What is credential stuffing?
Credential stuffing is a cyberattack method in which a scammer uses stolen or leaked credentials (username and password pairs) to log in to other accounts on the web.
These types of attacks enable cybercriminals to steal money, make large purchases, attempt account takeovers, or perpetrate corporate espionage. The attacker gains access to user accounts to carry out other attacks or fraudulent activities.
An unfortunate side effect of credential stuffing attacks is that businesses that have not been breached can become indirect victims via someone else’s data breach.
While success rates of credential stuffing are low (usually 1-3%), scammers rely on volume to achieve their goals. Cybercriminals can “stuff” thousands or even millions of compromised credentials into multiple websites at once using attack tools, increasing their chances of success.
How Do Credential Stuffing Attacks Work?
A large-scale credential stuffing attack typically follows several steps. The hacker:
- Sets up a bot that automatically logs into multiple user accounts simultaneously. Multiple IP addresses are faked using credential stuffing tools that simulate normal web application traffic and evade IP and browser blocking methods.
- Checks to see if credentials work on other websites. This is done automatically and in parallel to avoid repeated logins.
- Captures credit cards, personally identifiable information (PII), or other data gathered from successful logins.
- Records account information for future unauthorized use, including spear phishing attacks and other large-scale data breaches.
Credential Stuffing Vs. Brute Force Attacks: What’s the Difference?
Credential stuffing is a subset of brute force attacks. In brute force attacks, scammers attempt to log in to accounts by guessing passwords, changing the letters, numbers, and characters in commonly used passwords and password phrases.
While the goals of credential stuffing and brute force attacks are the same, there are several significant differences:
- Brute force attacks are “blind” — scammers try to guess user credentials with no clues, using common password patterns or random character strings.
- Brute force attacks lack data and context from previous breaches, so successful logins are much lower.
- Credential stuffing uses leaked data, reducing the number of possible correct answers, thereby improving the chances of successful infiltration.
- If a company practices basic security measures, brute force attacks are likely to fail, while credential stuffing attacks can still succeed.
How to Defend Against Brute Force Attacks
Strong passwords are your best defense against brute force attacks. Encourage users to create passwords consisting of a mix of characters, including upper and lowercase letters, special characters, and numbers.
Password generators enable you to specify password length and complexity requirements and are often the easiest way to create complex passwords.
Unfortunately, password strength does not protect against credential stuffing since passwords are already known. Credential stuffing can compromise a password no matter how strong it is.
Why Is Credential Stuffing On the Rise?
- Credential databases continue to grow and are attractive targets for hackers. “Collection #1-5” famously made 22 billion username and password combinations available to the hacker community.
- Sophisticated bots have made it possible to attempt several login requests simultaneously. They can make it seem like they originate from different IP addresses, enabling them to circumvent bans that have prevented multiple failed login attempts in the past.
- Stolen passwords and information obtained from using them (like Social Security numbers, credit card numbers, and addresses) can be resold and reused by other cybercriminals on the dark web, creating a profitable aftermarket.
- An attacker can use stolen credential privileges to carry out more severe attacks.
How To Prevent Credential Stuffing Attacks
Credential stuffing attacks are especially hazardous because they cross-pollinate business and personal accounts. Since people often use the same passwords for work and home accounts, credential theft can infiltrate both worlds, causing twice the damage.
Credential stuffing attacks are difficult to stop since credential stuffers already have access to actual passwords. However, you can significantly reduce the likelihood and impact of these attacks by implementing the proper cybersecurity measures.
Tip 1: Use Unique Passwords
No one wants to hear this, but using unique passwords for every account you log into is one of the best ways to combat credential stuffing attacks and identity theft. The reason credential stuffing is so lucrative for cybercriminals is twofold:
- People don’t change their passwords often enough and reuse passwords on multiple accounts.
- Because people don’t change their passwords frequently, hackers can steal personal data with compromised sources that are sometimes several years old.
The best way to manage this is with a password generator or password manager, such as LastPass. Changing passwords regularly (more than once a year, please!) provides additional security.
Tip 2: Use Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is an effective way to prevent credential stuffing because it requires users to log in with additional authentication forms besides their username and password. MFA requires users to verify their identity with something that hackers do not possess.
Forms of MFA include:
- Something you know, such as a password, PIN, or answers to security questions.
- Something you have, such as an authenticator app, physical token, or a one-time password sent via email or text.
- Something you are, such as a physical identifier like your fingerprint, voice, or retina.
Tip 3: Use a CAPTCHA
CAPTCHA requires users to act to prove they are human, reducing the effectiveness of credential stuffing attacks.
Unfortunately, hackers can bypass CAPTCHA by using headless browsers and credential stuffing tools designed to defeat CAPTCHA. You should combine CAPTCHA with other verification methods like MFA for the best results.
Tip 4: Deny Bad IP Addresses
While experienced (or well-funded) hackers use automation tools to disguise their location, many cannot hide and use only a small pool of IP addresses. If multiple failed attempts originate from identifiable IPs, block them.
Credential stuffing will persist as long as hackers can infiltrate systems to steal login credentials. Unfortunately, hackers can steal passwords from other entities and use them to break into your network. Remember, the best offense is a good defense. Using the prevention steps detailed in this article — along with enforcing strong password policies — are first steps in blocking credential stuffing attempts.