By Lucian Constantin, CSO Senior Writer, CSO
Credential stuffing definition
Credential stuffing is the automated use of collected usernames and passwords to gain fraudulent access to user accounts. Billions of login credentials have landed in the hands of hackers over the past several years as a result of data breaches. These credentials fuel the underground economy and are used for everything from spam to phishing and account takeovers. Credential stuffing attacks are one of the most common ways cybercriminals abuse stolen usernames and passwords.
This is a brute-force attack technique, but instead of trying to guess passwords using “dictionaries” of common word combinations, attackers use lists of known valid credentials obtained from data breaches. The result is attacks that are much easier to execute and have a higher success rate because a large number of people continue to reuse their passwords across different websites, so credentials stolen from a low-profile website have a high chance of working on services that hold more sensitive data.
How big is the credential stuffing problem?
HaveIBeenPwned.com (HIBP), a free data breach notification service run by security researcher Troy Hunt, tracks over 8.5 billion compromised credentials from over 410 data breaches. The service only includes credentials from data sets that are public or have been widely distributed on underground forums, but many database dumps have remained private and are only available to small groups of hackers.
An entire underground economy based on selling stolen credentials and specialized tools supports automated credential stuffing attacks. These tools use so-called “combo lists” that have been put together from different data sets after the hashed passwords found in leaked databases have been cracked. This means that launching such attacks does not require any special skills or knowledge and can be done by virtually anyone who has a few hundred dollars to buy the tools and data.
Over a 17-month period, from November 2017 through the end of March 2019, security and content delivery company Akamai detected 55 billion credential stuffing attacks across dozens of verticals. While some industries were more heavily targeted than others — for example gaming, retail and media streaming — no industry was immune.
“For now, attackers see credential abuse as a low-risk venture with potential for a high payout, and these types of attacks are likely to increase for the foreseeable future,” the company said in a report released in June.
How to detect and mitigate credential stuffing attacks
Credential stuffing attacks are launched through botnets and automated tools that support the use of proxies that distribute the rogue requests across different IP addresses. Furthermore, attackers often configure their tools to mimic legitimate user agents — the headers that identify the browsers and operating systems web requests are made from.
All this makes it very hard for defenders to differentiate between attacks and legitimate login attempts, especially on high-traffic websites where a sudden influx of login requests doesn’t stand out as unusual. That said, an increase in the login failure rate over a short period of time can be a telltale sign that a credential stuffing attack is in progress.
While some commercial web application firewalls and services use more advanced behavioral techniques to detect suspicious login attempts, website owners can take measures to prevent such attacks.
One effective mitigation is to implement and encourage the use of multi-factor authentication (MFA). Even though some automated phishing and account takeover tools can bypass MFA, those attacks require more resources and are harder to pull off en masse than credential stuffing.
Since MFA has a usability cost, many organizations provide it as an option that users have to turn on rather than actually enforcing it. If making MFA mandatory for all user accounts is considered too disruptive for business, a compromise is to automatically enable it for users who are determined to be at greater risk, for example after an unusually large number of failed login attempts on their accounts.
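The two defensive signals described above, a site-wide jump in the login failure rate and an unusual number of failed attempts against a single account, can both be computed from ordinary authentication logs. The following Python example is added here for illustration; it is not code from the article or from any product it mentions. The log format, the sample events, the IP addresses and usernames, and the thresholds (one-minute windows, a 50% failure rate, more than three failures per account in ten minutes) are all constructed assumptions that a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real traffic).
# Format per line: ISO timestamp, client IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2019-06-01T10:00:01 203.0.113.5 alice OK
2019-06-01T10:00:03 203.0.113.9 bob OK
2019-06-01T10:00:05 198.51.100.7 carol FAIL
2019-06-01T10:01:00 198.51.100.7 dave FAIL
2019-06-01T10:01:02 198.51.100.8 erin FAIL
2019-06-01T10:01:04 198.51.100.9 frank FAIL
2019-06-01T10:01:06 198.51.100.10 grace FAIL
2019-06-01T10:01:08 198.51.100.11 heidi FAIL
2019-06-01T10:01:10 198.51.100.12 ivan OK
2019-06-01T10:01:12 198.51.100.13 bob FAIL
2019-06-01T10:01:14 198.51.100.14 bob FAIL
2019-06-01T10:01:16 198.51.100.15 bob FAIL
2019-06-01T10:01:18 198.51.100.16 bob FAIL
2019-06-01T10:05:00 203.0.113.5 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
EPOCH = datetime(1970, 1, 1)  # naive reference point for window bucketing


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def window_start(ts, window):
    """Align a timestamp to the start of its fixed-size window."""
    secs = (ts - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % window.total_seconds())


def failure_rate_alerts(events, window=timedelta(minutes=1),
                        min_attempts=5, max_failure_rate=0.5):
    """Site-wide signal: windows with enough attempts whose failure rate exceeds the threshold.

    Returns a list of (window_start, attempts, failure_rate). Because stuffing tools spread
    requests over many proxy IPs, the rate is computed across all clients, not per IP.
    """
    buckets = defaultdict(lambda: [0, 0])  # window_start -> [attempts, failures]
    for ts, _ip, _user, ok in events:
        bucket = buckets[window_start(ts, window)]
        bucket[0] += 1
        if not ok:
            bucket[1] += 1
    alerts = []
    for start in sorted(buckets):
        attempts, failures = buckets[start]
        rate = failures / attempts
        if attempts >= min_attempts and rate > max_failure_rate:
            alerts.append((start, attempts, round(rate, 2)))
    return alerts


def accounts_to_enforce_mfa(events, window=timedelta(minutes=10), max_failures=3):
    """Per-account signal: usernames with more than max_failures failed logins inside any
    sliding window of the given length. These are the higher-risk accounts on which the
    article suggests enabling MFA automatically rather than leaving it opt-in."""
    failures = defaultdict(list)
    for ts, _ip, user, ok in events:
        if not ok:
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 > max_failures:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for start, attempts, rate in failure_rate_alerts(evs):
        print(f"ALERT {start.isoformat()}: {attempts} attempts, failure rate {rate}")
    print("enable MFA for:", accounts_to_enforce_mfa(evs))
```

On the constructed sample the 10:01 window carries ten attempts with nine failures and is reported, while the 10:00 window (three attempts, one failure) stays below the minimum-attempts floor; only "bob", with four failures in a few seconds, is flagged for MFA enforcement. The minimum-attempts floor matters in practice: a handful of typos on a quiet site would otherwise produce a 100% failure rate and a spurious alert.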
Large companies have also started to be proactive by monitoring public data dumps and checking to see if the impacted email addresses also exist in their systems. For those accounts that are found on their services, even though they were compromised elsewhere, they force password resets and strongly suggest enabling MFA.
Companies that want to monitor if accounts set up by their employees with their work emails were impacted by external breaches can use services like HIBP to set up alerts for their entire domain names. HIBP’s public API has even been used to develop scripts in various programming languages that can be integrated into websites or mobile apps.
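One of HIBP's public endpoints that can be embedded in a signup or password-change flow is the Pwned Passwords range API, which uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally, so the password itself never leaves the site. The Python below is an added example, not code from the article or from HIBP. The range URL and the "SUFFIX:COUNT" response format are the documented ones; the sample response body and its counts are constructed so the check runs offline, and fetch_range_http is the assumed live fetcher a site would plug in instead.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response body for the prefix 5BAA6 (SHA-1 of "password" starts with it).
# The counts are made up for this example; the real service returns live numbers.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E8D3F4F4A2B0B7B8A64A4D8C1F3E2B9A07:1\r\n"
)


def sha1_prefix_suffix(password):
    """Hash the candidate password the way HIBP does and split off the 5-char prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a dict; ignore blank, padded or malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def fetch_range_http(prefix, timeout=10):
    """Live fetcher (assumed deployment hook): GET the range for a 5-char hex prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-pwned-password-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range):
    """How many times the password appears in HIBP's corpus (0 if not found).

    fetch_range is injected so the logic can be exercised offline against a
    constructed body and wired to fetch_range_http in production.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range, max_seen=0):
    """Policy hook for a signup/password-change form: reject known-breached passwords."""
    return breach_count(password, fetch_range) <= max_seen


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY
    print("prefix sent to API:", sha1_prefix_suffix("password")[0])
    print("seen in breaches:", breach_count("password", offline))
    print("acceptable:", password_acceptable("password", offline))
```

Rejecting a breached password at the moment a user chooses it removes exactly the credentials a combo list is built from. If the live endpoint is unreachable, fail closed on the strength check (keep the site's normal password rules) rather than blocking signups; the range call is a defence in depth, not the only control.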
Finally, password hygiene should be part of any company’s security awareness training for employees. Password reuse is what enables credential stuffing attacks so this practice should be strongly discouraged, both at work and at home.
Users can use password managers to generate unique and complex passwords for every online account without having to remember them. Some of these applications even notify users automatically if their email addresses are detected in public data dumps.
“Credential stuffing isn’t going anywhere,” Akamai concluded in its State of the Internet report. “Since it can’t be stopped outright, the goal should be making the process of obtaining credentials as difficult as possible. Weak passwords and password reuse are the bane of account security; it doesn’t matter if we’re talking about gaming, retail, media and entertainment, or any other industry. If a password is weak or reused across multiple accounts, it will eventually be compromised. Awareness around these facts needs to increase, as does the promotion of password managers and multi-factor authentication.”