Credential Stuffing
Credential stuffing is a type of multi-layer cyberattack that “stuffs” stolen usernames and passwords into systems to try to gain access. Criminals automate the credential stuffing process with scripts or applications. Sometimes the criminals who perpetrate the credential stuffing attack steal usernames and passwords, but increasingly batches of credentials are bought and sold on the dark web.
When a successful username and password pair is found, the criminal uses it for a number of nefarious purposes, such as:
- Conducting phishing attacks
- Gaining access to connected systems
- Launching a ransomware attack
- Making fraudulent purchases
- Stealing information
- Withdrawing money from accounts
How Credential Stuffing Occurs
As noted above, credential stuffing is a multi-layer attack, and the attacker generally follows these 3 steps:
- 1. Stealing a user’s credentials.
- 2. Launching a credential stuffing attack.
- 3. Taking advantage of unauthorized access to engage in additional nefarious activities.
While it is possible to conduct a credential stuffing attack manually, it would take too much time. Attackers commonly use software that automates the distribution of login requests from different IP addresses.
The key elements of a credential stuffing attack include:
- Breached credentials
Usernames and password pairs are stolen in a number of ways, including database vulnerabilities and malware. - Distributed botnets
Armies of unsuspecting systems are used to send login requests that are routed through proxy servers to avoid detection and IP blacklists. - Simulation software
Toolkits, often purchased on the dark web, are used to fool defensive security that could stop the credential stuffing attack, such as CAPTCHA solvers or anti-fingerprinting scripts.
Six signs of a credential stuffing attack are:
- 1. Noticing that login information is incorrect
- 2. Account locked due to “too many login attempts”
- 3. Pop-up messages or email notifications that password has been updated (without authorization)
- 4. Fraudulent charges or withdrawals
- 5. Account-related notices cease
- 6. Back-up email address and/or phone number changed (without knowledge)
What Makes Credential Stuffing Effective?
Credential stuffing is effective because many people use the same username and password for multiple systems and applications. When a credential stuffing attack identifies a viable username and password pair, it is set aside for attacks on other systems.
Another reason for the efficacy of credential stuffing attacks is the vast database of username and password pairs that can be purchased on the dark web. Deployed using sophisticated botnets, credential stuffing attacks can be very successful and lucrative because of the prevalence of credential reuse.
What Are Credential Spills?
A credential spill usually is part of a data breach. Attackers steal username and password pairs for their own use or to sell on the dark web.
Credential Stuffing Incidents
- Restaurant
A series of credential stuffing attacks were launched against the restaurant’s user accounts. The credential information was believed to have been stolen in a prior data breach. - Bank
The bank suffered a data breach made possible by credential stuffing. The attackers stole names, account numbers, phone numbers, transaction histories, dates of birth, account balances, addresses, email addresses, and other information. While fewer than one percent of the bank’s 1.4 million customers in the U.S. were affected, the attack could have been much worse as the perpetrators gained privileged access to the bank’s systems. - Drugstore
This UK cosmetics retailer received a message that hackers had account data for 20,000 of its customers. The hackers had used credentials stolen from other organizations to uncover the usernames and passwords of customers. A subsequent investigation found that only a small set of credentials that had been acquired through credential stuffing rather than through a data breach. - Tax Preparer
Account holders were impacted by a credential stuffing attack that put the large amount of personal and financial data that the tax preparer manages at risk. A thorough investigation confirmed that other security flaws were not found, and attacks were the result of successful credential stuffing caused by users’ failure to use unique username and password pairs. - Ride-sharing
The UK’s Information Commissioner’s Office (ICO) found that an attacker used a ride sharing employee’s previously exposed credentials from other websites to access the company’s GitHub account. Once inside the GitHub account, the attacker found login details to the Amazon Web Service account, from which they stole data for 57 million Uber drivers and riders.
What Is Compromised Credential Checking?
To prevent credential stuffing attacks, checks can be performed to determine if credentials were part of known data breaches. Compromised credential checking (C3) services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), offer APIs that can be used to determine if credentials may have been compromised.
Credential Stuffing vs. Brute Force Attacks
| Credential Stuffing | Brute Force Attacks |
| Tries to gain access with compromised credentials—stolen in a data breach or purchased from the dark web | Tries to crack the username and password of accounts through trial and error |
| Uses bots or automated scripts | Guesses are made using automated software |
| Relies on people having the same credentials across multiple applications and sites | Uses cracking “dictionaries” of common word combinations and insecure passwords |
How to Prevent Credential Stuffing
The best defense against credential stuffing is to avoid the threat completely by using unique and strong passwords for all applications and services. Unfortunately, this is difficult to control even when policies are in place, since users often have accounts that are not under the purview of IT.
Additional solutions to protect against credential stuffing attacks are to:
- Implement two-factor authentication (2FA) or multi-factor authentication (MFA)
- Knowledge based authentication—pre-registered security questions (such as mother’s maiden name)
- Possession based authentication —a device that users would have in their possession (e.g., a token or mobile device)
- Biometric authentication—a biological characteristic of an individual (e.g., fingerprint reader, facial recognition camera)
- Install a web application firewall (WAF) to monitor for and filter out attacks or suspicious activity
- Limit authentication requests and set up alerts when failed attempts exceed specified limits
- Require users to change passwords on a regular basis, and restrict usage of easily-guessed passwords like 123456 and password
- Use a compromised credential checking (C3) service or tool that detects compromised credentials during user authentication
One of the Few Easy Security Fixes
Many security threats are vexing and complex challenges, which makes them difficult to solve. Credential stuffing is one that is easy—for perpetrators to conduct and for victims to protect themselves against. With tools and databases readily available and inexpensive on the dark web, it is relatively simple for cyber-attackers to conduct credential stuffing attacks.
Avoid being a victim of a credential stuffing attack by using challenging passwords that are not replicated across other applications. Managing privileged credentials is easily addressed with low-cost password management tools.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 6th November, 2021
