The number of cyber attacks and the variety of techniques used by hackers and cybercriminals today are concerning. Even as organizations become more aware and take measures to protect their business, they are constantly facing an uphill battle when it comes to illegitimate users trying to get unauthorized access to sensitive or personal data.
As more hacks lead to data breaches, sensitive data on users’ credentials becomes available to hackers. This only makes matters worse for organizations, as such data become the basis for another method of cyber attack known as credential stuffing. As more user login credentials become public through these breaches, attackers get access to more information that they can use to try and breach username and password combinations on other online accounts.
What is Credential Stuffing?
Credential stuffing is a type of cyber attack in which credentials of legitimate users obtained from a leak are used to log into another service.
Attackers typically use data from previous data breaches or dark web sources to gain access to user credentials, such as email address and password pairs. The attacker then attempts to log in to multiple online services with these stolen credentials, such as streaming services, banking websites, social media networks, and more.
This form of identity theft works on the assumption that many users often reuse the same set of credentials – usernames and passwords – across multiple websites and services. The attackers often employ malware bots to automate the breaches and scale their operations to breach a large number of user accounts.
The techniques employed by attackers have also become more sophisticated, with bots capable of circumventing IP blacklisting by making multiple login attempts from different IP addresses.
Types of Credential Stuffing Attacks
Credential stuffing attacks come in a variety of forms. The most common type of attack is the brute force attack, which involves attempting to access an account with as many different usernames and passwords as possible.
This type of attack is highly automated and can be very effective when using large lists of username/password combinations.
Other types of credential stuffing attacks include dictionary attacks, which involve trying common words or phrases as passwords; spoofing attacks, where attackers try to gain access by pretending to be legitimate users; and phishing attacks, where attackers send emails containing malicious links or attachments to trick users into revealing their credentials.
Additionally, attackers may also use more sophisticated methods such as password cracking tools or social engineering techniques to gain access to user accounts. To protect against credential stuffing attacks, it is important for organizations and users alike to employ strong authentication measures, which we will discuss below.
Credential Stuffing vs Brute Force Attack
Although credential stuffing falls under the category of brute force attacks, there are some factors that make it more specific. Brute force attacks, as their name suggests, attempt to log in to accounts by guessing passwords and trying multiple combinations, often randomly with no context or hints. Credential stuffing, on the other hand, makes the same brute force login attempts, except with valuable information such as password lists gathered from leaked user data from other breaches.
Think of brute force attacks as a random, guesswork-based attempt at logging in to an account, or even an iPhone using a passcode, by trying all possible combinations. Credential stuffing, in that analogy, would mean doing the same thing but more effectively and with fewer attempts, using a list of available usernames and passwords, or passcode combinations, of real users.
Credential Stuffing vs Password Spraying
You will often hear these two terms being used interchangeably. They are both forms of brute-force password attacks that can be carried out either by bots or manually, and can both cause an incredible amount of damage to your business.
But they are slightly different from one another. The main difference between the two is that in credential stuffing attacks, the hacker already has valid login details for one account and uses them to try and gain access to secondary accounts. In password spraying attacks, the credentials are unknown. Here, hackers attempt to log in using various commonly used passwords.
How Does Credential Stuffing Work?
Credential stuffing starts with the attacker getting hold of a database of usernames and passwords from another source – a breach, phishing attack or credential dump site. Then, using automation tools, the attacker tests these stolen credentials against many websites, including social media profiles, e-commerce marketplaces and apps. If a successful login is achieved, the attacker knows that the data they have acquired is legitimate and proceeds to use the access they have obtained in a number of ways. They could sell this newly acquired data for other malicious actors to use, send phishing messages or spam from the account, access sensitive financial information such as credit card numbers, or even steal from the account holder’s finances.
Credential Stuffing Examples
Even with the most advanced cybersecurity systems in place, hackers still try and sneak their way into online accounts in order to obtain people’s personal data. And unfortunately, it works, with an alarming success rate. Here are some examples:
- Uber: In 2016, Uber was subject to an almighty data protection breach when an attacker gained access to customers’ and drivers’ data through credential stuffing. Not only did the company have to cough up $100,000 to the attackers, but they were also fined $1.2 million for the breach.
- HSBC: The large banking corporation saw some of its customers’ credentials compromised in 2018 when attackers stole a wide range of personal data including names, addresses, account numbers, transaction reports and more.
- Superdrug: Another big data breach occurred in 2018. This time it affected the data of around 20,000 Superdrug customers. Hackers gained access and then sought ransom from the company.
What’s at Stake in a Credential Stuffing Attack?
Aside from the financial losses that individuals might incur from attackers gaining access to their accounts through credential stuffing, organizations too can face serious consequences.
In fact, according to a report from the Ponemon Institute, businesses lose around $6 million a year due to application downtime, customer churn and IT costs as a result of credential stuffing. On top of this, companies may also face legal action under data privacy laws such as GDPR as regulators are increasingly holding organizations accountable for such types of attacks.
How to Detect Credential Stuffing Attacks
There are some tell-tale signs that you can look out for that would suggest that you or your organization is being targeted through this method.
Look for Multiple Login Attempts on Multiple Accounts
If you observe a sharp and unusual rise in logins, chances are that there may be an automated bot that is carrying out a credential stuffing attack. You could lay down obstacles in the form of time delays and IP address bans of previous sessions where you detected repeated login attempts. But some bots can simulate what appear to be real logins by making it appear as if they are coming from different devices and IP addresses.
Stay Vigilant During Downtime Caused By Spike in Site Traffic
If you experience a sudden downtime caused by a spike in traffic to your website overwhelming your servers, that could also be an indication of a large-scale botnet-enabled credential stuffing attack.
Keep an Eye Out for Higher-Than-Usual Login Failure Rate
It is reasonable to expect some proportion of login attempts to fail, due to human error and other natural issues. But if the login failure rate is significantly higher than the norm, there could again be bots at play, trying to brute force their way into logging in by credential stuffing. Look out for the locations and traffic patterns as well as the speed at which repeated logins are attempted in these cases.
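The failure-rate check described above can be run over login logs, as in the following added example (not part of the original article). The log format, the 20% baseline failure rate, the 2x factor and the minimum of five attempts per window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "timestamp source_ip username result".
SAMPLE_LOG = """\
2024-05-01T10:00:05 198.51.100.7 alice OK
2024-05-01T10:00:40 198.51.100.9 bob FAIL
2024-05-01T10:00:52 198.51.100.9 bob OK
2024-05-01T10:01:10 203.0.113.20 carol OK
2024-05-01T10:02:01 192.0.2.11 dave FAIL
2024-05-01T10:02:02 192.0.2.12 erin FAIL
2024-05-01T10:02:03 192.0.2.13 frank FAIL
2024-05-01T10:02:04 192.0.2.14 grace OK
2024-05-01T10:02:05 192.0.2.15 heidi FAIL
2024-05-01T10:02:06 192.0.2.16 ivan FAIL
"""

def parse(log_text):
    """Yield (datetime, ip, user, succeeded) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def suspicious_windows(events, baseline_fail_rate=0.2, factor=2.0, min_attempts=5):
    """Return per-minute windows whose failure rate is far above the baseline.

    Counting per window rather than per IP matters: bots can spread their
    attempts over many IP addresses, so no single address stands out.
    """
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ts, _ip, user, ok in events:
        b = buckets[ts.replace(second=0, microsecond=0)]
        b["attempts"] += 1
        b["failures"] += 0 if ok else 1
        b["users"].add(user)
    flagged = []
    for minute, b in sorted(buckets.items()):
        rate = b["failures"] / b["attempts"]
        if b["attempts"] >= min_attempts and rate > baseline_fail_rate * factor:
            flagged.append(
                (minute.isoformat(), b["attempts"], round(rate, 2), len(b["users"])))
    return flagged

if __name__ == "__main__":
    for window in suspicious_windows(parse(SAMPLE_LOG)):
        print(window)  # (window start, attempts, failure rate, distinct users)
```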
Causes of Credential Stuffing
As we’ve discussed, credential stuffing is a type of cyberattack that involves using stolen usernames and passwords to gain unauthorized access to online accounts.
This form of attack is becoming increasingly common as data breaches make it easier for hackers to acquire large amounts of user credentials.
One of the primary causes of credential stuffing is password reuse, where users use the same username and password combination for multiple accounts. This makes it much easier for attackers to gain access since they only need one set of credentials in order to try them on other sites. Additionally, weak passwords are also a major factor in credential stuffing attacks; if users choose easily guessable passwords such as “123456” or “password” then they are much more likely to be vulnerable to this type of attack.
Finally, large-scale credential stuffing attacks can also be enabled by malicious actors who purchase or otherwise obtain lists of email addresses and associated passwords from data breaches.
To protect against credential stuffing attacks, organizations and users alike should employ strong authentication measures such as two-factor authentication and password managers; additionally, users should never reuse the same password across different services and always choose long, complex passphrases for their online accounts.
Here are some of our most effective prevention tips:
Tips on How To Prevent Credential Stuffing
In addition to the techniques described above for detecting credential stuffing attacks, there are some simple tips you can follow to prevent them altogether.
Enforce Multi-Factor Authentication (MFA)
The tried and tested multi-factor authentication (MFA) is still a sound method for preventing credential stuffing attacks. Since these types of attacks rely on logging in to a system using credentials available from elsewhere, adding another layer of authentication such as a token, a second passcode, or a biometric check such as fingerprint or face recognition helps nullify the attack. Think of MFA as an upgraded version of two-factor authentication (TFA).
Try Device Fingerprinting
It is possible to detect potential credential stuffing attacks by spotting specific “fingerprints” based on information collected about user devices and incoming sessions. The fingerprint is essentially a combination of parameters such as browser, language, operating system, time zone and others which together suggest an identity. If the same fingerprint is seen several times in a short span of time for instance, or when other factors make it look suspicious, chances are that it could be a credential stuffing attack, and you should act quickly to thwart these.
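A sketch of that fingerprint check, added here as an example and not taken from the original article: it hashes the four parameters named above and flags a fingerprint that touches too many distinct accounts inside a sliding window. The class name, the 60-second window and the threshold of three accounts are assumptions.

```python
import hashlib
from collections import defaultdict, deque

def fingerprint(session):
    """Hash the parameters the text lists into one stable identifier."""
    parts = [session.get(k, "") for k in ("browser", "language", "os", "timezone")]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()[:16]

class FingerprintMonitor:
    """Flag a fingerprint seen on too many distinct accounts in a short span.

    A fingerprint this coarse is shared by many legitimate users, so the
    signal is distinct accounts per fingerprint, not raw repeat count, and a
    hit is better treated as a reason to challenge than as proof of abuse.
    """

    def __init__(self, window_seconds=60, max_accounts=3):
        self.window = window_seconds
        self.max_accounts = max_accounts
        self.seen = defaultdict(deque)  # fingerprint -> deque of (time, account)

    def observe(self, t, account, session):
        """Record one login attempt; return True if it looks suspicious."""
        q = self.seen[fingerprint(session)]
        q.append((t, account))
        while q and q[0][0] <= t - self.window:  # drop attempts outside the window
            q.popleft()
        return len({a for _, a in q}) > self.max_accounts

# Constructed sample sessions and events: (seconds, account, session attributes).
BOT = {"browser": "Chrome 120", "language": "en-US", "os": "Linux", "timezone": "UTC"}
USER = {"browser": "Safari 17", "language": "de-DE", "os": "macOS",
        "timezone": "Europe/Berlin"}
SAMPLE = [(0, "alice", BOT), (2, "bob", BOT), (3, "dana", USER), (4, "carol", BOT),
          (5, "dana", USER), (6, "dave", BOT), (7, "dana", USER), (8, "erin", BOT),
          (200, "frank", BOT)]

def run_sample():
    """Return the (time, account) attempts that the monitor flags."""
    monitor = FingerprintMonitor()
    return [(t, acct) for t, acct, s in SAMPLE if monitor.observe(t, acct, s)]

if __name__ == "__main__":
    print(run_sample())
```

The user who retries the same account three times is not flagged, and the attempt at second 200 falls outside the window, so the count starts over.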
Deploy CAPTCHA
The simple CAPTCHA programs, which test for a real human presence when logging in, can also be helpful in preventing credential stuffing attacks. But only to a certain extent, as attackers are increasingly becoming good at bypassing CAPTCHA tests using headless browsers.
Block Access of Headless Browsers
Headless browsers, which are browsers without a graphical user interface that control web pages through command-line interfaces instead, are often used by attackers to circumvent CAPTCHA and the other tools mentioned above. It is possible to spot attacks coming through such headless browsers by the scripts that they employ. To take extra precautions and protect further against vulnerabilities, you should block access from headless browsers altogether.
Enforce IP Blacklisting
Despite having access to compromised credentials obtained from elsewhere, the IP addresses used by attackers to make credential stuffing attacks look legitimate may still be limited. So one way to take action against such attacks is to block or sandbox IPs that try to log into multiple accounts. This is also where log history comes in handy, which can be used to compare the last few IPs that were used for logging into an account with that of the suspicious IP.
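One way to combine the two ideas in this tip, as an added example that is not from the original article: an IP is counted against the limit only for accounts whose recent login history does not include it, so a shared office address is left alone while an unfamiliar address working through many accounts is blocked. The class name, the limit of three accounts and the history depth of three IPs are assumptions.

```python
from collections import defaultdict, deque

class LoginIpGuard:
    """Block IPs that try many accounts they have no login history with."""

    def __init__(self, max_unfamiliar_accounts=3, history_size=3):
        self.max_unfamiliar = max_unfamiliar_accounts
        # account -> last few IPs with a successful login (the log history)
        self.recent_ips = defaultdict(lambda: deque(maxlen=history_size))
        # ip -> accounts it attempted without appearing in their history
        self.unfamiliar = defaultdict(set)
        self.blocked = set()

    def record_success(self, ip, account):
        """Remember an IP after a successful login to the account."""
        if ip not in self.recent_ips[account]:
            self.recent_ips[account].append(ip)

    def verdict(self, ip, account):
        """Return 'block' or 'allow' for one login attempt."""
        if ip in self.blocked:
            return "block"
        if ip in self.recent_ips[account]:
            return "allow"  # this account has logged in from here before
        self.unfamiliar[ip].add(account)
        if len(self.unfamiliar[ip]) > self.max_unfamiliar:
            self.blocked.add(ip)  # or route the IP to a sandbox instead
            return "block"
        return "allow"

def run_sample():
    """Replay constructed attempts from an office IP and an unfamiliar IP."""
    guard = LoginIpGuard()
    staff = ["alice", "bob", "carol", "dave", "erin"]
    for account in staff:  # constructed log history for a shared office address
        guard.record_success("198.51.100.10", account)
    office = [guard.verdict("198.51.100.10", a) for a in staff]
    attacker = [guard.verdict("203.0.113.50", a) for a in staff]
    return office, attacker

if __name__ == "__main__":
    print(run_sample())
```

In a real deployment the per-IP sets would need to expire over time; that is left out here to keep the comparison with login history in focus.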
Rate-Limit Non-Residential Traffic Sources
Another way to act against credential stuffing attacks is to apply strict rate limits for traffic coming from suspicious sources such as Amazon Web Services. These are in most cases bot traffic and rate limiting puts a cap on the number of requests to a website to block the flood of activity that could be typical of credential stuffing.
Avoid Using Email Addresses as User IDs
It is not unheard of for people to use their email addresses as user IDs at account logins. But this makes it easy for attackers to use credential stuffing as a tactic, since they can try using email IDs as usernames on multiple websites. Make it clear to your users that they should avoid using email addresses as account IDs or usernames, or even prevent this by making it a criterion for account creation and login.
Enforce Strong Passwords
Another way to help protect against cyberattacks is to ensure all user accounts have strong passwords. The longer the password, the harder it is for hackers to crack. Making sure passwords are at least 8 characters in length, with a combination of letters, numbers, and symbols is a good way to do this.
Adopt Bot Detection and Management Tools
The most effective protection against credential stuffing is the use of a comprehensive bot detection and management service. These combine rate limiting with IP reputation databases to thwart suspicious login attempts while leaving the legitimate logins to go through as normal. CDNetworks offers Bot Shield, a cloud-based bot management solution that can identify malicious bot traffic including those from credential stuffing and send notifications for you to take immediate action.
Besides, some solutions such as CDNetworks Application Shield can also integrate web application firewall (WAF) with a content delivery network (CDN) to protect against credential stuffing attacks.