Credential stuffing has been dominating the headlines in recent years and has fast become the attack method of choice used by cybercriminals.
Between January 1, 2018, and December 31, 2019, Akamai Technologies recorded more than 88 billion credential stuffing attacks across all industries. This figure is only expected to rise with the increase in data breaches and the massive shift to online services during the Covid-19 pandemic.
Credential stuffing attacks occur when criminals use large amounts of stolen usernames and passwords to fraudulently gain access to user accounts. This information is typically obtained on the dark web as a result of one of the many corporate data breaches.
Using large scale bots and specialist automation tools, hackers can then use these stolen credentials to attempt multiple login requests across various sites. This type of attack is relatively easy to execute and relies heavily on people reusing the same password.
It’s really a type of brute force attack, but instead of guessing random password combinations, it uses legitimate credentials, thereby improving the overall success rate.
Like most cyber attacks, the primary motivation is financial. Hackers will attempt to monetise compromised accounts by gaining access to linked bank accounts, or they will use the personal data to commit identity theft.
What’s Fuelling the Growth in Credential Stuffing Attacks?
Quite simply, it’s the billions of compromised credentials that are readily available to buy on the dark web. The website HaveIBeenPwned.com tracks over 8.5 billion compromised credentials from over 400 data breaches, and some of these breaches are absolutely colossal.
The most notable example of this is the Collection #1 mega breach. The breach came to light in 2019, exposing 1.2 billion unique email addresses and password combinations, 773 million unique email addresses, and 21 million passwords.
This easy access to vast amounts of data enables hackers to test millions of different email and password combinations in the hope that users will have reused the same password.
The increasing sophistication of the tools that hackers are now using to launch these attacks has also made it easier to attempt multiple login attempts whilst appearing to originate from different IP addresses.
What Industries are Affected by Credential Stuffing Attacks?
All industries are targets for credential stuffing attacks, but some are more susceptible than others. The most heavily targeted include e-commerce, retail, financial services, entertainment, higher education and healthcare services.
The financial services industry has been hit particularly hard, and in September of this year, the FBI issued a warning to organisations in the financial sector about the spike in credential stuffing attacks. The agency found that 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the loss of millions of dollars.
These types of attacks can have devastating consequences for businesses including; loss of revenue, operational downtime, reputational damage, financial penalties and loss of customers.
Examples of Recent Credential Stuffing Attacks
There’s been a notable increase in the number of data breaches resulting from credential attacks. Some recent examples include:
- Dunkin Donuts – In February 2019, Dunkin Donuts confirmed that it had suffered a credential stuffing attack, the second to take place within the space of three months. In both attacks, hackers used stolen credentials that were leaked from other sites to gain access to DD Perks reward accounts. Once in, they were able to access users’ first and last names, email address, DD Perks account numbers and the DD Perks QR code. In this specific attack, it wasn’t the user’s personal information that the hackers were after, it was the account itself, which they then sold on the dark web.
- Nintendo – In April 2020, Nintendo announced that 160,000 accounts had been breached in a credential stuffing attack. Using previously exposed user IDs and passwords, hackers were able to gain access to user accounts, enabling them to purchase digital items using stored cards. They were also able to view sensitive data including name, email address, date of birth, gender, and country.
How to Prevent Credential Stuffing
Strong Password Security
We all know the importance of using strong and unique passwords, yet according to a recent security survey by Google, 65% of people use the same password across multiple accounts.
This is an extremely risky practice as credential stuffing attacks rely heavily on us using the same old reused passwords. It may be something you keep meaning to get around to, but it’s worth doing a digital clean up and creating unique passwords for each of your online accounts.
A great way to create a longer and more complex password is to use a passphrase. A passphrase is a sentence like string of words that is memorable to you but difficult for anyone else to crack. The first letter of each word will form the basis of your password and letters can be substituted with numbers and symbols to make it even more secure.
Use a Password Manager
If the thought of remembering multiple passwords fills you with dread, then a password manager may be the solution. A password manager provides a centralised and encrypted location that will keep a record of all your passwords safe.
Password managers store login details for all the websites that you use and then logs you in automatically each time you return to a site. The first step when using a password manager is to create a master password. The master password will control access to your entire password database. This password is the only one you will have to remember so it’s important to make this as strong and secure as possible.
Password managers can also protect against phishing attacks as they fill in account information based on your registered web addresses. This means that if you think you’re on your bank’s website, but the password manager doesn’t automatically log you in, you may have inadvertently strayed onto a phishing site.
Implement Multi-Factor Authentication
Multi-factor authentication, otherwise known as MFA, is one of the best ways to protect the security of your online accounts. In fact, according to Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.
Rather than just confirming your identity with a simple username and password, you will have to provide two or more authenticating factors which only you can access. This reduces the chance of a hacker being able to gain easy access to your accounts.
There are lots of different authentication technologies that can be used to confirm your identity and these are usually based on; something you know, something you have, or something you are.
Some of these verification methods are undoubtedly more secure than others but essentially it means that even if someone steals or guesses your password, they won’t be able to access your account without another authenticating factor.
Monitor and Block Suspicious Login Attempts
When hackers attempt to compromise accounts via credential stuffing, they often use bots or other automated tools to input thousands of credentials in quick succession. These are usually spread across multiple IP addresses, which makes it difficult to determine if they are legitimate login attempts or signs of a coordinated attack.
However, if there are several failed login attempts over a relatively short period of time, this can be a sign that a credential stuffing attack is taking place. To prevent this from happening, IT departments can set a limit on the number of login attempts that any single IP address can make within a certain time frame. They can also track logins that result in fraud and blacklist these IP addresses.