Do you know what 23andMe, Jason’s Deli, North Face, and Hot Topic have in common? They’ve all been breached by successful credential stuffing attacks in the last year!
An attack type that has gained prominence in recent years is credential stuffing. In this blog, we will explore what credential stuffing is, discuss current approaches to mitigate this type of attack, and their weaknesses. Additionally, we’ll share our insights on what needs to be.
What is Credential Stuffing?
Credential stuffing is a cyberattack in which attackers use stolen username and password combinations from one breach or data leak to gain unauthorized access to accounts across various websites and services. Unlike more sophisticated cyber attacks, credential stuffing leverages already stolen username-password pairs, applying them en masse in an attempt to breach multiple accounts.
This method exploits a common weakness: the tendency of users to reuse passwords across various online services. The process is relatively straightforward. Attackers use automated tools to rapidly test stolen credentials against websites and applications. This is typically done using bots, making it possible to test thousands, if not millions, of credentials in a short span of time.
Devastating Impact
The consequences of a breach for individuals may include identity theft, financial loss, privacy invasion, bankruptcy and more. The impact on businesses is likely to include data breaches, loss of customer trust, financial penalties, loss of brand value and a significant loss in revenue.
A few examples of high-profile data breaches in which credential stuffing attacks were involved include:
- 23andMe (2023): 7 million genetic data records are believed to be in the possession of attackers. This breach is known to have involved credential stuffing techniques.
- Okta (2023): Hundreds of organizations potentially affected through a supply chain attack involving compromised credentials.
- Equifax (2017): Equifax, one of the major credit reporting agencies, experienced a breach in 2017 that exposed sensitive personal information of approximately 147 million Americans. While not a traditional credential stuffing attack, the stolen data could have been used to gain access to various accounts had individuals reused their passwords.
- Dropbox (2016): Dropbox announced that more than 68 million account credentials were compromised. This breach was traced back to reused passwords that were exposed in the LinkedIn data breach earlier that year.
- LinkedIn (2012 and 2016): In 2012, LinkedIn suffered a massive data breach in which over 6.5 million hashed passwords were stolen and posted online. The breach resurfaced in 2016 when an additional 117 million LinkedIn login credentials were put up for sale on the dark web. Cybercriminals leveraged these stolen credentials for credential stuffing attacks on various platforms.
- Yahoo (2013 and 2014): Yahoo faced two major data breaches in 2013 and 2014, compromising over 1.5 billion user accounts in total. The stolen data, including usernames and passwords, was used in credential stuffing attacks on multiple online services.
- Adobe (2013): In 2013, Adobe fell victim to a data breach that exposed the login credentials of approximately 38 million users. Many users had reused their Adobe passwords on other sites, leading to a wave of credential stuffing attacks across the internet.
Limitations of Current Mitigation Techniques
Let us discuss some of the common methods that are used to mitigate credential stuffing attacks and their respective weaknesses.
- Strong Password Policy: Strict policies often lead users to create variations of the same password or write down passwords, which can be easily compromised. This leads to ‘password fatigue’, encouraging users to reuse passwords across different platforms, making them vulnerable to credential stuffing.
- Multi-Factor Authentication (MFA): While effective, MFA can be bypassed or compromised and its adoption is not universal due to inconvenience or lack of technical resources.
- Rate Limiting and Blocking: Attackers can circumvent these measures using IP address rotation and botnets, making it appear as though login attempts are coming from different locations and IPs.
- Behavior Analytics: This method requires significant data collection and analysis, which can be resource-intensive. It is often error prone, producing numerous false positives that block legitimate users, and it raises privacy concerns.
- Blacklisted Compromised Credentials: This works for known compromised credentials. It does not prevent the use of credentials that have been stolen but not yet identified and listed.
- Awareness Training: Cannot guarantee compliance; some users ignore best practices out of convenience, forgetfulness or laziness.
- Web Application Firewalls or WAAP: The majority of legacy WAFs and WAAP solutions are limited in scope and fail to stop this attack.
No single technique solves credential stuffing attacks; a more holistic approach is required.
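To make the rate-limiting weakness above concrete, here is an added example (written for this post, not the product or code of the original author): a constructed login log in which every failed attempt arrives from a different IP, so a per-IP failure limiter never fires, while window-wide signals (failure rate, number of distinct accounts and IPs failing, maximum failures on any single IP) still expose the pattern. The log format, field layout and thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample login log (not from the original post): timestamp, source IP,
# username, outcome. Each failed attempt comes from a different IP, which is the
# footprint that IP rotation leaves behind.
SAMPLE_LOG = """\
2024-01-10T10:00:01Z 203.0.113.10 alice FAIL
2024-01-10T10:00:02Z 203.0.113.11 bob FAIL
2024-01-10T10:00:02Z 203.0.113.12 carol FAIL
2024-01-10T10:00:03Z 203.0.113.13 dave FAIL
2024-01-10T10:00:03Z 203.0.113.14 erin OK
2024-01-10T10:00:04Z 203.0.113.15 frank FAIL
2024-01-10T10:00:04Z 203.0.113.16 grace FAIL
2024-01-10T10:00:05Z 203.0.113.17 heidi FAIL
2024-01-10T10:00:06Z 198.51.100.7 alice FAIL
2024-01-10T10:00:07Z 198.51.100.7 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return (timestamp, ip, user, outcome) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def ips_blocked_by_ip_limiter(events, max_failures_per_ip=3):
    """Classic per-IP rate limiting: block an IP once it exceeds its failure budget."""
    fails = Counter(ip for _, ip, _, outcome in events if outcome == "FAIL")
    return sorted(ip for ip, n in fails.items() if n > max_failures_per_ip)

def stuffing_signals(events):
    """Aggregate signals over the whole window instead of per source IP."""
    failures = [e for e in events if e[3] == "FAIL"]
    fails_per_ip = Counter(ip for _, ip, _, _ in failures)
    return {
        "attempts": len(events),
        "failure_rate": len(failures) / len(events) if events else 0.0,
        "distinct_users_failed": len({u for _, _, u, _ in failures}),
        "distinct_ips_failed": len(fails_per_ip),
        "max_failures_per_ip": max(fails_per_ip.values(), default=0),
    }

def looks_like_credential_stuffing(signals, min_attempts=8, min_failure_rate=0.6):
    """High failure rate spread across many accounts, with too few failures on any
    single IP for an IP-based limiter to ever trigger (thresholds are assumptions)."""
    return (signals["attempts"] >= min_attempts
            and signals["failure_rate"] >= min_failure_rate
            and signals["distinct_users_failed"] >= 0.5 * signals["attempts"]
            and signals["max_failures_per_ip"] <= 2)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("IP limiter would block:", ips_blocked_by_ip_limiter(ev))
    s = stuffing_signals(ev)
    print(s, "credential stuffing suspected:", looks_like_credential_stuffing(s))
```

Run on the sample, the IP limiter blocks nothing, while the window-wide check flags the traffic; a single account hammered from one IP produces the opposite result, which is the case the per-IP limiter was designed for.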
Battling the Credential Stuffing Menace: The Way Forward
Given the limitations of current methods in combating credential stuffing attacks, a more robust approach would involve a multi-layered strategy that includes the following.
- Detects and prevents credential stuffing attacks.
- Detects brute force or forced browsing attempts that may be part of a credential stuffing attack.
- Leverages behavior-based detection for API abuse prevention, monitoring sessions for suspicious behavior.
- Detects and monitors authentication endpoints for signs of such attacks.
- Integrates with common incident response, DevOps, orchestration and operations tools.
- Uses automation to scale attack mitigation.
- Works in-line and out-of-band, providing the flexibility needed.
Adopting this comprehensive approach is essential for organizations to gain effective protection against credential stuffing attacks.
We offer a comprehensive solution to help you. Contact us now to get started.