With so many websites and applications requiring their own user credentials, that is, a username and a password, it is tempting to use the same credentials across all of these platforms.
In fact, according to the 2022 Annual Identity Exposure Report by SpyCloud, which analyzed more than 15 billion compromised credentials available on criminal underground sites, it was found that 65 percent of breached passwords were used for at least two accounts.
To users reusing credentials on different platforms, it might seem like a clever way to avoid forgetting passwords, but in reality it is a disaster waiting to happen.
If one of those systems is compromised and your credentials are captured, every other account that uses the same credentials is at risk. Bearing in mind that compromised credentials are sold cheaply on the dark web, you can easily become a victim of credential stuffing.
Credential stuffing is a cyber-attack where malicious actors use stolen credentials for an online account or system to try to access other unrelated online accounts or systems.
For example, a malicious actor who obtains the username and password for your Twitter account can try those same credentials against PayPal.
If you use the same credentials on Twitter and PayPal, your PayPal account is taken over because of a breach of your Twitter credentials, and any other account that shares those credentials is exposed in the same way. The attack exploits nothing more than the fact that many users reuse credentials across accounts.
Malicious actors conducting credential-stuffing attacks typically use bots to automate and scale the process, which lets them test a large number of compromised credentials against many online platforms. With credentials leaking from data breaches and being sold on the dark web, credential-stuffing attacks have become prevalent.
How Credential Stuffing Works
A credential-stuffing attack starts with the acquisition of compromised credentials. These usernames and passwords can be bought on the dark web, taken from password dump sites, or obtained directly through data breaches and phishing campaigns.
The next step is setting up bots to test the stolen credentials against different websites. Automated bots are the go-to tool because they can replay a large list of credentials against many sites at high speed while mimicking ordinary browser logins.
Bots also sidestep per-IP lockouts: attempts are spread across large pools of proxy or residential IP addresses so that no single address accumulates enough failed logins to trip a block.
While the attack runs, automated checks record which attempts returned a successful login. This way attackers quickly build a list of credentials that work on particular sites and use them to take over the corresponding accounts.
Once attackers have gained access to an account, what they do with it is up to them. They can resell the working credentials to other attackers, steal sensitive information from the account, commit identity theft, or, if a payment or bank account is involved, use it to make online purchases.
Why Credential Stuffing Attacks Are Effective
Credential stuffing is a cyber attack with a very low success rate. According to The Economy of Credential Stuffing Attacks report by Insikt Group, Recorded Future's threat research division, the average success rate of a credential-stuffing attack is between one and three percent.
Even so, Akamai Technologies noted in its 2021 State of the Internet / Security report that it observed 193 billion credential-stuffing attempts globally in 2020.
The attacks keep growing in number and prevalence because of the sheer volume of compromised credentials available and the easy access to advanced bot tools that make the login attempts almost indistinguishable from those of real users.
The arithmetic works in the attacker's favour: even at a success rate of just one percent, an attacker holding 1 million compromised credentials can expect to take over about 10,000 accounts. Credential lists of that size are routinely traded on the dark web, and each list can be replayed against many platforms.
The combination of these high volumes of compromised credentials with users who continue to reuse the same credentials across accounts is what makes credential stuffing so effective despite its low per-attempt success rate.
Credential Stuffing Vs. Brute Force Attacks
Although credential stuffing and brute force attacks are both account takeover attacks and the Open Web Application Security Project (OWASP) considers credential stuffing a subset of brute force attacks, the two differ in how they are executed.
In a brute-force attack, a malicious actor tries to take over an account by guessing the username, the password, or both. This is typically done by trying as many username and password combinations as possible with no prior knowledge of what they might be.
A brute-force attack might use common password patterns or a dictionary of frequently used passwords such as Qwerty, password, or 12345. It succeeds when the user has chosen a weak password or left a system default in place.
A credential-stuffing attack, on the other hand, attempts to take over an account by replaying credentials already compromised on other systems or online accounts. The attacker does not guess anything; the attack succeeds only when the user has reused the same credentials on multiple accounts.
Typically, brute-force attacks have a much lower success rate than credential stuffing. Brute force is defeated by strong, non-default passwords (together with rate limiting and lockouts). A strong password, however, does nothing against credential stuffing if it is shared across accounts; credential stuffing is prevented by using unique credentials for each online account.
How to Detect Credential Stuffing Attacks
Credential-stuffing actors typically use bots that mimic human clients, and it is often very difficult to tell a real user's login attempt apart from a bot's. There are still signs that can signal an ongoing credential-stuffing attack.
For instance, a sudden increase in web traffic should raise suspicion. In such a case, look at the login endpoint specifically: a spike in login attempts spread across many accounts and many IP addresses, or a login failure rate well above the site's normal baseline, points to an ongoing credential-stuffing attack.
Another indicator is users complaining that they have been locked out of their accounts or that they are receiving notifications about failed login attempts they did not make.
Additionally, monitor post-login activity. Unusual actions such as changes to account settings or profile information, money transfers, or online purchases that do not fit the user's history can signal that a credential-stuffing attack has already succeeded against that account.
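The indicators above can be turned into a simple detector. The following is an added example, not code from the original article: it parses a constructed authentication log (the line format is an assumption of this example, not any vendor's), buckets attempts into five-minute windows, and flags a window when login volume, failure rate, and spread across distinct usernames and source IPs all exceed thresholds. The thresholds are assumptions to be tuned against your own baseline. Each alert also lists the accounts that logged in successfully during the flagged window, which are the ones to force through a password reset and session revocation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not any vendor's): one login attempt per line,
# "<ISO-8601 UTC timestamp> <client IP> <username> <OK|FAIL>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def constructed_sample_log():
    """Constructed sample data: five minutes of normal traffic followed by a
    stuffing burst in which each username is tried once from a rotating pool
    of 20 proxy IPs. Two of the burst's attempts succeed (reused passwords)."""
    lines = [
        "2024-05-01T10:00:01Z 198.51.100.7 alice OK",
        "2024-05-01T10:00:45Z 198.51.100.7 alice OK",
        "2024-05-01T10:01:10Z 198.51.100.23 bob FAIL",
        "2024-05-01T10:01:20Z 198.51.100.23 bob OK",
        "2024-05-01T10:03:02Z 198.51.100.41 carol OK",
        "2024-05-01T10:04:30Z 198.51.100.9 dave OK",
    ]
    for i in range(30):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"2024-05-01T10:05:{i:02d}Z 203.0.113.{i % 20 + 1} user{i:03d} {result}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (timestamp, ip, username, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def window_start(ts, width):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // width) * width


def detect_stuffing(events, width=timedelta(minutes=5), min_attempts=20,
                    max_fail_rate=0.5, min_users=10, min_ips=5):
    """Flag windows whose login volume, failure rate and spread across distinct
    usernames and source IPs all exceed the thresholds (assumed values; tune
    them against your own baseline). Returns one alert per flagged window."""
    windows = defaultdict(list)
    for ev in events:
        windows[window_start(ev[0], width)].append(ev)

    alerts = []
    for start in sorted(windows):
        evs = windows[start]
        attempts = len(evs)
        failures = sum(1 for ev in evs if not ev[3])
        users = {ev[2] for ev in evs}
        ips = {ev[1] for ev in evs}
        fail_rate = failures / attempts
        # Many usernames from one IP catches an unthrottled single source;
        # one attempt per username from many IPs catches the distributed variant.
        users_per_ip = defaultdict(set)
        for ev in evs:
            users_per_ip[ev[1]].add(ev[2])
        max_users_one_ip = max(len(s) for s in users_per_ip.values())

        if (attempts >= min_attempts and fail_rate >= max_fail_rate
                and len(users) >= min_users and len(ips) >= min_ips):
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": attempts,
                "fail_rate": round(fail_rate, 2),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_users_from_one_ip": max_users_one_ip,
                # Accounts to force-reset: logins that succeeded inside the burst.
                "successful_accounts": sorted(ev[2] for ev in evs if ev[3]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(constructed_sample_log())):
        print(alert)
```

On the constructed data the first window (six ordinary logins, one failure) stays quiet, while the second window is flagged: 30 attempts, 93 percent failures, 30 distinct usernames from 20 IPs, with at most two usernames per IP, which is exactly the low-and-slow, many-IP pattern that per-IP lockouts miss.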
How to Protect Against Credential Stuffing
Several measures can be taken to avoid becoming a victim of credential-stuffing attacks. These include:
#1. Avoid reusing the same credentials across multiple accounts
Credential stuffing depends on a user sharing credentials across multiple online accounts. This is easily avoided by using unique credentials for each online account.
With a password manager such as Google Password Manager, users can use unique and strong passwords without worrying about forgetting them. Companies can also reduce credential overlap between sites by not using email addresses as usernames, which makes it more likely that users end up with different credentials on different platforms.
#2. Use Multifactor Authentication (MFA)
Multifactor authentication is the use of multiple methods to verify the identity of a user trying to log in. It is commonly implemented by combining the traditional username and password with a one-time security code sent to the user by email or text message. This is very effective against credential stuffing because a stolen password alone is no longer enough to log in. Note that codes sent by SMS or email are the weakest form of second factor, since they can be phished or intercepted through SIM swapping; an authenticator app or a hardware security key is the stronger choice.
MFA can even alert you that someone is trying to compromise your account, because you receive a security code without having requested one. MFA is so effective that a Microsoft study found online accounts are 99.9 percent less likely to be compromised when it is enabled.
#3. Device Fingerprinting
Device fingerprinting associates access to an online account with the devices the user normally logs in from. It identifies the device using attributes such as the device model, operating system and browser version, language, and country, among others.
Together these create a device fingerprint that is tied to the user account. A login from an unrecognised device is then not allowed through on the password alone; it triggers an extra verification step, such as confirming the login from a device already associated with the account.
#4. Monitor for leaked passwords
When users create usernames and passwords for an online platform, rather than only checking the strength of the password, the credentials should be checked against published lists of leaked passwords (NIST SP 800-63B recommends exactly this). This prevents users from registering a password that is already in the attackers' hands.
Organizations can also deploy solutions that continuously monitor user credentials against leaked credentials on the dark web and notify users whenever a match is found. Affected users can then be asked to verify their identity through other means, change their credentials, and enable MFA to further protect their account.
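The registration-time check can be done without ever sending the user's password, or even its full hash, to a third party. The following is an added example, not code from the original article: it reproduces the k-anonymity scheme used by the Pwned Passwords range API, in which the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally against the returned suffixes. To run offline it uses a constructed in-memory breach corpus and a stand-in for the HTTP request (the real endpoint is https://api.pwnedpasswords.com/range/<prefix>, which this code never contacts); the counts and the minimum-length policy are assumptions of the example.

```python
import hashlib

# Constructed breach corpus for offline use (password -> times seen).
# Counts are made up for this example.
CONSTRUCTED_BREACHED = {
    "password": 3861493,
    "123456": 37359195,
    "qwerty": 3946737,
    "Summer2024!!": 1200,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached):
    """Index the corpus the way the range API serves it:
    5-char hash prefix -> ["<35-char SUFFIX>:<COUNT>", ...]."""
    table = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)


def local_range_lookup(prefix):
    """Stand-in for an HTTP GET of /range/<prefix>: returns the response lines.
    A real client would swap in an HTTPS request here; nothing else changes."""
    return RANGE_TABLE.get(prefix, [])


def breach_count(password, range_lookup=local_range_lookup):
    """k-anonymity check: only the 5-character hash prefix leaves the client;
    the remaining 35 characters are matched locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def registration_password_ok(password, min_length=12):
    """Policy applied at sign-up (assumed): a length floor plus the breach check.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"appears in known breaches ({seen} times); choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!!", "correct horse battery staple 7&"):
        print(candidate, registration_password_ok(candidate))
```

Because the server only ever sees a five-character prefix, it cannot tell which of the hundreds of passwords sharing that prefix the user actually typed, so the check leaks nothing useful even if the lookup traffic is observed.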
#5. Credential Hashing
This means never storing passwords in plaintext but instead storing the output of a slow, salted password hash (such as bcrypt, scrypt, or Argon2). If the database is breached, the attacker obtains hashes rather than passwords and must crack each one before it can be reused elsewhere; a per-user salt ensures that identical passwords do not produce identical hashes and that precomputed lookup tables are useless.
Hashing is not foolproof, since weak passwords can still be cracked, but it buys users time to change their passwords after a breach and makes the leaked data far less valuable for credential stuffing.
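The weak and the hardened form side by side, as an added example rather than code from the original article. The unsalted fast hash is shown only to make the problem visible; the hardened version uses scrypt from the Python standard library with a random per-user salt, a self-describing record format of this example's own design (modelled on the $-delimited style used by common password hashers), a constant-time comparison, and a rehash check so that stored records can be upgraded at the user's next login when the cost parameters are raised. The cost parameters are assumptions; raise them as your hardware allows.

```python
import base64
import hashlib
import hmac
import secrets


def weak_hash(password):
    """The 'before' form: unsalted SHA-256. Two users with the same password get
    the same digest, and a leaked table is attacked with precomputed lookups."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Hardened form: per-user random salt plus a deliberately slow, memory-hard KDF.
# Parameters are assumptions for this example (16 MiB of memory per hash here).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password):
    """Return a self-describing record "$scrypt$n$r$p$salt$hash" so the
    parameters in force at hashing time travel with the record."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password, record):
    """Recompute with the record's own parameters and compare in constant time.
    Any malformed record is treated as a failed login rather than an exception."""
    try:
        _, algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except (ValueError, TypeError):
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(record):
    """True when a stored record uses a weaker cost than the current policy,
    so it can be re-hashed transparently after the next successful login."""
    parts = record.split("$")
    return len(parts) != 7 or parts[1] != "scrypt" or int(parts[2]) < SCRYPT_N


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted digests identical:", weak_hash(pw) == weak_hash(pw))
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted records identical:", r1 == r2)
    print("verify:", verify_password(pw, r1), verify_password("wrong", r1))
```

The login path that uses this is: verify the submitted password against the stored record; on success, if needs_rehash reports the record is below policy, hash the password again with the current parameters and overwrite the record, since this is the only moment the plaintext is legitimately available.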
Examples of Credential Stuffing Attacks
Some notable examples of credential-stuffing attacks include:
- The theft of over 500,000 Zoom credentials in 2020. This credential-stuffing attack used usernames and passwords collected from various dark web forums, some of them from breaches dating back as far as 2013. The working Zoom credentials were then put up on the dark web and sold cheaply to willing buyers.
- The compromise of thousands of Canada Revenue Agency (CRA) user accounts. In 2020, about 5,500 CRA accounts were compromised in two separate credential-stuffing attacks, leaving affected users unable to access CRA services.
- The compromise of 194,095 The North Face user accounts. The North Face, a sportswear retailer, suffered a credential-stuffing attack in July 2022 that exposed users' full names, telephone numbers, gender, loyalty points, billing and shipping addresses, account creation dates, and purchase histories.
- The Reddit credential-stuffing attack in 2019. Many Reddit users were locked out of their accounts after their credentials were compromised through credential stuffing.
These attacks highlight the need to protect yourself against the same technique.
You might have come across sellers offering accounts for streaming sites such as Netflix, Hulu, and Disney+, or for online services such as Grammarly, Zoom, and Turnitin, among others. Where do you think those sellers get the credentials?
Such credentials are most likely obtained through credential-stuffing attacks. If you use the same credentials across multiple online accounts, change them now, before you become a victim.
To protect yourself further, enable multifactor authentication on all your online accounts, and do not buy compromised credentials, as that demand is what keeps credential-stuffing attacks profitable.