Credential Stuffing – What is It and How to Avoid It

Using the same username and password for several (private and business) accounts opens the door to credential stuffing. A cybercriminal running a malicious automation tool can try stolen credentials against employees' accounts, exposing both the user and the company to multiple risks.
Cybercriminals then use stolen or leaked credentials to gain access to the company's servers or cloud environments. Businesses hit by credential stuffing suffer financial, operational, and reputational damage:
- Unauthorized access to user accounts can lead to identity theft, bank account draining, and fraudulent transactions.
- According to the Verizon Data Breach Report, 30% of breaches in the past 10 years used stolen credentials. According to Okta, 35% of all login attempts are the result of credential stuffing.
- Businesses may suffer direct financial losses as well as possible liability for their failure to protect user accounts, which can have a disastrous financial impact. The financial services industry lost $3.4 billion as a result of these attacks in 2020 alone.
What is Credential Stuffing?

Credential stuffing means automatically injecting stolen credentials (username and password) into website login forms to unlawfully access user accounts.
Since many users reuse their login, password, and email address, these credentials can be compromised (e.g., through a phishing attempt or database breach). The attacker will then be able to misuse those accounts by entering the stolen credentials into dozens or even hundreds of other websites.
Credential stuffing belongs to the category of brute-force attacks. Brute forcing, or password guessing, is the process of trying a large set of passwords on one or more accounts. Generally speaking, credential stuffing is the deliberate use of stolen username/password combinations on other websites.
Additionally, attackers can reset passwords, especially for commercial accounts, using information discovered in data thefts. In this way they can obtain business data, email addresses, and other confidential information, damaging the business's reputation.
Even if the passwords are not reused, an attacker can still take control of your environment through recovery emails or other private data that may have been compromised. They can also sell your credentials to other hackers and scammers.
How To Detect Credential Stuffing?

Credential stuffing puts users and businesses at risk because of the repercussions of these breaches. The attacker obtains usernames and passwords through phishing attacks, password dump websites, or website breaches, and one credential stuffing breach then feeds the next in an interconnected chain of events.
The attacker employs automated tools to test the stolen credentials against numerous websites (e.g., platforms, online marketplaces, or web applications). If a login succeeds, the attacker knows they have a set of legitimate credentials and can access the account at will.
Since credential stuffing attacks frequently mimic legitimate user behavior, detecting them can be difficult. The following signs point to credential stuffing:
- You receive a notification that someone is trying to log into your account.
- You notice that your passwords have been changed without your action.
- Your device installs software you didn't authorize.
- You get fake antivirus messages asking you to install something.
- You find payments (purchases) on your credit card that you didn't make.
- You notice that some private messages, documents, or pictures are missing or displaced.
- Your personal data is leaked and appears on third-party websites you haven't registered on.
- Your social accounts have been compromised.
- Some of your colleagues or friends receive phishing or other suspicious messages from your account.
On the business side, session monitoring and recording tools can identify unusual credential usage and unwanted access attempts.
Credential Stuffing vs Password Spraying

Although they are both types of brute-force password attacks, credential stuffing and password spraying are not the same. Credential stuffing uses credentials that have been stolen or leaked from one account to compromise additional accounts, whereas password spraying tries a popular or simple password across many accounts.
Because they lack valid credentials, attackers in a password-spraying attack make informed guesses. After enough trial and error, they may eventually uncover a username/password combination that opens an access point. Password spraying works because many users choose weak, common passwords (password123, 123456, qwerty, etc.).
Attackers can obtain legitimate credentials in a variety of ways. They can find lists of usernames and passwords in libraries and code repositories like GitHub, buy them on the Dark Web through Initial Access Brokers, or get them from data breaches, phishing, or malware attacks.
How To Prevent Credential Stuffing?
Now we'll explore the various methods for preventing credential stuffing.
Don't Use Email addresses as User IDs
Reusing usernames or account IDs across services is the basis of credential stuffing. This is far more likely to occur if the ID is an email address. You may significantly lower the likelihood that users will reuse the same user/password combination on another website by prohibiting them from using their email address as an account ID.
Strong Passwords
With the sensitive information in your online accounts, especially your email, a thief might easily steal your identity. Make sure every device and account has a strong, one-of-a-kind, and complicated password. If you're worried about remembering a lot of passwords, think about utilizing a secure password manager.
Multi-factor Authentication
For added security, enable multi-factor authentication (MFA), which requires a special code in addition to your password to access your accounts. It's also better to utilize an authenticator app rather than SMS when getting MFA codes.
Device Fingerprint
JavaScript can be used to generate a "fingerprint" for every incoming session and gather data about user devices. Operating system, language, browser, time zone, user agent, and other factors are combined to create the fingerprint. If the same fingerprint shows up in a run of login attempts, especially against many different accounts, it is most likely a brute force or credential-stuffing attack.
More stringent controls, such as banning the IP, can be applied when you use a strict fingerprint built from many factors. Combining two or three common factors and enforcing a lighter response, such as a short ban, lets you catch more attacks at the cost of more false positives. Operating System + Geolocation + Language is a typical fingerprint combination.
Using CAPTCHA
CAPTCHA, which requires users to complete a challenge to prove they are human, can reduce the effectiveness of credential stuffing. As with MFA, CAPTCHA should be used selectively and supplemented with other techniques, because headless browsers and solving services make it easy for attackers to get around it.
IP Blacklists
Blocking or sandboxing IPs that try to log into numerous accounts is another useful control, because attackers usually have a limited pool of IP addresses. To lower false positives, keep track of the last few IP addresses used to access a particular account and compare them with the suspected malicious IP: an IP the account has recently used legitimately should not be treated as an attacker.
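To make the two preceding sections concrete, here is a small server-side detector, written as an added example and not part of the original article or any product it mentions. It hashes the Operating System + Geolocation + Language combination into a session fingerprint, counts how many distinct accounts each fingerprint and each IP attempts, and keeps each account's last few IPs so that a shared or previously used IP is not blocked for the user who legitimately owns it. The login events, IP addresses and threshold values are constructed sample data, and the assumption that a coarse geolocation string is available per request is the example's own.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    """One login attempt as the server sees it (constructed sample data below)."""
    account: str
    ip: str
    os: str        # operating system reported by the client
    geo: str       # coarse geolocation derived from the IP (assumed available)
    lang: str      # Accept-Language / navigator.language
    success: bool


def fingerprint(a: LoginAttempt) -> str:
    """Hash the OS + Geolocation + Language combination into a short fingerprint."""
    raw = "|".join((a.os, a.geo, a.lang))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


class StuffingDetector:
    """Counts distinct accounts attempted per fingerprint and per IP, and keeps
    each account's last few IPs so a known IP is not treated as an attacker."""

    def __init__(self, max_accounts: int = 5, history: int = 3):
        self.max_accounts = max_accounts
        self.accounts_by_fp: dict[str, set[str]] = defaultdict(set)
        self.accounts_by_ip: dict[str, set[str]] = defaultdict(set)
        # last `history` IPs from which each account logged in successfully
        self.recent_ips: dict[str, deque] = defaultdict(lambda: deque(maxlen=history))
        self.suspect_ips: set[str] = set()
        self.suspect_fps: set[str] = set()

    def observe(self, a: LoginAttempt) -> list[str]:
        """Record one attempt; return alert strings raised by this attempt."""
        alerts = []
        fp = fingerprint(a)
        self.accounts_by_fp[fp].add(a.account)
        self.accounts_by_ip[a.ip].add(a.account)
        n_fp = len(self.accounts_by_fp[fp])
        if n_fp >= self.max_accounts and fp not in self.suspect_fps:
            self.suspect_fps.add(fp)
            alerts.append(f"fingerprint {fp} tried {n_fp} distinct accounts")
        n_ip = len(self.accounts_by_ip[a.ip])
        if n_ip >= self.max_accounts and a.ip not in self.suspect_ips:
            self.suspect_ips.add(a.ip)
            alerts.append(f"ip {a.ip} tried {n_ip} distinct accounts")
        if a.success:
            self.recent_ips[a.account].append(a.ip)
        return alerts

    def should_block(self, ip: str, account: str) -> bool:
        """Block a suspect IP unless this account recently logged in from it."""
        return ip in self.suspect_ips and ip not in self.recent_ips[account]


def sample_attempts() -> list[LoginAttempt]:
    """Constructed traffic: a real user, a shared office IP, and a stuffing run."""
    attacker_ip = "198.51.100.7"          # documentation range, constructed
    events = [
        LoginAttempt("alice", "203.0.113.10", "Linux", "US", "en-US", True),
        LoginAttempt("bob", attacker_ip, "Windows", "DE", "de-DE", True),  # bob really uses this IP
    ]
    # Stuffing run: one attempt per leaked account, identical OS + geo + language
    for i in range(1, 7):
        events.append(LoginAttempt(f"user{i}", attacker_ip, "Windows", "DE", "en-US", False))
    return events


def run_sample() -> tuple:
    """Feed the constructed traffic through the detector; return (detector, alerts)."""
    det = StuffingDetector(max_accounts=5)
    alerts = []
    for ev in sample_attempts():
        alerts.extend(det.observe(ev))
    return det, alerts


if __name__ == "__main__":
    det, alerts = run_sample()
    for line in alerts:
        print("ALERT:", line)
    print("block 198.51.100.7 for alice?", det.should_block("198.51.100.7", "alice"))
    print("block 198.51.100.7 for bob?  ", det.should_block("198.51.100.7", "bob"))
```

In the sample run the attacker's IP crosses the five-account threshold before the fingerprint does, because bob's genuine login from the same address counts toward the IP total; bob is then exempt from the block while the other accounts are protected. In production the counters would live in a store with expiry (such as a sliding window) rather than growing forever in memory.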
Limit Bots and Scammers
Traffic coming from AWS, Azure, Google Cloud, or other commercial data centers is easily identifiable. Such traffic should be handled considerably more carefully than normal user traffic because it is most likely bot activity. Apply strict rate limits to it and blacklist or block IPs exhibiting questionable behavior.
Infrastructure Protection
By adopting infrastructure access tools with access management and monitoring features, companies can identify credential-stuffing attacks. With these technologies, IT teams can more easily spot an attack and gain comprehensive insight into user credentials and activity across all network servers, databases, and applications.
When used in tandem, access control and monitoring guarantee uninterrupted account access for verified users while highlighting any unusual or questionable login behavior at the user or application level.
Credential Stuffing Real Cases

According to the F5 report, over 80% of hacking-related breaches involve brute force or the use of stolen credentials. The software/SaaS, financial services, energy, and education sectors faced notable attack volumes. The following recent cases show how credential stuffing attacks operate and what their consequences are.
Zoom
In a 2020 credential stuffing attempt against Zoom, attackers collected login credentials for existing Zoom accounts from compromised databases posted on dark web sites; some of these credentials had been stolen in breaches dating back to 2015. The attackers then tried to access the Zoom accounts using several bots.
North Face
In 2022, 200,000 accounts on North Face's online store were compromised in a credential stuffing attack. The attackers gained access to customer data by logging into the e-commerce platform with legitimate credentials.
Roku
In the Roku breach (March 2024), credential stuffing attacks affected 576,000 accounts. According to the firm, Roku accounts were compromised by attackers using credentials taken from other online platforms together with SilverBullet cracking tools. The compromised accounts were then sold on illicit marketplaces for roughly 50 cents each.
Dropbox
Dropbox, 2012 breach: Usernames and passwords were taken from unaffiliated services, not Dropbox. The attackers then attempted to access Dropbox and other websites using the credentials they had obtained.
JP Morgan
JP Morgan, 2014 breach: Bank employees and other corporations were eligible to participate in a charity race competition. Some email address/password combinations used by race participants who registered on the external Corporate Challenge website were among the compromised data.
Bottom Line
Nowadays, many user account credentials are at risk because of widespread data breaches, so credential stuffing prevention is essential for all individuals and companies.
Since modern tooling has made credential-stuffing attacks easier than ever, it is crucial to implement Identity Threat Detection and Response (ITDR) solutions. These solutions help you detect suspicious credential activity and stop attacks before they cause extensive financial and reputational damage.