
What is credential stuffing and how to defend yourself effectively?

by Yasir Aslam

Credential stuffing is a cyber attack technique that uses stolen credentials to gain access to websites and web services.

Despite its simple definition, it is a rather complex form of attack. The attacker does not rely on the trial-and-error “brute force” method to recover sensitive data, nor on guessing, but automates login attempts with large numbers (thousands to millions) of previously leaked username/password pairs.

Let’s take a closer look at the nature of credential stuffing, how it is carried out, and how you can defend yourself.

What is a credential stuffing attack

Credential stuffing exploits a bad habit of users: reusing the same credentials (username and password) over and over again to access different portals, applications and web services.

These credentials, already in the attacker’s possession, are used to gain unauthorized access to user accounts through automated requests. In practice, this means that the attacker automates login attempts for a large number of users.

The attacker works from a real archive of username/password pairs collected online through various means, including, to name a few, Google dorks (search queries crafted to surface specific results), phishing, and data supplied by criminal hacking organizations.

These archives contain millions, and in some cases billions, of login credentials, from which the attacker can obtain up to a thousand successfully compromised accounts. If even a small percentage of these yield useful data (for example, credit card numbers), the attack has paid off.

The purpose of credential stuffing is to reach the other data held in the compromised account: the credit card number, the user’s address, any stored documents and the user’s contacts. All of this is valuable data from which enormous profit can be made.

From a technical point of view, an attack of this type requires a list of credentials, a list of the online services to be targeted, a way of sending requests from a large number of different IP addresses and, finally, a bot, that is, a program that automatically attempts to log in to the chosen online services.

With these bots, login attempts against an online service follow one another while the sender’s IP address keeps changing, so that the destination server does not block them once the number of failures from a single address exceeds a certain threshold.

Once a login succeeds, the bot can access the data and information mentioned above. Every set of working credentials is also saved for possible later use.
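The threshold evasion just described is exactly what a defender has to account for when examining authentication logs. The following Python script is an added example, not part of the original article: it runs a classic per-IP failure rule and a distributed-campaign rule over a constructed authentication log (the log format, the IP addresses and the usernames are all made up for the example) and shows that the per-IP rule finds nothing while the combination of many distinct addresses, many distinct accounts tried once each, and a very low success rate inside a short window does.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not real data).
# Each line: ISO timestamp, client IP, username, result.
# The burst at 10:00 shows the pattern described above: every attempt comes
# from a different address, so no single IP ever trips a failure threshold.
SAMPLE_LOG = """\
2024-05-01T09:30:00 198.51.100.7 alice SUCCESS
2024-05-01T09:31:00 198.51.100.8 bob SUCCESS
2024-05-01T10:00:01 203.0.113.10 alice FAIL
2024-05-01T10:00:02 203.0.113.11 bob FAIL
2024-05-01T10:00:02 203.0.113.12 carol FAIL
2024-05-01T10:00:03 203.0.113.13 dave FAIL
2024-05-01T10:00:03 203.0.113.14 erin SUCCESS
2024-05-01T10:00:04 203.0.113.15 frank FAIL
2024-05-01T10:00:04 203.0.113.16 grace FAIL
2024-05-01T10:00:05 203.0.113.17 heidi FAIL
2024-05-01T10:00:05 203.0.113.18 ivan FAIL
2024-05-01T10:00:06 203.0.113.19 judy FAIL
"""


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def ips_over_failure_threshold(events, threshold=5):
    """The classic per-IP rule: block an address after `threshold` failed logins.
    Against a rotating-IP bot this returns nothing, because each address fails once."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n >= threshold}


def detect_distributed_stuffing(events, window=timedelta(seconds=10), min_attempts=8,
                                min_spread=0.8, max_success_rate=0.2):
    """Flag windows in which many different accounts are each tried about once, from
    many different addresses, with a success rate far below that of normal traffic.
    Together these three signals separate a stuffing campaign from users mistyping."""
    alerts = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        bucket = [e for e in events[i:] if e["ts"] < start + window]
        attempts = len(bucket)
        if attempts >= min_attempts:
            distinct_ips = len({e["ip"] for e in bucket})
            distinct_users = len({e["user"] for e in bucket})
            success_rate = sum(e["ok"] for e in bucket) / attempts
            if (distinct_ips / attempts >= min_spread
                    and distinct_users / attempts >= min_spread
                    and success_rate <= max_success_rate):
                alerts.append({"start": start, "end": start + window, "attempts": attempts,
                               "distinct_ips": distinct_ips, "distinct_users": distinct_users,
                               "success_rate": success_rate})
                i += attempts  # events are sorted, so skip the whole burst: no duplicate alert
                continue
        i += 1
    return alerts


def targeted_accounts(events, alerts):
    """Accounts touched during a flagged window. The successful login inside the
    burst (erin, in the sample) is the one to step up to MFA or force a reset on."""
    users = set()
    for a in alerts:
        users.update(e["user"] for e in events if a["start"] <= e["ts"] < a["end"])
    return users


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    alerts = detect_distributed_stuffing(evs)
    print("per-IP threshold blocks:", ips_over_failure_threshold(evs))
    for a in alerts:
        print("distributed campaign:", a)
    print("accounts to protect:", sorted(targeted_accounts(evs, alerts)))
```

The thresholds (10-second window, 8 attempts, 80% address and account spread, 20% success rate) are illustrative; in production they should be tuned against the service's own baseline, and the flagged window is the input for the IP blocking, logging and incident procedure discussed further on.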

Compared with methods such as brute force and social engineering, credential stuffing is considered quicker and more effective.

In particular, the former, which we discuss in more detail below, requires a far greater number of login attempts, since it relies on completely random password combinations that may not exist at all.

Social engineering, for its part, confines the attack to a single platform, since it cannot target hundreds of different online services at the same time.

How it is conducted: some practical examples

Credential stuffers first gather the details of the stolen accounts and then deploy the bots needed to automate login attempts on many other accounts with the same credentials. Once they find a way in, they compromise the account by making fraudulent purchases or by stealing confidential information and data.

When companies are caught up in this type of attack, a further harmful consequence is that the servers running the website, the remote-working applications and employee access have to cope with excessive traffic. Productivity suffers, and IT managers may be pushed to resize the network infrastructure, with cost increases that can weigh significantly on the company’s budget.

A rather well-known example of credential stuffing is the one that, in 2018, involved thousands of TeamViewer and Dropbox accounts, on which numerous unauthorized accesses were recorded, made using the billion and a half credentials stolen in a data breach suffered by Yahoo during the same year.

As anticipated, this type of attack is not limited to stealing user credentials but aims to obtain other data about the victim. Two emblematic incidents, in 2018 and 2016, illustrate this. In the first, the UK beauty products retailer Superdrug was hit with an attempted blackmail: hackers stole 20 thousand user accounts with the aim of collecting information of all kinds.

Two years earlier, in October 2016, another credential stuffing attack hijacked the accounts of twelve employees to gain access to a private GitHub repository used by Uber, reaching the sensitive data and private information of 32 million users and 3.7 million drivers.

Unfortunately, the phenomenon described is a growing threat to individuals and companies alike. This is confirmed by the data in F5’s Credential Stuffing Report, which shows that the theft of access credentials doubled between 2016 and 2020. In 2020 alone, the average size of these thefts grew by 234% compared to 2019.

Most worrying of all, the report highlights the domino effect of such attacks: stolen credentials are resold to fund phishing campaigns, malware attacks and ransomware.

Credential Stuffing vs. Brute Force

OWASP (the Open Web Application Security Project, an international organization dedicated to web application security) classifies the theft and illicit use of credentials as a subset of brute force attacks.

On closer inspection, though, credential stuffing differs from a traditional brute force attack.


Brute force attacks try to “guess” passwords with no context or clues to go on, using random character strings, sometimes mixed with lists of common passwords. Credential stuffing, by contrast, relies on exposed data, which drastically reduces the number of candidates that have to be tried.

A complex password (several characters, including capital letters, numbers and special characters) is a good defense against brute force, but it does not protect against the theft and illicit use of credentials: if the same password is shared between different accounts, credential stuffing can still compromise it.

Unlike a brute-force attack, credential stuffing does not crack any passwords. The attacker attempts to log in to a web service by trial and error, drawing on previously discovered pairs of credentials and automating the entire process.

How to defend yourself

As already mentioned, the goal of credential stuffing is not just the username/password combination itself but, through real “attack campaigns”, access to the other sensitive (and valuable) data held in compromised accounts. Prevention therefore requires multiple layers of security and precise corporate policies.

First of all, a unique password should be used for each service, one not linked to personal information that could easily be traced back to the user. If you always use unique passwords, credential stuffing will not work against your accounts.
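A service can enforce part of this rule on its own side by refusing, at registration or password change, any password that already appears in a leaked-credential corpus. The Python below is an added example, not code from the article: it simulates both halves of the k-anonymity range lookup popularised by Have I Been Pwned (the client hashes locally and sends only the first five hex characters of the SHA-1; the server answers with the suffixes of every breached hash sharing that prefix). The breached-password list and the candidate passwords are constructed for the example.

```python
import hashlib

# Constructed stand-in for a compromised-credential corpus. In production this
# would be a large leaked-password list or an external k-anonymity range
# service; the lookup protocol below follows that design.
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "Summer2023!", "letmein", "iloveyou"]


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the representation range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: group the hash of every breached password by its first five
    hex characters, so a query never has to reveal the full hash."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_lookup(index, prefix):
    """Server side: return the suffixes of all breached hashes sharing `prefix`.
    The server learns only five hex characters, never the password or full hash."""
    return index.get(prefix, [])


def is_breached(password, index):
    """Client side: hash locally, query with the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])


def check_new_password(password, index, min_length=12):
    """Policy applied at registration or password change.
    Returns (accepted, reasons) so the UI can tell the user what to fix."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_breached(password, index):
        reasons.append("found in breach corpus")
    return (not reasons, reasons)


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ["Summer2023!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, RANGE_INDEX))
```

Rejecting breached passwords at the point where the user chooses them removes exactly the credentials a stuffing list would contain; it complements, rather than replaces, the unique-password advice above, since a service cannot know what the user does elsewhere.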

As an additional security measure, two-factor authentication should always be enabled, so that logging in requires not only the password but also a second authentication factor, for example a code sent to a smartphone, the answer to a personal question or a one-time temporary code.
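To show why a leaked password alone is then no longer enough, here is an added example (not code from the article) of a server-side login that checks the password hash and a time-based one-time code, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library. The user record, salt and password are constructed for the example; the 20-byte secret is the published RFC 6238 test secret, chosen so the codes can be checked against the RFC's test vectors. The verifier also refuses to accept the same time step twice, so a code captured by an attacker cannot be replayed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    counter, dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP with the counter taken from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactor:
    """Server-side verifier for a user's enrolled TOTP secret. Accepts one step of
    clock drift either way and never accepts a time step that was already used."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1

    def verify(self, submitted, at_time=None):
        now = int(time.time() if at_time is None else at_time)
        base = now // self.step
        for delta in range(-self.drift, self.drift + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed: blocks replay of an intercepted code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


def verify_password(password, salt, stored_hash):
    """Constant-time comparison of a PBKDF2-SHA256 hash; passwords are never stored in clear."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


# Constructed user record. The salt is fixed only so the example is reproducible;
# a real system draws os.urandom(16) per user. The TOTP secret is the RFC 6238 test secret.
SALT = b"constructed-salt"
ALICE = {
    "salt": SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"reused-everywhere", SALT, 100_000),
    "totp": SecondFactor(b"12345678901234567890"),
}


def login(user, password, code, at_time=None):
    """Both factors must pass: a password lifted from another site's breach
    fails here without the current code from the user's device."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    return user["totp"].verify(code, at_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"
    print("RFC 6238 vector at t=59:", totp(secret, 59, digits=8))   # 94287082
    print("password only:", login(ALICE, "reused-everywhere", "000000", 59))
    print("password + code:", login(ALICE, "reused-everywhere", totp(secret, 59), 59))
    print("same code again:", login(ALICE, "reused-everywhere", totp(secret, 59), 59))
```

Note that the replay check is per user and must live in server-side state shared by all login nodes; the drift allowance of one step is what most authenticator deployments use to tolerate phone clocks being slightly off.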

For companies, preventing the risk of credential stuffing is more complex. In line with the GDPR (General Data Protection Regulation) on the protection of personal data, the company policy should first of all provide for a blacklist to block suspicious IP addresses, plan the addition of logging to the web application or website concerned, and implement a web application security system.

As for the awareness of employees and contractors, the company’s IT security manager must be in a position to recommend the creation of unique passwords.

Anyone using a company account is advised to create complex passwords that are not reused elsewhere, not to use the company account for private purposes (with an absolute ban on accessing personal mail from company clients), and to use a different username for the corporate account, so that no link can be drawn between the two accounts.

Enabling additional measures to protect logins, such as two-factor authentication and requiring users to solve a CAPTCHA at login, also helps mitigate credential stuffing and block malicious bots.

When the organization suffers a credential stuffing attack, it should follow a procedure that sets out the right steps to take: understanding the origin of the attack and limiting its negative effects, examining the log files, and engaging everyone who will need to cooperate in managing the incident.

Secondly, all users must be informed and asked to change their password on the attacked site and on every other site where the same credentials are used, and to block their credit cards so that the card data stored in the accounts become unusable.

Finally, the GDPR, under Article 33, requires the incident to be recorded and notified to the Supervisory Authority within 72 hours.

 
