In the past few years, there have been several major data breaches, including the exposure of 540 million credentials from Facebook in 2019. As a result, there are now billions of stolen credentials in the hands of cybercriminals, many of which are bought and sold in various forums. This is why credential stuffing attacks are now one of the most common cybersecurity threats today.
In this guide, we will discuss all you need to know about credential stuffing, examples of credential stuffing attacks, and different ways to protect yourself, whether as an account holder or a website owner, from credential stuffing attacks.
What is Credential Stuffing?
Credential stuffing is, in a nutshell, using acquired (mainly stolen) credentials such as usernames and passwords to attempt to access other accounts on other websites or services. For example, when your Gmail account is compromised, a hacker might use your stolen credential to access your Facebook account, provided you are using the same username and password on both accounts.
As we can see, credential stuffing relies on the fact that so many of us reuse the same credentials across different accounts. So, stolen credentials from lower-profile websites and services have a high chance of working on bigger sites with more sensitive data (e.g. a banking account).
A credential stuffing attack is technically a form of brute-force attack. A classic brute-force attack attempts to guess usernames and passwords using common word combinations and by rotating letter by letter. In a credential stuffing attack, however, the attacker is using a known valid credential, making the attack much easier to execute, with a higher success rate and a lower risk of getting caught.
How Credential Stuffing Attacks Work
Here is a typical process of a credential stuffing attack:
- Setting up a bot that can automatically log in to multiple user accounts in parallel for each website/service. The bot might rotate between thousands of different IP addresses, so it can be very difficult to detect via IP-based detection.
- Automatically running through the stolen credentials database and checking whether a credential works on the target websites. The bot runs this process in parallel against multiple different sites (potentially hundreds or thousands of them).
- Checking for successful logins and then attempting data theft of sensitive information such as personally identifiable information, financial credentials (e.g. credit card information), and other valuable data.
- Changing the account's credentials to make the attacker the effective owner, and retaining the account for future use and/or to launch more severe attacks.
Example of Credential Stuffing Attacks
A hacker gained access to Uber's data storage through credential stuffing. The attacker used an Uber employee's previously stolen credential for their GitHub account, which contained details of the Amazon Web Services (AWS) S3 account where Uber's data was stored. As a result, 57 million credentials of Uber users were stolen.
Dunkin Donuts (2018-2019)
Dunkin Donuts reported a credential stuffing incident in November 2018, although the breach happened at the end of October. The number of credentials stolen was not disclosed, but another attack was launched in February 2019, when the company was just starting to contain the damage from the previous incident.
Between the 4th and 14th of October 2018, HSBC experienced a credential stuffing attack in which the attackers successfully stole names, account numbers, transaction histories, email addresses, and phone numbers, among other information. It is estimated that fewer than one percent of the bank's US customers were compromised in the attack.
In early 2019, Reddit suspected a credential stuffing attack and, to prevent further damage, locked users out of their accounts and forced them to reset their credentials.
Dailymotion, the video hosting service, was forced to completely shut down its service in January 2019 due to a massive credential stuffing attempt. Dailymotion also emailed a group of users and locked them out of their accounts while forcing them to reset their passwords.
How to Protect Yourself From Credential Stuffing
For users/account holders, you should use multi-factor authentication whenever the website/service allows it. With multi-factor authentication (MFA), users are required to enter a secondary piece of information beyond the usual username-password combination. So, even when their credentials are compromised, the credentials alone won't be enough to gain access.
Multi-factor authentication, however, slows users down when accessing their accounts and can hurt the overall user experience. So, user education is necessary, and MFA prompts should be used sparingly. For example, you can ask for MFA only when the user is performing a suspicious activity, such as accessing their account from a different IP address/location.
Strong and Unique Passwords for Each Account
Since credential stuffing relies on using previously compromised credentials, you can prevent credential stuffing attacks by using different passwords for each of your accounts. Admittedly it’s a common practice to use one go-to password for all accounts, but if you truly care about your digital privacy and security, make sure to use different passwords each time, and also make sure to always use strong passwords combining uppercase, lowercase, symbols, spaces, and numbers.
Thankfully, nowadays there are various password manager tools that can help users create randomized, very strong passwords and 'remember' them. Also, today's browsers (like Chrome) and iOS and Android devices offer built-in password managers backed by multi-factor authentication (e.g. Touch ID on iOS, fingerprint unlock on Android).
Advanced Detection System
Another approach in preventing credential stuffing attacks is to detect malicious login attempts and bot activities as early as possible. Credential stuffing is often performed with the help of a bot, and an anti-bot detection solution can significantly help in detecting and preventing credential stuffing attempts as early as possible.
Behavioral detection, fingerprinting, and AI-based technologies can be effective in detecting the sophisticated fourth-generation bots that are often responsible for today's large-scale credential stuffing attacks.
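As an added example (not code from the original article or any vendor), the following Python script applies the two ideas above to a few constructed login-log events: server-side detection of the stuffing patterns described earlier (one source IP cycling through many usernames with mostly failures, and one account being hit from many rotating IPs), and the risk-based MFA step-up from the earlier section, which challenges a login only when it comes from an unfamiliar network or from a source already flagged. All IPs, usernames, thresholds and the "known network" table are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (time, source_ip, username, success).
EVENTS = [
    ("10:00:01", "203.0.113.5", "alice", False),   # one IP, many usernames
    ("10:00:02", "203.0.113.5", "bob", False),
    ("10:00:02", "203.0.113.5", "carol", True),    # a reused password worked
    ("10:00:03", "203.0.113.5", "dave", False),
    ("10:00:03", "203.0.113.5", "erin", False),
    ("10:00:04", "203.0.113.5", "frank", False),
    ("10:01:00", "198.51.100.1", "grace", False),  # one account, rotating IPs
    ("10:01:01", "198.51.100.2", "grace", False),
    ("10:01:02", "198.51.100.3", "grace", False),
    ("10:01:03", "198.51.100.4", "grace", False),
    ("10:02:00", "192.0.2.10", "heidi", False),    # ordinary user: one typo, then success
    ("10:02:05", "192.0.2.10", "heidi", True),
]

def stuffing_signals(events, min_users=5, max_success_rate=0.3, min_ips=3):
    """Return (suspicious_ips, targeted_users).
    Signal 1: a source IP tries >= min_users distinct accounts with a low success rate.
    Signal 2: an account is attempted from >= min_ips distinct source IPs (IP rotation)."""
    users_by_ip = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])   # ip -> [attempts, successes]
    ips_by_user = defaultdict(set)
    for _, ip, user, ok in events:
        users_by_ip[ip].add(user)
        totals[ip][0] += 1
        totals[ip][1] += int(ok)
        ips_by_user[user].add(ip)
    suspicious_ips = {
        ip for ip, users in users_by_ip.items()
        if len(users) >= min_users and totals[ip][1] / totals[ip][0] <= max_success_rate
    }
    targeted_users = {u for u, ips in ips_by_user.items() if len(ips) >= min_ips}
    return suspicious_ips, targeted_users

# Constructed table of /24 prefixes each user has previously logged in from.
KNOWN_NETWORKS = {"heidi": {"192.0.2."}, "carol": {"192.0.2."}}

def needs_step_up_mfa(user, ip, suspicious_ips, targeted_users, known=KNOWN_NETWORKS):
    """Risk-based step-up: require MFA for an unfamiliar network, a flagged source IP,
    or an account currently under distributed attack, even if the password was correct."""
    prefix = ip.rsplit(".", 1)[0] + "."
    unfamiliar = prefix not in known.get(user, set())
    return unfamiliar or ip in suspicious_ips or user in targeted_users

if __name__ == "__main__":
    sus, tgt = stuffing_signals(EVENTS)
    print("suspicious IPs:", sus, "targeted accounts:", tgt)
    print("carol from 203.0.113.5 needs MFA:", needs_step_up_mfa("carol", "203.0.113.5", sus, tgt))
```

In production the thresholds would be tuned per site and the counts kept in a sliding time window; the logic is the same.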
Credential stuffing is a relatively simple brute force technique, but at the same time, it is very difficult to detect and prevent. The most effective way of dealing with credential stuffing attacks is to educate users to keep their passwords as strong and diverse as possible, and also employ the use of multi-factor authentication.
However, having a proper detection system on the website can also help to block suspicious activities and to mitigate the damage of the attack as soon as possible.