What is Credential Stuffing?
If you’re an average Internet user (no shame in that, the writer of this article identifies similarly), you probably have a lot of online accounts. You also probably reuse usernames and passwords across many of these accounts. Unfortunately, if you nodded along with the previous two sentences, you will also probably be targeted by credential stuffing attacks.
Credential stuffing defined
Credential stuffing is a type of cyberattack where adversaries use credentials obtained from a data breach on one service and attempt to programmatically log in to other unrelated services. These attacks are based on the premise that people tend to reuse usernames and passwords across online accounts. If a credential stuffing attack is successful, the attacker can either sell the account access to another party or use it to carry out account takeover.
According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have a success rate of up to 2% on major websites.
How credential stuffing works
Here’s how a typical credential stuffing attack looks in practice:
Attackers get hold of stolen usernames and passwords. Sadly, this is a relatively trivial exercise given the billions of leaked passwords present on the dark web and the continued success of phishing.
Attackers feed the stolen username-password combinations into a botnet, which is a network of Internet-connected devices controlled by the attacker. Botnets and automation magnify the scale and impact of credential stuffing.
The botnets simultaneously attempt to “stuff” stolen credentials on multiple website login forms in parallel.
If a login attempt is successful, attackers usually extract personally identifiable information, credit card details, and anything else that can be used for personal gain or follow-on compromise.
A successful credential stuffing attack presents many downstream opportunities for the attacker.
They can sell the stolen (and validated) login credentials online, with streaming and entertainment services being common victims.
They can enact e-commerce fraud by using saved payment details to complete high-value transactions, either for personal use or reselling.
They can change the password and other settings to essentially steal the user’s online identity by locking them out of their account.
If account takeover is successful, the attacker can use the victim’s account as a vector to carry out new scams. For example, this Facebook scam involved attackers asking for money by masquerading as the victim’s friend stranded in another country.
If the attacker gains access to a victim’s work account, they can get access to all manner of sensitive and confidential information which can be sold to the highest bidder or used to hold the company ransom. People often reuse passwords across personal and work accounts, making this a non-zero possibility.
Also read: Broken Authentication 101
Why credential stuffing is on the rise
Credential stuffing is not a new phenomenon, but these attacks have grown rapidly over recent years. The Akamai 2021 “State of the Internet” report cited 193 billion login attempts attributed to credential stuffing attempts.
A variety of market, technological, and societal factors have led to the continued growth of credential stuffing attacks:
The fallibility of passwords. Even though users know it’s not best practice, they tend to reuse passwords across multiple accounts out of a fear of forgetting them. This, combined with the fact that email addresses often double up as usernames, increases the chances of a victim’s stolen credentials for one website being successfully used to access other websites. Passwords being a form of knowledge-based authentication (i.e. something the user knows) inherently drives behaviors that lead to poor security hygiene.
Botnets. Today’s sophisticated botnets make credential stuffing more scalable and harder to detect. Bots can obfuscate or spoof their IP address to circumvent any security blocklists. They are also usually programmed to attempt login on a web application only once, allowing them to bypass any lockouts owing to repeated failed login attempts.
Low cost. The barrier to entry for procuring credentials and launching credential stuffing attacks is worryingly low. The prevalence of leaked passwords and stuffing tools mean that attackers just need a few hundred dollars and a few ounces of patience to strike digital gold.
Remote work. The rapid shift to remote work has led to everyone needing to have an expanded digital presence. Around 50% of surveyed respondents by LastPass had 50% more accounts in 2021 than they did in 2020. This further expands the available attack surface for perpetrators of credential stuffing.
Credential stuffing vs. brute force attacks
Credential stuffing is a subset of brute force attacks. While both these attacks follow some common themes, they have several noteworthy differences.
While credential stuffing attacks use stolen passwords to attempt logins, brute force attacks try to guess passwords by using dictionaries of common phrases or popular “boilerplate” passwords like Qwerty, 123abc, and Password.
The way bots are programmed in credential stuffing and brute force attacks also differ. While credential stuffing bots are programmed to try the same username-password combination across a variety of sites, brute force bots are programmed to try multiple username-password combinations on the same site.
Brute force attacks can be prevented by requiring users to have strong passwords, limiting the number of failed login attempts on a web property, or using CAPTCHA. Credential stuffing is not that easily prevented, unless the user has strong and unique passwords for every online account.
Despite the above differences, the big commonality between credential stuffing and brute force attacks is that they both exploit the inherent weakness of passwords as an authentication method. While brute force attacks are based on the premise that people use common phrases and strings as passwords, credential stuffing relies on the assumption that people reuse passwords across accounts.
Tips to prevent credential stuffing
Credential stuffing prevention is theoretically possible if people use unique passwords for every web application. However, the average person has 100 passwords to remember, making password reuse the most convenient (albeit unsafe) option. Password managers are another option – although one in five Americans use them, attackers just need access to one set of stolen credentials to negate the security they provide. There’s also the literal fear of forgetting the master password (or having it stolen), giving attackers access to all the victim’s login data.
Here are some measures organizations can follow to ensure that attackers cannot use stolen credentials to impersonate their users.
Using passwordless authentication can prevent credential stuffing at the source – if there are no passwords to steal or try on login forms, attackers will move on to their next target. Passwordless authentication verifies users with something they have (a device or security key) or something they are (biometrics) rather than something they know, almost eliminating credential stuffing in the process.
Passwordless authentication also improves the login experience for users and reduces overhead for organizations dealing with password storage and management as well as password reset processes.
For organizations not yet ready to move away from passwords altogether, implementing multi-factor authentication (MFA) is an effective way at containing the impact of credential stuffing attacks. MFA enforces an additional factor after the username-password combination has been entered. Whether this is a one-time password sent via SMS or email, or a biometric check with a fingerprint, the attacker will not have access to any of them.
While MFA prevents the attacker from gaining access to the user’s account, it does not prevent the attacker from knowing that the username-password combination was successful.
Organizations can use password hashing, which turns the password into a scrambled representation, before storing it in their databases. This will not prevent passwords from being stolen (or maybe even being descrambled), but it will increase the time window users have to change passwords on other accounts once a set of credentials have been stolen.
Breached password monitoring
Organizations can check entered credentials against databases of compromised credentials like haveibeenpwned to identify and stop credential stuffing in progress. If entered login details match credentials that have been breached, organizations can inform the user, ask them to change their password, or enact step-up authentication by requesting additional factors.