Credential stuffing is a type of attack where threat actors try to use previously stolen usernames and passwords on another victim’s accounts. This type of cyber attack is especially popular nowadays because of the amount of security breaches around the world when millions of stolen usernames, passwords are circulating on the dark web.
To successfully counteract this ever growing threat you need to know how it works and what you can do to reduce its risks or prevent it.
How Credential Stuffing Works
To do credential stuffing, threat actors simply put a pair of stolen credentials into an automated botnet which will try this pair on various sites at once. Sometimes during such a stuffing attack the traffic on targeted sites can rise up to 180 times from their typical traffic measurement.
Once an automated botnet finds a match threat actors can do the next with successfully compromised account:
- Institutional and corporate espionage/ theft. One of the most devastating attacks on businesses and organizations. If the attack was successful, threat actors can now have access to various valuable data like addresses, social security numbers, credit card numbers and login credentials as well.
As a result they can sell it to whoever shows an interest;
- E-commerce fraud. Threat actors get access to other people’s accounts at some retailer websites to order high value products for themselves or resell them later;
- Selling access to compromised accounts. Threat actors steal accounts for major media streaming services like Netflix, Spotify and Disney+ and sell them later on the dark web.
Credential Stuffing Attack VS. Brute Force Attack
Often people tend to confuse the terms credential stuffing and brute force attack although they are related.
Their relation lies in the principle of work when threat actors in both cases credential stuffing and brute force are trying to guess the victim’s username and password. The difference is that in brute force attack threat actors don’t know the actual password or username they need to guess them by changing numbers, characters and do so in a manner when taking into consideration commonly used base password phrases or some other prescribed manner.
To protect yourself against brute force attacks you can limit the number of possible failed login attempts, enable CAPTCHA or make a requirement for your users to create strong and more reliable passwords.
However strong passwords won’t help if threat actors already know it. In case you have your password leaked, create new ones that don’t resemble your previous one in any way because many users tend to create new ones based on the previous passwords they had.
How Serious Credential Stuffing Attack Can Be
According to the Securities and Exchange Commission credential stuffing attacks have been on the rise since people started to have various and multiple accounts.
The fact that credential stuffing doesn’t lose its popularity among threat actors but instead gains ever more popularity proves the existence of not long ago found the Pemilanc list that contains more than 111 million records of usernames/passwords. Among the biggest and most serious credential stuffing incidents can be named that with JPMorgan Chase in 2014. Threat actors managed to get access to a cache of a billion stolen usernames and passwords.
Another example of credential stuffing happened with three eBay employees when threat actors gained unauthorized access to the company’s network and database. The attackers had the access for an astonishing 229 days.
The Cost Of Credential Stuffing Incidents For Companies And Organizations
Despite their seriousness, credential stuffing attacks in general have a low success rate ( usually it can be from one to three percent of a successful credential stuffing). Although they have such a low success rate credential stuffing attacks can have a much bigger impact on its targets. According to the Ponemon Institute’s Cost of Credential Stuffing report, companies and organizations lose on average up to six millions per year because of credential stuffing attacks.
The reported cost of such losses include the loss of customers, application downtime, increased IT costs. Not only these costs companies and organizations have to spend because of credential stuffing attack incidents but they also may have to pay fines, for example, under GDPR regulation. GDPR or General Data Protection Regulation is Europe’s privacy and security law that requires any organizations or companies that collect and subsequently handle data that belongs to EU citizens to follow certain obligations concerning the matter. GDPR imposes heavy fines on anyone breaching this law.
How To Prevent Credential Stuffing Attack
To prevent credential stuffing attacks users and those who provide service need to take into consideration the next steps to provide better security for both parties:
- Set regular monitoring for leaked credentials. A service provider can use specific solutions that will help users to scan their login credentials and see if there’s been a compromise.
Such scanning solutions compare the existing login credentials with those already published on the dark web and alert users if a match is found.
Not only service providers can use scanners for leaked credentials but ordinary users can enter their credentials on website like HaveIBeenPwned.com to see if they have been somewhere compromised;
- Enable multi-factor authentication (MFA). In addition to having one password to login with two-factor authentication (2FA) or multi-factor authentication (MFA) you will need to go through additional steps of verification like one time code, pre registered security question or even enter your biometrics (facial recognition, fingerprint) before getting access to your account;
- Limit failed login attempts. Service providers can set a limit on how many times users are able to try to login. For example, financial institutions are very strict on this matter; usually you can only try from three to five times to login after that the account a user tries to access gets deactivated.
Of course, not every service need such a strict verification method but it will be useful where the attempts to get an unauthorized access are much more higher than generally;
- Enable web application firewall (WAF). WAF was designed to prevent all data breaches that can occur via the web. It can’t necessarily stop credential stuffing taking place but it will detect an anomaly high level of attempts to login that usually comes when threat actors use botnet for credential stuffing;
- Create unique passwords for each service. The easiest and seems to be the most reliable solution against credential stuffing attacks. All you need to do is to create a complex and strong password that won’t be easily guessed by anyone unauthorized.
Of course, it can be difficult to create and to remember all the passwords if there are fifty or even hundreds of them.
As a solution for this you can use specially created password managers that not only will securely store all your passwords but also will create complex and strong ones.