Credential stuffing: Everything you need to know to avoid being a victim

Cyberattacks have soared to an all-time high as organizations of all sizes and individuals fall victim to a wide array of malware, spam, ransomware attacks, phishing campaigns, and other hacks. We often also come across several online accounts that are being hacked on digital platforms even though the companies state that their systems have not been compromised. How can this happen? It is because of a growing hacker technique called credential stuffing.

What is credential stuffing?

Credential stuffing is a straightforward strategy in which hackers collect a set of usernames and passwords from corporate breaches and try to stuff those usernames and passwords in several other digital media platforms. In this, attackers exploit the fact that many users have the same passwords for several digital platforms or sites. Billions of credentials have been stolen in recent years. These credentials are now fueling the hackers to exploit user’s personal information and subscriptions illegally using credential stuffing.

Credential stuffing
Shutterstock

Because most of us do not change passwords regularly — even after a data breach — cybercriminals can use credential stuffing for almost everything including spamming, phishing, and account takeovers, which can lead to ransomware being installed on your system. Credential stuffing has become one of the most common means for hackers to exploit and abuse stolen usernames and passwords.

How is credential stuffing different from brute-force attacks?

While credential stuffing itself is a specialized type of brute-force attack, it is much more effective. In brute-force, hackers try to guess the passwords using the “dictionaries” of common username and password combinations. As a result, the chance of success is lower. In credential stuffing, hackers already have valid user details obtained from a data breach. And they use these stolen credentials to access several other different sites, so credential stuffing is much more effective and harmful than typical brute-force attacks.

How does it work?

Attackers use botnets and automated scripts to perform credential stuffing. These bots are then paired with proxies that distribute these botnet attacks across different IP addresses, making them look genuine. Attackers also make and design these botnets to mimic authentic users such as setting them up with delayed inputs and responses.

Credential stuffing
Shutterstock

All of these methods and techniques make it difficult for traditional security prevention systems to detect these bots. Credential stuffing works more effectively on high-traffic websites where a sudden increase in user logins is usually considered normal.

The magnitude of credential stuffing

So, how big is the credential stuffing problem? HaveIBeenPwned is the largest free data breach notification service. The website has tracked over 8.5 billion compromised user accounts and credentials from over 410 different data breaches.

Akamai, one of the leading content delivery networks, observed a massive 61 billion credential stuffing attacks in just 18 months between January 2018 and June 2019. Akamai’s researchers also said that these attacks will grow even more significant due to low-cost tools available for hackers that can evade the traditional intrusion detection systems. Akamai explained that cybercriminals have crafted several applications that streamline and automate credential stuffing, making it possible even for low-skill cybercriminals to launch these attacks.

Staying safe: Users

As an end-user, we can never guarantee the security of our data in any of the service or company we store or use them. Therefore, the best way and the most straightforward approach for an end-user to protect themselves from credential stuffing is to use unique passwords on each account. While this might sound to be a complex process to adapt and manage, it is sure to safeguard your personal information from credential stuffing.

There are several password-managing tools and services available online that can be used to safeguard passwords. Most also have other security features such as two-factor or multifactor authentication and biometric locks.

It is also very important to change passwords at regular intervals. Do not stick to the password for more than a certain number of months if not weeks. It is because of these credential stuffing and other brute-force attacks that many online services are making it mandatory for users to change passwords regularly.

Staying safe: Companies

For companies, however, it is a much more complex story. Companies need to adopt strong security mechanisms to avoid data breaches. A company needs to enforce a policy that its users provide unique passwords and also change them on a timely basis. Companies can also provide added login security mechanisms such as captchas, two-factor or multifactor authentication, and password encryption. Companies can also use security methods such as device fingerprinting, IP blacklisting, and blocking headless browsers.

However, the strongest and most effective solution to prevent credential stuffing is to employ a bot management service. Bot management services can detect and prevent malicious bots from making login attempts into the services without impacting actual user logins. Companies need to deploy strong web application firewall systems and even a slight increase in the login failure rate must be thoroughly examined to prevent such attacks.

Featured image: Shutterstock

2 thoughts on “Credential stuffing: Everything you need to know to avoid being a victim”

  1. Back in the days when I worked on mainframes, and passwords were far simpler, one of the mechanisms to control hack attempts was to introduce a delay in responding to a login attempt.

    An incorrect login got a 1-second delay, which *doubled* with each unsuccessful attempt; it didn’t need many iterations to make any automated login impractical.

    The downside, of course, is that this could be used for a sort of DOS attack.

  2. Such an informative article Sukesh! It must have taken a lot of efforts to curate such a masterpience on this relevant topic. No doubt there has been a spike in credential stuffing attacks lately. For the same reason I too have been reading a lot about it and would like to share my knowledge too.

    Credential stuffing being the method of using a list of stolen credentials that were acquired during security breaches to access numerous sites, usually through automated tool. For organisations it is equivalent to brute force attack wherein the hacker can open a company’s database which carries millions of usernames, passwords, and other personally identifiable information. This can ultimately cause a lot of damage to the company both financially and in terms of customer trust as well.

    However, this can be easily prevented using black bots or implementing multi factor authentication or adopting strong passwords or using passwordless login and many more.

    I came across an article about the same, the link of which i ma leaving below:
    https://www.loginradius.com/blog/2019/09/prevent-credential-stuffing-attacks/

    I am going to share your article with my friends and colleagues. Till then keep up the good work Sukesh 🙂

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top