Credential Stuffing

March 30, 2022

What is credential stuffing?

Credential stuffing is a cyberattack where cybercriminals use stolen login credentials from one system to attempt to access an unrelated system.

Credential stuffing attacks work on the premise that people often use the same user ID and password across multiple accounts. Therefore, possessing the credentials for one account may be able to grant access to other, unrelated account.

Why is credential stuffing on the rise?

Credential stuffing is a growing risk for several reasons:

  • Credential availability: In recent years, tens of billions of usernames and passwords have been stolen or leaked. These credentials are posted for purchase on digital marketplaces on the dark web. They can be used as the starting point for credential stuffing attacks, as well as a host of other cyberattacks.
  • Technology advances: Credential stuffing attacks leverage bots or other intelligent automation tools to attempt to login to several accounts in a matter of seconds. Because these bots are programmed to test a specific user ID and password combination, the tool only attempts to log in to a given system once. This allows the tool to bypass many traditional security measures, including those that block IP addresses that have too many failed login attempts.
  • Low barrier to entry: The level of technological skill required to launch a credential stuffing attack is extremely low, as is the cost. For as little as $50 USD, anyone with a computer can buy a compromised account on the dark web and launch a credential stuffing attack.
  • The shift to remote work: The COVID-19 pandemic accelerated the remote workforce trend and left many companies unprepared to defend a distributed network. Attackers have exploited this shift and are using account credentials from personal accounts to attempt to access business devices and services.
  • Difficulty to detect: In a successful credential stuffing attack, adversaries impersonate a legitimate user, such as an employee, contractor or even a third-party supplier. This, coupled with the absence of malware or other attack vectors, makes it extremely difficult to detect a credential stuffing attack through traditional cybersecurity defenses.

How does a credential stuffing attack work?

Credential stuffing attacks follow a relatively simple attack path:

1. Attackers leverage stolen account credentials or buy breached credentials via the dark web. These credentials are usually the result of a massive data breach or other cyberattack. In most cases, such information can be bought for very little money.

2. With the credentials for at least one online account in hand, the attacker then sets up a botnet or other automation tool to attempt to log into multiple unrelated accounts simultaneously. Usually, the bot has a feature which obscures or spoofs the IP address to avoid triggering security tools which may block foreign or unusual addresses.

3. The bot then checks to see if access was granted to any secondary services or accounts. In the event the login attempt was successful, the actor will gather additional information, such as personal data, stored credit card information or bank details. Fraudsters may also engage in a number of other scams or crimes, such as:

  • Selling access to compromised subscription accounts online, such as streaming services, media outlets, gaming platforms and more via the dark web
  • Purchasing goods or services using stored payment methods
  • Conducting an account takeover, which is when the adversary assumes control of the account and changes security settings, contact information and other details to carry out future activity with greater ease
  • Selling personal information obtained through the customer account to fuel phishing campaigns and support more advanced attack methods

In the event hackers are able to enter a corporate network through a compromised account, such as one belonging to an employee, contractor or vendor, they can use their time to move laterally, installing back doors, gaining knowledge about the system to use in future attacks, and, of course, stealing data. Since the actor is using legitimate account credentials, they appear to be a legitimate user, which makes it difficult to detect this activity through traditional security measures.

Credential Stuffing Attacks vs. Brute Force Attacks

Credential stuffing and brute-force attacks are similar in nature, but not the same.

A brute-force attack is when a threat actor tries to gain access to sensitive data and systems by systematically trying as many combinations of usernames and guessed passwords as possible.

Credential stuffing is similar to brute-force attack in that the adversary attempts to gain unauthorized access to the system. However, there are several key differences between the two:

Attack Specificity

In a brute-force attack, the threat actor attempts to gain access by guessing either the user ID, password or both. Most often, the attackers use commonly used passwords or common phrases to inform their efforts. Generally speaking, the attacks succeed only if the user has selected a popular and simple password, such as Qwerty, Password or 123456.

In a credential stuffing attack, the adversary has possession of the user’s credentials for a given service and is attempting to use that information to access an unrelated network. For example, if a user’s credentials for their cell phone service has been compromised in a data breach, the cyberattacker will use that information to attempt to log in to other utility services, banking sites, marketplaces or other digital accounts.

Access attempts

In a brute-force attack, the bot is usually programmed to try several combinations of user IDs and passwords. While these attacks have become more sophisticated and may be able to successfully circumvent security measures, many result in the IP address being blocked due to excessive failed login attempts. This factor, coupled with the lack of context in guessing the credentials, make brutes force attacks far less successful than credential stuffing.

Credential stuffing attacks are far more specific. In such attacks, the bot tries a specific user ID and password across a variety of sites. Since the tool does not make multiple access attempts, such activity often goes unnoticed by most traditional security tools.

Password strength

Since brute-force attacks attempt to gain access using a common, simple password, most of these attacks can be prevented by selecting strong, unique passwords for each site or service.

In a credential stuffing attack, password strength is not an issue since the attacker is using a compromised account as the starting point for future logins. Even the strongest of passwords can be a liability if it is shared across several accounts.

How to detect and prevent credential stuffing?

To prevent credential stuffing attacks at the enterprise level, organizations must understand that traditional security best practices, such as setting strong password requirements and monitoring for multiple login attempts, will be of limited help for this particular attack method. That said, there are several effective steps companies can take to prevent credential stuffing attacks and limit their impact:

Enable multifactor authentication (MFA)

Multifactor authentication (MFA) requires all users to use more than one method to authenticate their identity. This may include a combination of traditional account credentials, security token via text message or authenticator tool, or a biometric verification. Organizations that enable MFA are far more protected from credential stuffing attacks since attackers generally only have the account credentials at their disposal — the likes of which are mostly meaningless without a secondary authentication factor.

Implement IT hygiene

An IT hygiene tool such as CrowdStrike Falcon Discover™ provides visibility into the use of credentials across the organization to detect potentially malicious admin activity. The account monitoring feature allows security teams to check for the presence of accounts created by attackers to maintain access. It will also help ensure that passwords are changed regularly, so stolen credentials can’t be used forever.

Add proactive threat hunting

True proactive threat hunting, such as CrowdStrike Falcon OverWatch™ enables 24/7 hunting for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks that standard measures can miss. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, the OverWatch team finds and tracks millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary.

Educate employees on the risks of weak passwords

Credential stuffing attacks can almost always be traced to an individual using the same password across multiple services. Even if the user selected a strong password, they are at risk for compromise if they share that credential across different accounts. Educate users on the importance of avoiding password reuse, as well as other best practices for selecting strong, unique passwords. Provide a password manager tool to prevent users from resorting to easily-remembered passwords and use a discovery tool that exposes default passwords on devices that haven’t been changed.