiple accounts, and a much higher percentage used similar
variations of the same password across accounts. This means that company and private data can easily
be exposed through a single breach of an unrelated system, and it makes defending against credential
stuffing hard, because the endpoints are so diverse and range from personal accounts to professional
ones. What makes credential stuffing more threatening than a conventional brute-force attack is
context: traditional attacks try to guess passwords with little information and far less sophisticated
bots, whereas credential stuffing uses already-leaked personal data to narrow down the options and
sophisticated bots to gain entry into other systems. Despite the credible threat this presents, there are
some simple ways to limit the chance of falling victim to the swarms of algorithm-munching bots
looking to gain access to your family’s age-old cottage pie recipe.
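As an added example (not from the original post), here is how a defender might spot the pattern described above in authentication logs. Credential stuffing looks like one source trying many different usernames once or twice each, which is exactly what separates it from the old-fashioned brute force the post contrasts it with (one username, many guesses). The log format, the thresholds and the sample log lines are all assumptions constructed for the illustration.

```python
"""Detect credential-stuffing and brute-force patterns in authentication logs.

Credential stuffing: one source cycles through many *different* usernames, one
or two attempts each. Brute force: one username, many attempts. Both show a high
failure rate in a short window, so the ratio of distinct usernames to attempts
tells them apart. Assumed log format: "<ISO-8601 ts> <source IP> <user> <OK|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real traffic: 203.0.113.7 sprays ten leaked
# credential pairs (one of them works), 198.51.100.5 hammers a single account,
# and 192.0.2.10 is a normal user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave OK
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:00:06 203.0.113.7 grace FAIL
2024-03-01T10:00:07 203.0.113.7 heidi FAIL
2024-03-01T10:00:08 203.0.113.7 ivan FAIL
2024-03-01T10:00:09 203.0.113.7 judy FAIL
2024-03-01T10:05:00 198.51.100.5 carol FAIL
2024-03-01T10:05:01 198.51.100.5 carol FAIL
2024-03-01T10:05:02 198.51.100.5 carol FAIL
2024-03-01T10:05:03 198.51.100.5 carol FAIL
2024-03-01T10:05:04 198.51.100.5 carol FAIL
2024-03-01T10:05:05 198.51.100.5 carol FAIL
2024-03-01T10:05:06 198.51.100.5 carol FAIL
2024-03-01T10:05:07 198.51.100.5 carol FAIL
2024-03-01T10:07:00 192.0.2.10 alice FAIL
2024-03-01T10:07:09 192.0.2.10 alice OK
"""

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool

def parse_line(line):
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return AuthEvent(ts, parts[1], parts[2], parts[3] == "OK")

def assess_window(events, min_attempts=8):
    """Label one source's events inside a time window, or return None."""
    attempts = len(events)
    if attempts < min_attempts:
        return None
    failures = sum(1 for e in events if not e.ok)
    if failures / attempts < 0.7:      # mostly-successful traffic is not an attack
        return None
    distinct = len({e.user for e in events})
    if distinct / attempts >= 0.8:     # almost every attempt is a new username
        label = "credential_stuffing"
    elif distinct <= 2:                # the same account over and over
        label = "brute_force"
    else:
        return None
    return {"label": label, "attempts": attempts, "failures": failures,
            "distinct_users": distinct,
            # accounts the source actually got into: these need a forced reset
            "succeeded_users": sorted(e.user for e in events if e.ok)}

def classify_sources(lines, window_seconds=300, min_attempts=8):
    """Return {ip: finding} for each source whose activity in some sliding
    window of `window_seconds` matches one of the two patterns."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev.ip].append(ev)
    span = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > span:
                start += 1
            found = assess_window(events[start:end + 1], min_attempts)
            if found and found["attempts"] > findings.get(ip, {}).get("attempts", 0):
                findings[ip] = found
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The `succeeded_users` field is the part an incident responder cares about most: a successful login inside a stuffing window is the "butterfly" landing, and that account's password should be reset and its sessions revoked. Real deployments would spread the same logic over many source addresses, since stuffing campaigns rotate through proxies; the per-account counter in the next example is one answer to that.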


Firstly, always use different passwords for different systems, and in particular keep personal and
professional accounts separate. Secondly, two-factor authentication also stops the bots, as they cannot
replicate a physical authentication method. Additionally, a method often used but rarely appreciated is
CAPTCHA, the challenge that asks whether you are a robot or a human. Other methods include IP
blacklisting, device fingerprinting, blocking headless browsers and disallowing or limiting the use of
email addresses as usernames. All of these improve the security of your personal information as well
as protecting company data. However, credential stuffing will remain a threat as long as people use the
same password, or a variation of it, across different systems. Until that changes, one small breach has
the potential to send a ripple of chaos through every other system that shares a similar password.
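To make the controls listed above concrete, the following added example (not the post's own code, and not any particular product) sketches a login gate that layers several of them: an IP blacklist, failure rate limits per source IP and per account, a CAPTCHA step-up, and a check for headless-browser User-Agent strings. The thresholds, the marker strings, the window and the sample addresses are assumptions; a real deployment would tune them from its own traffic.

```python
"""Login gate applying layered controls against credential stuffing.

Per attempt it returns one of "block", "captcha" or "proceed" ("proceed" means
go on to the password check, then to the second factor if the account has one).
Thresholds, the blocklist and the headless-browser markers are illustrative
assumptions, not recommendations for any specific system.
"""
import time
from collections import defaultdict, deque

# User-Agent substrings that common automation frameworks advertise (assumed).
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")

class LoginGate:
    def __init__(self, ip_blocklist=(), window_s=600, ip_fail_captcha=5,
                 ip_fail_block=20, account_fail_captcha=3, clock=time.monotonic):
        self.ip_blocklist = set(ip_blocklist)
        self.window_s = window_s
        self.ip_fail_captcha = ip_fail_captcha
        self.ip_fail_block = ip_fail_block
        self.account_fail_captcha = account_fail_captcha
        self.clock = clock
        self._ip_fails = defaultdict(deque)    # ip -> failure timestamps
        self._acct_fails = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, dq, now):
        """Drop timestamps older than the window and return how many remain."""
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return len(dq)

    def decide(self, ip, username, user_agent=""):
        now = self.clock()
        if ip in self.ip_blocklist:
            return "block"
        ip_fails = self._recent(self._ip_fails[ip], now)
        acct_fails = self._recent(self._acct_fails[username], now)
        if ip_fails >= self.ip_fail_block:
            return "block"
        # Headless browsers, and any source or account with recent failures,
        # must solve a CAPTCHA before the password is even checked. The
        # per-account counter catches sprays spread over many source IPs.
        if any(m in user_agent for m in HEADLESS_MARKERS):
            return "captcha"
        if ip_fails >= self.ip_fail_captcha or acct_fails >= self.account_fail_captcha:
            return "captcha"
        return "proceed"

    def record(self, ip, username, success):
        """Record the outcome; a failed CAPTCHA counts like a wrong password."""
        now = self.clock()
        if success:
            self._acct_fails[username].clear()  # owner got in: reset the account counter
        else:
            self._ip_fails[ip].append(now)
            self._acct_fails[username].append(now)

class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def simulate_spray(gate, ip, n):
    """One source tries n different usernames with wrong passwords (the
    stuffing pattern); return the gate's decision for each attempt."""
    decisions = []
    for i in range(n):
        decision = gate.decide(ip, f"user{i}")
        decisions.append(decision)
        if decision != "block":
            gate.record(ip, f"user{i}", success=False)
    return decisions

if __name__ == "__main__":
    clock = FakeClock()
    gate = LoginGate(ip_blocklist={"198.51.100.5"}, clock=clock)
    print(simulate_spray(gate, "203.0.113.7", 22))
    clock.advance(601)
    print(gate.decide("203.0.113.7", "user99"))  # window expired: proceed
```

Two design points are worth noting. Failures are counted against the account as well as the source, because a stuffing campaign that rotates through proxies never trips a per-IP limit on its own; and a successful login resets only the account counter, not the source counter, so an attacker who guesses one pair correctly does not earn a clean slate for the next hundred.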


To conclude, it is more important than ever for people and companies to secure their networks. It is an
increasingly hostile climate, with cyber-breaches becoming more sophisticated and impactful. As we
have asserted before, the faster we hurtle towards a heavily digitalised economy and embrace the
integration of IoT into our everyday lives, the more aware we must be of the threats it presents.
Digitalisation will be transformative and it will stimulate creative destruction. However, just as the
butterfly effect theorises, one small event can unleash grand unintended consequences.


By Henri Willmott