Set Up and Maintain Your Salesforce Organization
          Investigate Credential Stuffing


          Here are some tips for investigating a credential stuffing attack.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.

          Available in: Enterprise, Unlimited, and Developer Editions

          Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

          Start by querying these Real-Time Event Monitoring events that provide detailed information about the attack. In particular:

          • CredentialStuffingEvent and its storage equivalent CredentialStuffingEventStore track when a user successfully logs into Salesforce during an identified credential stuffing attack.
            Important: If the CredentialStuffingEvent object contains a record, an attack occurred in the past and Salesforce security has already taken care of the security issue. You don’t need to do anything other than investigate the attack for your own purposes.
          • LoginEventStream and its storage equivalent LoginEvent track all login activity in your Salesforce org.

          For example, say that your org receives a CredentialStuffingEvent. The first thing you do is look at relevant fields of the event to get basic information about the attack, such as:

          • UserId: The user’s unique ID. Use this ID to query LoginEvent for more login information.
          • EventDate: When this attack occurred.
          • Summary: A text summary of the event.

          See the API documentation for the full list of fields.

          This sample SOQL query returns these field values.

          SELECT UserId, EventDate, Summary FROM CredentialStuffingEventStore

          You can use this type of query to identify the users in your org that were affected by the credential stuffing attack. These users either reused their org password on other websites, or their password follows a common pattern and isn’t strong enough. Educate your users on how they can create and manage strong passwords to protect your org.
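The follow-up step described above, using each flagged UserId to look at that user's LoginEvent records, as an added example that is not Salesforce's own code. It assumes the rows from CredentialStuffingEventStore and LoginEvent have already been retrieved as lists of dictionaries; the LoginEvent fields SourceIp and Status, the one-hour window, and all sample values are assumptions or constructed data, so check field names against the API documentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SF_TIME = "%Y-%m-%dT%H:%M:%S.%f%z"  # datetime layout in the constructed sample rows

# Constructed sample rows shaped like query results for the two objects.
STUFFING_EVENTS = [
    {"UserId": "005000000000001AAA", "EventDate": "2024-03-02T10:15:00.000+0000",
     "Summary": "constructed sample summary"},
]
LOGIN_FIELDS = ("UserId", "EventDate", "SourceIp", "Status")
LOGIN_EVENTS = [dict(zip(LOGIN_FIELDS, row)) for row in [
    ("005000000000001AAA", "2024-03-01T08:00:00.000+0000", "198.51.100.20", "Success"),
    ("005000000000001AAA", "2024-03-02T09:58:11.000+0000", "203.0.113.7", "Invalid Password"),
    ("005000000000001AAA", "2024-03-02T10:15:00.000+0000", "203.0.113.7", "Success"),
    ("005000000000001AAA", "2024-03-02T10:40:30.000+0000", "198.51.100.20", "Success"),
    ("005000000000002AAA", "2024-03-02T10:16:00.000+0000", "192.0.2.5", "Success"),
]]

def parse(ts):
    return datetime.strptime(ts, SF_TIME)

def correlate(stuffing_events, login_events, window=timedelta(hours=1)):
    """For each flagged login, summarize the same user's logins within `window` of it."""
    logins_by_user = defaultdict(list)
    for row in login_events:
        logins_by_user[row["UserId"]].append(row)
    report = []
    for ev in stuffing_events:
        when = parse(ev["EventDate"])
        nearby = [r for r in logins_by_user.get(ev["UserId"], [])
                  if abs(parse(r["EventDate"]) - when) <= window]
        report.append({
            "UserId": ev["UserId"],
            "EventDate": ev["EventDate"],
            "Summary": ev["Summary"],
            "logins": len(nearby),
            # Any status other than "Success" is counted as a failed attempt.
            "failed": sum(1 for r in nearby if r["Status"] != "Success"),
            # Distinct source addresses help separate the user's usual network from others.
            "source_ips": sorted({r["SourceIp"] for r in nearby}),
        })
    return report

if __name__ == "__main__":
    for line in correlate(STUFFING_EVENTS, LOGIN_EVENTS):
        print(line)
```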

          Also consider improving your security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password. Salesforce requires the use of multi-factor authentication (MFA) for all logins to the user interface — make sure MFA is enabled for all your users. Finally, investigate enabling Lightning Login for password-free logins.

           