The SEC’s 9 recommendations for avoiding “credential stuffing” attacks


Earlier this month, the Office of Compliance Inspections and Examinations of the United States Securities and Exchange Commission (OCIE) released a Risk Alert outlining a newly identified cyber-attack threat called “credential stuffing.”

Credential stuffing is a type of cyber-attack wherein bad actors gain access to already compromised user credentials on the dark web and attempt to access other accounts using those same credentials. Individuals who use the same username and password across multiple websites are especially vulnerable to these attacks. If compromised credentials are used on an adviser’s website or trading platforms, clients may be in danger of loss of assets or public exposure of sensitive information.

Cybercriminals can access clients’ personally identifiable information (PII) or initiate trades and transactions if their credential stuffing attempts are successful. These dangers extend to key vendors maintaining PII on behalf of your firm.

Below are key recommendations for avoiding credential stuffing and other cyber-attacks.


  1. Create strong cybersecurity policies and procedures: Ensure your firm has drafted, adopted, implemented, and maintains comprehensive cybersecurity policies and procedures. These should include in-depth guidelines for secure password creation.
  2. Utilize multi-factor authentication (MFA): MFA allows users to employ multiple forms of verification to access an account. These may include a text message or phone call containing a code, for example. The more authentication factors are used, the more secure accounts will be. Although MFA significantly reduces the risk of account compromise, bad actors may still be able to pass verification steps and gain access to targeted accounts.
  3. Use a CAPTCHA on websites storing PII: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) tests can reduce the number of automated scripts attempting to access sensitive information. These tests have users perform an action to demonstrate they are human, like identifying pictures of certain objects in a grid of images.
  4. Implement controls to identify possible attacks: Controls that detect and prevent credential stuffing attacks can, for example, alert system administrators when rapid or unusual failed login attempts are made.
  5. Use a web application firewall (WAF) to stop potential incoming attacks.
  6. Add controls to minimize damage: Controls can be implemented to limit access to fund transfers and sensitive information if an account is successfully taken over by bad actors.
  7. Leverage an IT provider to monitor the dark web: Consider engaging a professional to monitor the dark web for leaked lists of user credentials. Testing these lists for current users’ and clients’ account information can provide the opportunity to update user information before attacks occur.
  8. Inform clients and staff: Most people know to create strong passwords, but a key step in securing accounts is creating unique usernames and passwords or passphrases for each account, especially those containing PII. Encourage your clients and employees to create strong, unique passwords for every account they use.
  9. Stay vigilant to compromised cellphones: Cellphones are often used for MFA verification. It is possible for phones to be intercepted by cybercriminals, rendering MFA insecure. Warn employees and clients that, if their mobile device unexpectedly stops working, the number may have been transferred to another device for the purpose of compromising the MFA process.
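
One way to implement the detection control in recommendation 4, shown as an added example that is not taken from the Risk Alert or from this article: it flags a source whose failed logins span many different usernames in a short period, and lists accounts that then logged in successfully from that source. The log format, the 60-second window, the threshold of five usernames and the function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_FAILED_USERS = 5            # assumed threshold: distinct usernames failing per source

# Constructed sample log, format: "<UTC timestamp> <OK|FAIL> <source IP> <username>"
SAMPLE_LOG = """\
2020-09-21T09:00:00Z FAIL 198.51.100.4 jsmith
2020-09-21T09:00:02Z FAIL 203.0.113.7 aallen
2020-09-21T09:00:04Z FAIL 203.0.113.7 bbaker
2020-09-21T09:00:06Z FAIL 203.0.113.7 cclark
2020-09-21T09:00:08Z OK 203.0.113.7 ddavis
2020-09-21T09:00:10Z FAIL 203.0.113.7 eevans
2020-09-21T09:00:11Z OK 198.51.100.4 jsmith
2020-09-21T09:00:12Z FAIL 203.0.113.7 ffoster
truncated entry
""".splitlines()

def parse_line(line):
    """Return (timestamp, outcome, ip, username), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3].lower()

def detect_stuffing(lines, window=WINDOW, max_users=MAX_FAILED_USERS):
    """Flag sources whose failed logins cover many distinct usernames within the window."""
    failures = defaultdict(deque)  # ip -> (timestamp, username) of recent failures
    alerts = {}                    # ip -> first alert raised for that source
    for ts, outcome, ip, user in filter(None, map(parse_line, lines)):
        if outcome != "FAIL":
            continue
        recent = failures[ip]
        recent.append((ts, user))
        while ts - recent[0][0] > window:  # drop failures older than the window
            recent.popleft()
        users = {u for _, u in recent}
        if len(users) >= max_users and ip not in alerts:
            alerts[ip] = {"ip": ip, "at": ts.isoformat(), "distinct_users": len(users)}
    return list(alerts.values())

def accounts_to_review(lines, alerts):
    """Usernames that logged in successfully from a flagged source."""
    flagged = {a["ip"] for a in alerts}
    events = filter(None, map(parse_line, lines))
    return sorted({u for _, outcome, ip, u in events if outcome == "OK" and ip in flagged})
```

A user who mistypes their own password a few times (jsmith in the sample) is not flagged, because the count is of distinct usernames per source rather than raw failures. The accounts returned by `accounts_to_review` are candidates for the damage-limiting controls in recommendation 6.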


When it comes to cybersecurity attacks, it is not a matter of if they will occur, but when. Because attempted attacks on your firm and clients’ information are inevitable, it is vital to do everything possible to prepare. When the correct preventative steps are taken, like those listed above, it is possible to stop attackers before they steal information or to halt the process of an attacker before major damage is done.

Cyber-attacks, like credential stuffing, can place a heavy burden on your firm and clients if not handled properly. By taking the steps above, you can help keep your information secure and assets safe. If your firm needs assistance drafting policies and procedures, training employees on cybersecurity best practices, or creating a response plan for what to do if a data breach affects your or a vendor’s system, Fairview can help. Contact us today for more information about cybersecurity support and vendor management services.