Credential Stuffing Attacks Explained (and How to Prevent Them)

Updated: 2022-07-29 / Article by: Gene Fay
How Credential Stuffing Attacks Work

The key to knowing how to prevent credential stuffing attacks is to understand what they are, how they get carried out, and how they can affect your business and data.

Simply put, a credential stuffing attack is an automated matching of stolen user names and passwords that criminals can use to find valid login credential combinations. This approach drives account takeover attacks, and usually tends to precede them. Criminals need to access accounts first before they can take them over and use them for their own purposes.

Credential stuffing attacks make up a significant percentage of all online attack types, In fact, almost 5% of all digital traffic relates to these attacks.

The recent rise in credential stuffing attacks is due to an ongoing, and in some cases highly profitable, theft of consumers’ personal information through regular data breaches. Consumers who reuse and recycle passwords across their online accounts are particularly at risk.

Essentially, this means that if an attacker can access a single, valid user name and password combination in use by a single person across multiple online accounts, these accounts can all get compromised easily and within a relatively short time frame.

How Do Credential Stuffing Attacks Work?

There are three primary phases in any credential stuffing attack:

  1. Data harvesting
  2. Credential matching
  3. Monetization of an attack

Attackers often use bots to automate the credential validation process and find valid combinations of user names and passwords. These powerful bots can match thousands of passwords to user names to find valid combinations that can be used to gain unwanted access to digital accounts. This approach allows attackers to scale their efforts and increase their ROI while doing considerable damage to businesses and individuals alike.

How Common are Credential Stuffing Attacks?

These digital attacks are very common and prevalent across a wide range of industries and online domains. Sometimes they are even carried out by automated bots instead of human individuals. Highly advanced bots with artificial intelligence capabilities are easily and readily available to attackers, who can even access support services to assist them in their attacks. This technology makes it simple for attackers to execute large-scale attacks using bots at minimal cost to themselves.

Many attackers also know about basic fraud defense techniques, and can use this knowledge to circumnavigate and exploit technological systems to their benefit. Once they have breached a network, they can use bots to explore internally, stealing private data and disrupting businesses’ operations and security systems.

Understanding the Statistics

Free data breach notification platform HaveIBeenPwnd.com tracks more than 8.5 billion compromised credentials from over 400 data breach events. The service only tracks credentials from data sets that are open to the public or were distributed widely using underground platforms. Many database dumps are private, and only small hacking groups can gain access to them.

Credential stuffing attacks are supported by a complete underground economy centered on selling stolen credentials and custom support tools to help attackers in their efforts. These tools use ‘combo lists’ that get collated from different data sets after the hashed passwords found in leaked data sets get cracked. Essentially, launching credential stuffing attacks doesn’t require any specialized knowledge or skill. Anyone who has enough money to buy the data and tools they need can execute an attack.

Credential stuffing attacks have become cost-effective – for as low as $200 per 100,000 account takeover (source).

Security and content delivery firm Akamai discovered 193 billion credential stuffing attacks on a global scale in 2020 alone. This number came as a 360% increase over 2019’s figures. Although some of this increase can be attributed to more extensive monitoring of more customers. Some industries, such as the financial services industry, were targeted especially often. Akamai’s May 2021 report cited several spikes in the volumes of these attacks, including a single day in late 2020 that saw more than a billion attacks launched.

How to Spot Attacks

Credential stuffing attacks are launched through automated tools and botnets that allow the use of proxies that distribute rogue requests across a number of different IP addresses. Attackers also often configure their tools of choice to mimic authentic user agents – the headers which identify the operating systems and browsers that web requests consist of.

This all makes it challenging to distinguish between attacks and true login attempts. Especially on websites with high levels of traffic on which a sudden wave of login requests does not stand out from usual login behavior. With this said, an increase in login failure rates over a short time period can indicate that a credential stuffing attack has been launched against a website.

There are many web application firewalls and similar services that use advanced behavioral diagnostics to detect suspicious login behaviors. Plus, website owners can take measures of their own to prevent future attacks.

Read More

How to Prevent Credential Stuffing Attacks

Are you a robot?

Credential stuffing attacks are one of the most significant threats to internet users’ digital accounts today, and this applies to businesses as well. Organizations, small businesses, and everyone in between should take protective measures against these threats to ensure that their personal and organizational data is secure.

Some of the most popular credential stuffing prevention techniques include:

  • CAPTCHAs
    CAPTCHAs are a form of common bot used to prevent attacks driven by other bots. They require internet users to solve puzzles upon login to ensure that they are human. CAPTCHAs are available in a variety of versions, including picture, text, audio, mathematical sum, and more.
  • Behavioral biometric logins
    Some businesses have resorted to analyzing typical user behavior and patterns of web traffic in order to detect threats. They can use this data to spot anomalous behaviors and possible exploitation of their systems.
  • IP address blocking
    Many businesses have blocked IP addresses due to suspicious activity, and others choose to quarantine suspicious requests until they can be reviewed and verified.
  • Two-factor and multi-factor authentication
    2FA and MFA provide additional layers of security and authentication using additional information that only the user should know or have access to. This authentication can come in the form of one-time PINs, SMSes, security questions, or biometric readings such as a fingerprint or facial scan.
  • Device intelligence and fingerprinting
    Device intelligence consists of data such as operating systems, IP addresses, browser types and more. This data helps to create a unique identity that can be linked to a specific device. Deviation from this typical data can flag suspicious behaviors and allow businesses and people to act proactively and introduce more authentication measures.
  • Password and security hygiene
    Password hygiene should be part of every business’s security awareness training for staff members. Password reuse is the primary enabler of credential stuffing attacks, so businesses need to discourage this practice and ensure that their staff know how important it is to use strong and unique passwords, both at work and in their own personal capacities.
    Web users can use secure password managers to generate complex and unpredictable passwords for every online account they have. Password managers will automatically store these passwords, and may also notify users if their email addresses appear in public data dumps.

Some larger companies have started to take proactive measures by analyzing and monitoring public data dumps to see if the impacted email addresses are present in their own systems too. For accounts that are found on their servers, they require password resets and suggest enabling multi-factor authentication to protect consumers whose data may already have gotten compromised.

How Effective are These Preventative Measures?

Many businesses use one or several of the defense methods mentioned above to protect themselves and their data from credential stuffing attacks. However, these approaches are not 100% effective. They present shortcomings that prove only partially effective in providing ongoing protection against evolving attacks.

These preventative measures pose integration challenges and add to technical costs, all while complicating risk-decisioning, which can further hinder fraud prevention efforts. For example, multi-factor authentication is both costly to implement and prone to delayed or lost SMSes and OTPs.

Likewise, blocking IP addresses based on behavior changes can lead to businesses unwittingly blocking legitimate customers and leads. Device intelligence cannot be used as a standalone security solution, as most users today have many devices and browsers installed. CAPTCHAs have fallen behind constantly-changing bot technologies. They are rapidly being rendered ineffective as they often hinder internet users unnecessarily without stopping attacks.

The Takeaway: Deterrence is the Key

In an age where the problem of credential stuffing attacks is a growing threat, businesses of all sizes will battle to balance expanding remediation costs with effective security measures that produce a viable ROI. These attacks are extremely affordable to attackers. But they can leave businesses crippled under financial losses and reputational damage.

In short, mitigation of credential stuffing attacks may not be enough to guard businesses against harm. They must instead focus on deterring criminals in order to keep their data secure. An innovative approach to fraud deterrence is needed to provide organizations with lasting protection as attack methods continue to evolve.

According to the aforementioned Akamai State of the Internet report, credential stuffing attacks aren’t going anywhere. Since they cannot be stopped entirely, businesses should aim to make the process of obtaining matching user names and passwords as challenging as possible. Reducing password reuse and encouraging the creation of strong passwords are some of the most effective and affordable deterrents available to businesses across sectors.

Read More

About Gene Fay

Gene Fay is an experienced high-tech executive with a demonstrated history of success working in information technology. Skilled in Cyber Security, Storage Area Network (SAN), Sales, Professional Services, and Data Center. Strong information technology professional with an MBA focused on High Technology from Northeastern University - Graduate School of Business Administration. He is also the host of the eXecutive Security Podcast, a podcast featuring conversations with CISOs and other security leaders on how individuals can enter into and grow careers in security.