How credential stuffing works (and how to stop it)


In December 2022, Norton users were put on high alert after threat actors compromised the security application with a credential-stuffing attack. Norton’s security team locked down about 925,000 accounts after detecting a suspicious flurry of login attempts from Norton Password Manager users.

After the investigation, news broke that the cyber criminals successfully cracked the codes to “thousands of accounts,” which put the personal information of the users at risk.

Credential stuffing attacks make up 34% of all login attempts, as malicious actors attempt to take over your account. But just how does it work, and what can we do to stop these campaigns? Let’s find out.

What is a credential stuffing attack, and how does it work?

Credential stuffing is a common cyberattack where actors use automated software to rapidly test lists of stolen login credentials to gain unauthorized access to online accounts.

So, how does credential stuffing work? Attackers take the following steps:

  1. Buy or download a list of usernames and passwords from the dark web. These data sets are sold on illicit marketplaces after a data breach.

  2. Set up automated bots to attempt logins to multiple user accounts. The bots can evade detection by masking their IP addresses.

  3. Gain access to accounts whenever the bots find a match. At that point, the attackers can steal personal information, like credit card numbers or social security numbers.

  4. Monitor the bots as they try successful password combinations to access other accounts. As 65% of people rely on the same password for multiple accounts, there is a high chance of cracking multiple accounts with the same username and password pair.

What’s the difference between credential stuffing and brute force attacks?

A brute force attack is another attack method with a few subtle differences from credential stuffing.

In credential stuffing, attackers make login attempts using leaked or stolen password data from real accounts. But in brute force attacks, attackers attempt logins by guessing commonly used passwords and dictionaries of common passphrases.

Also, credential-stuffing threat actors know they have genuine credentials and simply need to find a matching account, whereas anyone trying a brute force attack has no context about the correct credentials of the targets.

For that reason, brute-force attacks rely on blind luck or easy-to-guess passwords. Credential stuffing is a numbers game, but with automation, it can be highly profitable.

What are the consequences of credential stuffing?

For consumers who fall victim to credential stuffing attacks, there is a real risk the perpetrators could steal sensitive data, damage their financial reputation and target them with identity theft.

Here are six things to be aware of if you’re targeted by credential stuffing:

  1. Compromised accounts. If threat actors gain access, they could install spyware, steal or destroy data or impersonate the account holder to send spam or launch phishing attacks on other targets.

  2. Data leaks. Many attackers try to break into financial institutions or high-value government targets, as they can sell the data on illicit online marketplaces to identity thieves and gangs with political aims.

  3. Account lockouts. After too many failed login attempts, your account’s security system could lock you out. This may disrupt your business or restrict access to key accounts like email or banking.

  4. Ransomware demands. State-sponsored hacking groups may take control of a critical infrastructure facility or large enterprise to demand a ransom payment.

  5. Increased cybersecurity risks. Stolen user credentials can be used for future attacks, which puts victims and any closely related parties at greater risk after the initial breach.

  6. Negative impact on business reputation. Consumer trust will take a nosedive if your company suffers a breach. When thousands or millions of users feel the threat to their private data, it can cost a company on the stock market. The average cost of a data breach was $4.35 million in 2022.

3 recent examples of credential stuffing

1. July 2022, A Major Outdoor Apparel Company

Cyber criminals used credential stuffing to target this outdoor recreation apparel company. The attack compromised almost 200,000 customer accounts, exposing details including names, phone numbers, gender, purchase history, billing addresses and loyalty points. Soon after, the company sent out notification letters about the data breach, urging customers to change their passwords.

2. December 2022, A Large Payment Processing Company

An attack impacted almost 35,000 user accounts of this payment processor. The company reported no unauthorized transactions, but the attack exposed personal data including names, social security numbers and tax identification numbers.

3. January 2023, A Prominent Fast Food Chain

This fast food chain confirmed a breach that accessed over 71,000 customer accounts. Threat actors conducted a credential stuffing attack for several months, gaining access to customers’ reward balances and using them. The stolen data may also have included physical addresses and the last four digits of customer credit cards.

What can security teams do to stop credential-stuffing attacks?

2022 saw a 45% year-on-year growth of credential stuffing attacks in the financial sector. As thriving companies build their platforms and attract more users, the potential gains become more tempting for nefarious cyber criminals.

Here are six steps security teams can take to combat this threat:

1. Implement multi-factor authentication (MFA).

By adding an extra layer of security to user accounts, you make it harder for threat actors to gain access. Even if someone has the right credentials, it’s unlikely they will also have your phone, hardware key or biometric data. Companies that use MFA internally can lock down their systems against credential stuffing.

2. Use password managers.

While there have been a few breaches at popular password managers lately, these applications remain a staple of modern digital security. Instead of relying on memory or simple, easy-to-guess passwords, everyone can use password managers to create and store long, unique, complex codes for every account and device.

3. Encourage better password practices.

Educating users with online content is good, but security teams must practice what they preach to protect consumer data. A proactive approach to eliminating password reuse, password sharing and writing login information down on paper will reduce the chance of insider attacks.

4. Watch out for unusual behavior around login attempts.

A consistent monitoring approach can foil fraud. When you notice a sudden spike in login attempts or unusual patterns, you can block the IP address and warn legitimate users about the attempted hack. Encouraging compromised account owners to update their passwords will help break the attack lifecycle.

5. Use rate-limiting.

Another defensive mechanism is rate-limiting, which stops malicious bots from making too many login attempts in a short period. This security feature will stall progress on automated attacks and often thwart the actor’s ability to exploit an account or overwhelm the network with a Denial of Service (DoS) campaign.
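As an added example that is not part of the original article, the following Python script applies the monitoring idea from step 4 and the threshold idea from step 5 to constructed login records: a source that exceeds a failure threshold inside a time window is flagged, and the number of distinct usernames it tried separates credential stuffing (many accounts, few tries each) from brute force (one account, many tries). The log format, field names, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample login records (format assumed): 203.0.113.5 sprays one
# attempt across many accounts, 198.51.100.7 hammers one account, 192.0.2.9 is
# a user who mistyped once.
SAMPLE_LOG = """\
2023-01-10T12:00:00Z ip=203.0.113.5 user=alice result=FAIL
2023-01-10T12:00:01Z ip=203.0.113.5 user=bob result=FAIL
2023-01-10T12:00:01Z ip=203.0.113.5 user=carol result=FAIL
2023-01-10T12:00:02Z ip=203.0.113.5 user=dave result=OK
2023-01-10T12:00:02Z ip=203.0.113.5 user=erin result=FAIL
2023-01-10T12:00:03Z ip=203.0.113.5 user=frank result=FAIL
2023-01-10T12:00:05Z ip=198.51.100.7 user=alice result=FAIL
2023-01-10T12:00:06Z ip=198.51.100.7 user=alice result=FAIL
2023-01-10T12:00:07Z ip=198.51.100.7 user=alice result=FAIL
2023-01-10T12:00:08Z ip=198.51.100.7 user=alice result=FAIL
2023-01-10T12:00:09Z ip=198.51.100.7 user=alice result=FAIL
2023-01-10T12:30:00Z ip=192.0.2.9 user=grace result=FAIL
2023-01-10T12:30:04Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(lines):
    """Yield (epoch_seconds, ip, user, success) for each well-formed record."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts.timestamp(), m.group(2), m.group(3), m.group(4) == "OK"


def classify(lines, window=60, max_fail=5, min_users=4):
    """Return {ip: verdict} for sources with >= max_fail failures in `window` seconds.
    Failures spread over >= min_users accounts -> credential stuffing; otherwise brute force."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures inside the window
    verdicts = {}
    for ts, ip, user, ok in sorted(parse(lines)):
        if ok:
            continue  # only failed attempts feed the threshold
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= max_fail:
            users = {u for _, u in q}
            verdicts[ip] = "credential_stuffing" if len(users) >= min_users else "brute_force"
    return verdicts
```

A flagged source is the point where the article's step 5 applies: rate-limit or block it, and notify the owners of any accounts that logged in successfully from it.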

6. Monitor the dark web.

Collection #1-5 contains 22 billion usernames and passwords, many of which are easily crackable with attacker dictionaries. To stay one step ahead of emerging cyber threats, your team should monitor the dark web for such collections and address the weaknesses they reveal before an attack happens.

Security teams must protect and educate users

Malicious actors can build an army of automated bots that run thousands or millions of fraudulent login requests a day. Auth0 detected almost 300 million credential stuffing attempts per day in early 2022.

To combat this growing threat, users must embrace good password practices and reliable password managers. But the real responsibility for data protection lies with website security teams and app providers.

If your team is going to disrupt the attack cycle and keep threat actors at bay, you need a multi-faceted approach that combines robust access control, threat monitoring and rate-limiting safeguards. Ultimately, the strongest defense is built on education and a culture of security.

The post How credential stuffing works (and how to stop it) appeared first on Security Intelligence.