What is credential stuffing?
Credential stuffing is the automated use of collected usernames and passwords to gain fraudulent access to user accounts. Billions of login credentials have landed in the hands of hackers over the past several years as a result of data breaches. These credentials fuel the underground economy and are used for everything from spam to phishing and account takeovers. Credential stuffing attacks are one of the most common ways cybercriminals abuse stolen usernames and passwords.
This is a brute-force attack technique, but instead of trying to guess passwords using “dictionaries” of common word combinations, attackers use lists of known valid credentials obtained from data breaches. The result is attacks that are much easier to execute and have a higher success rate because a large number of people continue to reuse their passwords across different websites, so credentials stolen from a low-profile website have a high chance of working on services that hold more sensitive data.
Credential stuffing statistics
HaveIBeenPwned.com (HIBP), a free data breach notification service run by security researcher Troy Hunt, tracks over 8.5 billion compromised credentials from over 410 data beaches. The service only includes credentials from data sets that are public or have been widely distributed on underground forums, but many database dumps have remained private and are only available to small groups of hackers.
An entire underground economy based on selling stolen credentials and specialized tools supports automated credential stuffing attacks. These tools use so-called “combo lists” that have been put together from different data sets after the hashed passwords found in leaked databases have been cracked. This means that launching such attacks does not require any special skills or knowledge and can be done by virtually anyone who has a few hundred dollars to buy the tools and data.
In 2020, security and content delivery company Akamai detected 193 billion credential stuffing attacks globally. This represents a 360% increase over 2019, although some of that increase corresponds to a larger number of Akamai customers monitored. Some industries were more heavily targeted than others—for example, the financial services industry alone experienced 3.45 billion credential stuffing attacks.
Akamai’s report, released in May 2021, noted several spikes in credential stuffing attack volume, including one day in late 2020 that saw over a billion attacks, that its authors linked to events occurring in the criminal economy. “Millions of new usernames and passwords, tied to several notable incidents in Q1 and Q2 of 2020, as well as some in Q3, started circulating among criminals on several forums. Once these compromised credentials were in circulation, they were sorted and tested against brands across the internet, including several financial institutions,” the report said.
How to detect credential stuffing
Credential stuffing attacks are launched through botnets and automated tools that support the use of proxies that distribute the rogue requests across different IP addresses. Furthermore, attackers often configure their tools to mimic legitimate user agents—the headers that identify the browsers and operating systems web requests are made from.
All this makes it very hard for defenders to differentiate between attacks and legitimate login attempts, especially on high-traffic websites where a sudden influx of login requests doesn’t stand out as unusual. That said, an increase in the login failure rate over a short period of time can be a telltale sign that a credential stuffing attack is in progress.
While some commercial web application firewalls and services use more advanced behavioral techniques to detect suspicious login attempts, website owners can take measures to prevent such attacks.
How to prevent and mitigate credential stuffing
One effective mitigation is to implement and encourage the use of multi-factor authentication (MFA). Even though some automated phishing and account takeover tools can bypass MFA, those attacks require more resources and are harder to pull off en masse than credential stuffing.
Since MFA has a usability cost, many organizations provide it as an option that users have to turn on rather than actually enforcing it. If making MFA mandatory for all user accounts is considered too disruptive for business, a compromise is to automatically enable it for users who are determined to be at greater risk, for example after an unusually large number of failed login attempts on their accounts.
Large companies have also started to be proactive by monitoring public data dumps and checking to see if the impacted email addresses also exist in their systems. For those accounts that are found on their services, even though they were compromised elsewhere, they force password resets and strongly suggest enabling MFA.
Companies that want to monitor if accounts set up by their employees with their work emails were impacted by external breaches can use services like HIBP to set up alerts for their entire domain names. HIBP’s public API has even been used to develop scripts in various programming languages that can be integrated into websites or mobile apps.
Finally, password hygiene should be part of any company’s security awareness training for employees. Password reuse is what enables credential stuffing attacks so this practice should be strongly discouraged, both at work and at home.
Users can use password managers to generate unique and complex passwords for every online account without having to remember them. Some of these applications even notify users automatically if their email addresses are detected in public data dumps.
“Credential stuffing isn’t going anywhere,” Akamai concluded in its State of the Internet report. “Since it can’t be stopped outright, the goal should be making the process of obtaining credentials as difficult as possible. Weak passwords and password reuse are the bane of account security; it doesn’t matter if we’re talking about gaming, retail, media and entertainment, or any other industry. If a password is weak or reused across multiple accounts, it will eventually be compromised. Awareness around these facts needs to increase, as does the promotion of password managers and multi-factor authentication.”