Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk

Reports of high-profile data breaches like Equifax’s, LinkedIn’s or Yahoo’s always caused an initial, widespread panic — and for good reason. But after having massive amounts of their sensitive information exposed such as usernames and passwords, many consumers and organizations move on far too quickly. Whether it’s because they assume there’s nothing they can do to rectify the situation or due to a lack of understanding of their risk level, too many individuals and companies remain dangerously oblivious to what happens after a data breach.

Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk
Credential Stuffing: Why It’s on The Rise and How to Decrease Your Risk

Post-breach, many cybercriminals turn to the Dark Web to purchase data stolen from high-profile data breaches. For instance, recently eight hacked databases containing data for 92.75 million users were put up for sale on the Dark Web Marketplace “Dream Market” for 2.6249 bitcoins (about $9,400 USD at the time). Hackers will then use their newly-acquired, stolen data to fuel credential stuffing attacks, i.e. attacks that leverage stolen account credentials to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Unlike credential cracking, credential stuffing doesn’t rely on brute force or attempts to guess passwords. Instead, cybercriminals simply automate the logins for thousands to millions of previously discovered credential pairs using standard web automation tools or tools designed specifically for credential stuffing (e.g. services that manipulate login requests to make them look like they came from many different browsers and/or products that integrate with platforms designed to defeat Captchas). On average, hackers find matches between stolen credentials and a website about only one percent of the time, however, with every new large-scale breach, the credential stuffing process becomes easier and more effective.

To combat credential stuffing, both consumers and companies need to recognize the danger these attacks pose and adhere to the following four best practices:

  1. Monitor data breaches: It’s critical to stay apprised of large-scale breaches so that if/when you have an account with a company that experiences a data breach, you can immediately change your password. Also, if you use the same username and password for other accounts, be sure to change those passwords as well. Keeping up with the near-daily occurrence of data breaches can feel like an overwhelming task, so consider leveraging tools like this to determine if any of your credentials have been leaked at any time.
  2. Improve your passwords: One of the top factors driving the credential stuffing epidemic is poor password hygiene. Never reuse the same username and password across multiple sites, change your passwords regularly, make sure each password has no resemblance to the old, don’t use the same core word(s) and refrain from placing the same special characters in the same positions. Password managers can help by creating an easily managing the types of highly secure passwords that are impossible to remember.
  3. Implement two-factor authentication: By turning on two-factor authentication whenever available, an additional authentication is requested when you enter your password. This provides another vital layer of protection in the event of a network attack and should always be turned on.
  4. Blacklist suspicious logins: Companies should consistently track logins that result in fraud and then blacklist the associated IP addresses. Also, if users are located in a specific region, they can create geofences that block traffic that comes from elsewhere. Such tactics can make the proxy lists cybercriminals rely on to mask their mass login attempts far less effective, not to mention more complex and costly. Web-based security products can also be leveraged to block a single IP address or a range of IP addresses that result in too many unsuccessful login attempts.

A recent report from Akamai found that an average of 4.15 billion malicious login attempts from bots was detected in both May and June of 2018, and that’s up from an average of 3.75 billion per month between November 2017 and June 2018. Credential stuffing attacks will continue to become even more prevalent in the years ahead, especially as data breaches expose hundreds of millions of usernames and passwords on a regular basis.

By recognizing the credential stuffing problem head-on and abiding by simple cybersecurity best practices, however, both consumers and companies alike can drastically reduce their risk and at the same time make cybercriminals’ jobs far more challenging.

By Kevin Landt, VP of Product Management at Cygilant