Main menu


The meaning and prevention of 'credential stuffing'

The meaning and prevention of 'credential stuffing'

"Security incidents, most of them start with this", the meaning and prevention of 'credential stuffing'

Credential stuffing refers to an attack that attempts to illegally access a user account by automatically substituting the collected user name and password. This method has led to data breaches of the past several years, resulting in billions of logins falling into the hands of hackers. These credentials fueled the underground economy and were used for everything from spam to phishing to account takeover. Credential stuffing attacks are one of the most common ways cybercriminals use stolen usernames and passwords.

This is a kind of brute force attack, but it differs in that it uses a list of known valid authentication information obtained from a data breach, rather than guessing a password using a 'dictionary' of common word combinations. Therefore, the attack is much easier and the success rate is higher. This is because many people reuse the same password for multiple websites. Credentials stolen from lesser-known websites are highly likely to be valid even for services with sensitive data.

The severity of the credential stuffing problem

, a free data breach notification service run by security researcher Troy Hunt, tracks more than 8.5 billion compromised credentials identified in more than 410 data breaches. The service only handles authentication information from data sets that have been widely disseminated or published in underground forums. However, many database dumps remain private, available only to a small group of hackers.

An entire underground economy based on the sale of stolen credentials and specialized tools supports automated credential stuffing attacks. These special tools use a so-called 'combo list' that is collected after decrypting the hashed passwords in the leaked database. This attack requires no special skills or knowledge, and virtually anyone can do it by paying hundreds of dollars to buy tools and data.

In the 17 months from November 2017 to the end of March 2019, security and content delivery company Akamai detected 55 billion credential stuffing attacks across dozens of verticals. Sectors such as gaming, retail, and media streaming have been hit harder than others, but no industry is an exception. In a report published in June, Akamai said , “Currently, attackers view credential abuse as a high-return and low-risk venture. These types of attacks will increase for some time to come.”

How to detect and mitigate

credential stuffing attacks Credential stuffing attacks are initiated through botnets and automated tools that support the use of proxies. A proxy distributes bogus requests across multiple IP addresses. Furthermore, attackers usually configure their tools to mimic legitimate user agents (software). For example, it forges header information that identifies the browser and operating system making the web request.

This makes it increasingly difficult to differentiate between hacking attacks and legitimate login attempts. This is especially true for high-traffic websites, as the sudden surge of login requests isn't marked as anomalous. Therefore, if the login failure rate increases for a short period of time, it may be a warning signal that a credential stuffing attack is in progress. Some commercial web application firewalls and services use more advanced behavioral techniques to detect suspicious login attempts. This allows website owners to take steps to prevent these attacks.

Another effective mitigation is the use of multi-factor authentication (MFA). Some automated phishing and account stealing tools can bypass multi-factor authentication, but this requires more resources and is more difficult to succeed than credential stuffing.

However, using multi-factor authentication costs money. Therefore, many companies offer this as an option that users can activate rather than actually enforce it. If mandatory multi-factor authentication for all user accounts is too disruptive to the business, there is a compromise of automatically enabling it only for users determined to be at high risk. For example, we're only targeting user accounts that have an unusually high rate of failed login attempts.

Some large enterprises have begun to take proactive steps to counter these threats, such as monitoring public data dumps and scanning systems for compromised email addresses. If such an account is found, it is strongly recommended to force password reset and implement multi-factor authentication, even if the account is compromised elsewhere. To monitor whether an employee's work email account has been compromised by an outsider, you can set up alerts for your company-wide domain name through a service like HIBP. HIBP's public API has been used to develop scripts in several programming languages, which can be integrated into websites or mobile apps.

Finally, password hygiene should be included in the company's employee security awareness training. Password reuse is what makes credential stuffing possible, and therefore should be taught to actively avoid it, whether at work or at home. One of the alternatives is a password manager. Create a unique and complex password for each online account, and users don't have to remember it. Some password managers also automatically notify users if their email address has been detected in public data dumps.

"Credential stuffing won't go away," Akamai said in the State of the Internet report. Since this cannot be definitely stopped, the process of obtaining authentication information should be made as difficult as possible. Bad passwords and password reuse are very big threats to account security. It does not discriminate in industries such as gaming, retail, media, and entertainment. If passwords are bad or reused across multiple accounts, they will eventually all be breached. This awareness of reality must spread, and password managers and multi-factor authentication must continue to be encouraged.”