What is Credential Stuffing?

Malware often gets top billing in mainstream news reporting of cyber-threats. It makes for snappy headlines and a compelling narrative—–but it’s not the whole story. Increasingly, organisations are finding customers exposed to malware-free account takeover attacks, which could result in serious data theft.

There are several ways hackers can takeover accounts, from password spraying to session hijacking and phishing. Credential stuffing is among the most successful of these hacking techniques, and it’s on the rise. It’s a problem estimated to cost US firms alone over $5bn per year. However, with simple measures like adaptive multi-factor authentication (MFA), companies can mitigate risk and protect their sensitive data.

How does credential stuffing occur?

Credential stuffing is a kind of brute-force attack in which hackers take large volumes of stolen or breached logins and use automated tools to try them out en masse to see if they can crack open other accounts.

Customers of organisations across various industries including technology, retail, food, and even online dating have been hit with credential stuffing attacks over the first few months of 2019 alone. These exposed customer credentials pose additional risk to other organisations where those individuals might have accounts and use the same login details.

Credential stuffing is made possible thanks to three interlinked factors:

Poor password policies

Maintaining good password hygiene is critical for security. Allowing users to continue to use the same password for extended periods of time worked just fine in an era before mass data breaches, sophisticated automation, and the thriving cybercrime economy—a time when users only had a small number of online accounts to secure. Today, however, the odds are increasingly stacked in the hackers’ favour. If there are no other barriers to entry, like MFA, it’s relatively straightforward for an attacker to unlock user accounts by obtaining these credentials. Today, security teams must do better than rely entirely on passwords.

Credential breaches

Credential stuffers are getting their passwords from the dark web, which hosts a massive collection of breached data. Some of the biggest breaches ever recorded happened in 2018, including Marriott International (383 million users impacted) and MyFitnessPal (150 million). The trend continues in 2019. As of February 5, there have already been 86 recorded breaches exposing over 370,000 records.

The cybercrime underground is awash with collections of aggregated data from such breaches. One stand-out trove, dubbed “Collection #1-5”, is said to contain over 2.2 billion unique usernames and passwords. Even if these credentials are stolen from organisations in their encrypted form, automated cracking tools can sometimes make unscrambling the data pretty straightforward. That’s when they’re ready for stuffing.

Password reuse

The final factor relates to the users themselves. If every employee used a unique, strong password for each account, it would help prevent a credential stuffing attack on the company they subscribe to. In today’s digital-centric world this is simply not possible, as the average person manages at least 130 accounts.

In the face of this volume of credentials, many users resort easy-to-guess logins, which they reuse across multiple accounts. Thus, when one is breached, all accounts become exposed to the credential stuffing threat.

How it’s done: Botnets and brute forcing

The driving force behind credential stuffing and other brute force techniques is the botnet: a network of compromised computers. The recent explosion in unsecured IoT devices has made it even easier for hackers to amass such networks. These run automated scripts to try large volumes of stolen credentials simultaneously across multiple services and platforms. Using a “low-and-slow” approach, botnets ensure account attempts aren’t made too frequently, and they incorporate proxy lists so that requests come from different IPs—both to avoid setting off internal alarms at the target.

The time between an initial breach and its public notification is a crucial window for credential stuffers to do damage. Before credentials are distributed on the dark web, attackers typically milk the credentials to commit as many account takeovers as possible. Once they accomplish this goal, they then sell the credentials on the dark web for any residual value.

For organisations, observing the dark web marketplace to catch when credentials are illegally distributed is too late. But unfortunately, due to companies not having the appropriate measures in place to identify and act on these attacks early, this window is estimated to be as long as 15 months.

What’s the impact?

Although credential stuffing success rates may be little more than 1%, a hacker trying millions of passwords will still get a decent ROI. The resulting account takeover could provide attackers with valuable corporate info, or an opportunity to launch the next stage of a more serious breach by using the account to target privileged account holders with spear-phishing emails. A resulting breach could hit corporate reputation and the bottom line hard.

How can I protect my users?

Organisations must consider a better approach to user authentication. Ideally, this would entail getting rid of passwords altogether, and instead leveraging technologies such as Webauthn. If this isn’t feasible, organisations should employ a strict authentication framework that includes a comprehensive password policy and a secure system for password and account recovery.

As an added layer of security, Okta’s Adaptive MFA solution monitors a wide range of login data including device, geography, time of day, and IP address, to assign each attempt a risk score. A low score may allow password-only authentication, whilst a higher number may require an additional factor, like a one-time-passcode. In this way, high-risk credential stuffing attempts are blocked as the hacker will not have access to the second factor. This helps companies mitigate the risk of account takeovers.

Learn more

Read 3 Ways to Stop Account Takeovers to learn more about additional steps you can take to keep your employee accounts secure.

Watch the webinar: Stop Account Takeovers and Identity Attacks