What is Credential Stuffing?

Credential stuffing is a type of cyberattack in which cybercriminals utilize stolen login credentials from one system to try accessing a different system.

The basis of credential stuffing attacks is the assumption that individuals frequently employ the same user ID and password for various accounts. Consequently, having the credentials for one account may enable access to other unrelated accounts.

Why is Credential Stuffing on the Rise?

Credential stuffing poses an increasing threat due to several factors:

• Credential availability: Over recent years, billions of usernames and passwords have been stolen or exposed, with these credentials readily available for purchase on dark web marketplaces. These compromised credentials serve as a foundation for credential stuffing attacks and various other cyber threats.
• Technological advancements: Credential stuffing attacks capitalize on bots or sophisticated automation tools, enabling rapid attempts to access multiple accounts within seconds. By targeting specific user ID and password combinations, these tools circumvent conventional security measures, including IP address blocking after numerous failed login attempts.
• Low entry barriers: Launching a credential stuffing attack requires minimal technical expertise and financial investment. For a mere $50 USD, individuals can procure compromised accounts from the dark web and initiate such attacks using basic computer resources.
• Remote work transition: The COVID-19 pandemic accelerated the adoption of remote work arrangements, catching many organizations off-guard in terms of network defense. Exploiting this shift, attackers utilize personal account credentials to breach business systems and services, leveraging the blurred boundaries between personal and professional networks.
• Detection challenges: In successful credential stuffing attacks, adversaries masquerade as legitimate users, such as employees or contractors, making detection arduous. Moreover, lacking typical indicators like malware, these attacks evade traditional cybersecurity defenses, exacerbating the difficulty of detection.

How Does a Credential Stuffing Attack Work?

Credential stuffing attacks follow a straightforward progression:

• Attackers exploit stolen or purchased account credentials, often obtained from large-scale data breaches or other cyber incidents. These credentials are typically available for minimal cost on the dark web.
• Armed with credentials from at least one online account, the attacker deploys a botnet or similar automated tool to simultaneously attempt access to numerous unrelated accounts. Typically, these bots employ features to obfuscate or spoof IP addresses, evading security measures that might block unusual or foreign addresses.
• The bot assesses whether access was granted to any secondary accounts or services. Upon successful login, the attacker gathers additional information such as personal data, stored payment details, or banking information. Fraudulent activities may include selling compromised subscription accounts on the dark web, making unauthorized purchases using stored payment methods, conducting account takeovers to facilitate future illicit actions, or leveraging obtained personal information for phishing campaigns and more sophisticated attacks.

If hackers manage to infiltrate a corporate network through a compromised account, such as an employee’s, they can exploit their access to move laterally within the system. This may involve installing backdoors, gathering intelligence for future attacks, or exfiltrating sensitive data. Since the attacker utilizes legitimate account credentials, their actions mimic those of a genuine user, complicating detection through conventional security measures.

Credential Stuffing Attacks vs. Brute Force Attacks

Credential stuffing and brute-force attacks share similarities in their goal of gaining unauthorized access, yet they differ significantly:

Brute-force Attack: A brute-force attack involves systematically trying various combinations of usernames and passwords to breach sensitive data and systems. Typically, attackers rely on commonly used passwords or phrases, such as “Qwerty” or “123456”, to crack login credentials.

Credential Stuffing Attack: In contrast, a credential stuffing attack utilizes stolen user credentials from one service to access unrelated networks or accounts. For instance, if a user’s email credentials are compromised, the attacker may attempt to access banking sites, utility services, or digital marketplaces using the same credentials.

Key Differences:

1. Attack Specificity:
   • Brute-force attacks involve guessing user IDs, passwords, or both, often relying on commonly used passwords.
   • Credential stuffing attacks use known credentials from one service to access other accounts, making them more targeted and specific.
2. Access Attempts:
   • Brute-force attacks employ bots to try numerous combinations of user IDs and passwords, risking IP address blocking due to excessive failed attempts.
   • Credential stuffing attacks focus on using a specific set of credentials across various sites, often evading detection by security tools due to single access attempts.
3. Password Strength:
   • Brute-force attacks target weak, commonly used passwords, emphasizing the importance of selecting strong, unique passwords for each account.
   • Credential stuffing attacks exploit compromised accounts regardless of password strength, highlighting the risk of reusing passwords across multiple accounts.

While both types of attacks aim to breach security barriers, their methodologies and implications differ, necessitating tailored preventive measures.

Real-world Examples of Credential Stuffing Attacks

It’s alarming to discover the extent to which companies have fallen victim to credential stuffing attacks. Here are several notable instances:

• HSBC: In 2018, HSBC experienced a significant credential stuffing attack, jeopardizing the financial data of its clients.
• DailyMotion: In January 2019, the DailyMotion video platform faced temporary shutdown due to an attack of this nature.
• Dunkin’ Donuts: Within a span of three months in 2019, Dunkin’ Donuts encountered two large-scale credential stuffing attacks.
• Reddit: Also in 2019, Reddit users lost access to their accounts and had their data compromised as a result of an attack.
• Deliveroo: In 2019, Deliveroo customers were billed for unauthorized orders stemming from a credential stuffing incident.
• Basecamp: The same year, Basecamp had to combat a surge of fraudulent login attempts over a brief period.
• Sizmek: A Russian hacker targeted Sizmek, a prominent advertising firm, in 2019, auctioning off stolen controls for advertising campaigns on the dark web.
• TurboTax: In 2019, TurboTax suffered a security breach due to credential stuffing, leading to unauthorized access to customer tax information and social security numbers.
• Nintendo and Zoom: Amid the 2020 pandemic lockdowns, both Nintendo and Zoom fell victim to hacking incidents.
• Spotify: Also in 2020, Spotify’s music streaming service faced an attack utilizing data from 380 million user records sourced from various origins.
• The North Face: In 2020, The North Face encountered a severe credential stuffing attack, prompting the retailer to reset numerous customer accounts.
• RIPE NCC: In 2021, website domain registrar RIPE NCC was targeted, with attackers exploiting the company’s single-sign-on service, resulting in exposure of multiple databases and services.

How to Detect and Prevent Credential Stuffing?

To mitigate credential stuffing attacks at the enterprise level, organizations must recognize that conventional security measures, like enforcing robust password policies and monitoring login attempts, offer limited protection against this specific attack vector. Nonetheless, there are several proactive steps companies can take to prevent credential stuffing attacks and mitigate their impact:

• Enable multifactor authentication (MFA): Multifactor authentication (MFA) mandates users to verify their identity using multiple methods, such as traditional credentials combined with a security token via text message, authenticator tool, or biometric verification. By implementing MFA, organizations significantly bolster their defense against credential stuffing attacks, as attackers typically lack access to the additional authentication factors required for entry.
• Implement IT hygiene: Leveraging IT hygiene tools provides insight into credential usage across the organization, aiding in the detection of potentially malicious administrative activity. Features such as account monitoring help identify accounts created by attackers to maintain unauthorized access. Additionally, regular password rotations ensure that stolen credentials lose efficacy over time.
• Introduce proactive threat hunting: Proactive threat hunting entails continuous monitoring for clandestine attacks employing stolen credentials, disguised as legitimate user activity. This approach, distinct from standard security measures, identifies and tracks subtle threats that may evade detection otherwise. Leveraging expertise gained from combating sophisticated adversaries, proactive threat hunting identifies and addresses potential threats promptly.
• Educate employees on password risks: Credential stuffing attacks often stem from password reuse across multiple services. Even strong passwords pose a risk if reused across accounts. Educating users on the dangers of password reuse and promoting best practices for selecting unique, robust passwords is crucial. Providing password manager tools helps users generate and store complex passwords securely, while discovery tools identify default passwords on devices, prompting users to change them.

FAQ’s

What is credential stuffing?

Credential stuffing is a type of cyberattack where cybercriminals use stolen login credentials, obtained from one source, to gain unauthorized access to another system or platform. This method relies on the assumption that individuals often reuse the same usernames and passwords across multiple accounts.

Why is credential stuffing becoming more prevalent?

Credential stuffing attacks are on the rise due to various factors. The widespread availability of stolen credentials on the dark web, technological advancements enabling automated attacks, low barriers to entry for attackers, the shift to remote work, and the difficulty in detecting such attacks contribute to their increasing prevalence.

How does a credential stuffing attack work?

In a credential stuffing attack, cybercriminals utilize stolen or purchased login credentials to access other accounts or systems. They employ automated tools, such as bots, to systematically try different combinations of usernames and passwords across multiple platforms, exploiting the tendency of users to reuse passwords.

What are the differences between credential stuffing and brute-force attacks?

While both credential stuffing and brute-force attacks aim to gain unauthorized access, they differ in methodology. Brute-force attacks involve systematically trying various combinations of usernames and passwords, whereas credential stuffing utilizes known credentials from one service to access unrelated accounts.

How can organizations detect and prevent credential stuffing attacks?

Organizations can mitigate the risk of credential stuffing attacks by implementing multifactor authentication, maintaining good IT hygiene, conducting proactive threat hunting, and educating employees about password risks. These measures help enhance security and reduce the likelihood of successful attacks.

What are some real-world examples of credential stuffing attacks?

Several major companies, including HSBC, DailyMotion, Dunkin’ Donuts, Reddit, and TurboTax, have fallen victim to credential stuffing attacks in recent years. These attacks have resulted in compromised user accounts, financial losses, and reputational damage for the affected organizations.

How can individuals protect themselves from credential stuffing attacks?

Individuals can protect themselves by using unique, complex passwords for each account, avoiding password reuse, enabling two-factor authentication whenever possible, and staying vigilant for signs of suspicious activity on their accounts.

What should I do if I suspect that my account has been compromised in a credential stuffing attack?

If you suspect that your account has been compromised, immediately change your password, enable two-factor authentication if available, and review your account activity for any unauthorized transactions or changes. Contact the platform or service provider for further assistance in securing your account.

Are there any legal consequences for perpetrating a credential stuffing attack?

Yes, engaging in credential stuffing attacks is illegal and punishable under various cybercrime laws. Perpetrators can face criminal charges, fines, and imprisonment if caught and prosecuted for their actions. It’s essential to report any suspected cyberattacks to law enforcement authorities for investigation.

Conclusion

Credential stuffing presents a significant threat in today’s digital world. However, by implementing proactive security measures like multifactor authentication and maintaining good IT hygiene, organizations can bolster their defenses against these attacks. Collaboration between stakeholders and cybersecurity professionals is essential in combating the proliferation of credential stuffing and ensuring a safer online environment. With vigilance and proactive measures, we can mitigate the risks posed by credential stuffing and safeguard our digital assets.