What is credential stuffing?

The Complete Guide

Credential stuffing is a serious and growing problem for online organizations and consumers.

You only need to turn on the news to see plenty of stories about credential stuffing attacks and credential abuse affecting some of the largest online organizations, and therefore, their customers’ data.

So, with that in mind, read on to discover what you need to know about credential stuffing and its impact on online businesses.

What is credential stuffing?

Credential stuffing is the automated testing of stolen username and password pairs (or credentials) to use in order to break into hundreds or thousands of websites at a time.

Fraudsters take advantage of the fact that many people reuse the same username/email and password combination across different platforms, and leverage automated attacks, such as credential stuffing, to log in to a huge number of accounts, from subscription sites to online banking.

What is credential stuffing?

What is the difference between brute force, password spraying, and credential stuffing?

Credential stuffing is a subset of the brute force attack category. Brute force attacks attempt to guess many different passwords against a single account. With credential stuffing, known password and username pairs are used against other websites.

With password spraying, a verified username is taken and plugged into numerous accounts with a large set of various passwords.

If the user does not practice secure password habits, their accounts can be jeopardized by an attacker simply guessing common passwords.

How does a credential stuffing attack work?

As we have mentioned, stolen username and password pairs are at the core of this type of attack. A threat actor will plug this data into a bot, and then they will launch an attack to figure out if the credentials can be used on other log-in accounts.

Attacks differ, yet there is a general flow when it comes to credential stuffing, and this is the following:

  1. Discovery Phase – An attacker will locate a cache or password and username combinations that have been exposed via another type of attack.
  2. Testing and Modeling Phase – The attacker will then run a few tests to discover whether or not these combinations are effective on other websites.
  3. Large-Scale Automation Phase – The attacker utilizes various tools to carry out an attack against a server. All of the stolen pieces will come in as a flood of log-in attempts. It only takes one to work for the attacker to get access.
  4. Data Theft Phase – The attacker is searching for anything within the account that has value, for example, Social Security numbers, credit card numbers, and other log-in data.
  5. Fraud Execution or Ransom Phase – The attacker can then commit fraud or can point out the theft to the business and ask for a monetary reason for access to be given back.

Examples of credential stuffing in the news

There have been a number of high-profile cases involving credential stuffing. A lot of people have heard of these data breaches but they did not realize they were a consequence of credential stuffing. Let’s take a look at some of them so you can get a better understanding.

Nintendo Data Breach

In March of 2020, thousands of users reported that there had been unauthorized logins to their accounts on Nintendo. There were many accounts compromised, with personal information like names, addresses, and emails being accessed. The gaming powerhouse stated that the credentials were either stolen via phishing, credential stuffing, or a combination of both.

Dunkin Donuts Data Breach

Dunkin Donuts was also a victim of a credential stuffing attack targeted at their rewards program. The incident exposed account numbers, email addresses, phone numbers, and other types of personal information. Dunkin Donuts stated that they believed thousands of credentials had been accessed. It is believed that it is a chief example of the impact of credential stuffing.

Zoom Data Breach

Of course, we cannot ignore the Zoom breach. Zoom has really taken off as a consequence of the pandemic and the subsequent mass work-from-home switch. Zoom may be one of the biggest video conferencing services on the market, yet it has experienced a number of different cybersecurity issues. Zoom Bombing has been one of these problems, which has seen uninvited users crash Zoom meetings. It has also been confirmed that over half a million password and username combinations are being sold and purchased on the DarkWeb. These accounts are confirmed credential stuffing attacks, rather than being a breach on the Zoom side of things. Although a lot of people rely on Zoom while working from home and the company is making improvements from a security perspective, it is still critical to use two-factor authentication and to switch up your password on a regular basis.

Digging deeper into defending against credential stuffing

Earlier in the guide, we provided a brief overview of some of the different steps that you can take to defend against credential stuffing. Now, let’s provide some further advice and insight so that you can make sure you do not fall victim to such an incident.

Block headless browsers

A headless browser is a website browser that does not have a GUI. The label can, in some cases, be used when describing automated tools or scripts. Headless browsers can be an excellent tool when it comes to process automation and test automation, which is why business, QA, and development teams tend to use them.

Headless browsers are not usually utilized for legitimate browsing on the web, and they can sometimes lack the correct JavaScript engine to execute client-side code.

As a consequence, blocking headless browsers can often be a helpful mitigation option, yet it does depend on the use of automated IT processes at your organization. While it is helpful, it is certainly not going to be enough on its own to defend you against credential stuffing.

A cybercriminal will attempt to circumvent controls like this by making the most of headless browser technology that is more advanced or by tuning scripts so they more closely mimic conventional browser behavior.

Non-residential traffic sources should be rate-limited

Attacks can originate from other parts of the world whereby your business would not typically operate. High on the list of concerns for security teams include places like Russia, North Korea, and China, as they can sometimes offer a home for malicious threat actors.

You may decide to put some more restrictive rate limits in place for IP address ranges in regions like this in order to help mitigate a degree of the risk of credential stuffing. However, it is important to note that the majority of attackers will typically shift to an IP address that is not as restricted by making the most of other cloud providers and data centers.

Furthermore, if your business operates on a global scale, putting regional rate limits in place could also impact legitimate users and, therefore, have a negative impact on your company.

Put IP address deny lists in place

Bad actors may be working from a pool of IP addresses that is limited, so recognizing and consequently blocking IPs that try to log into numerous accounts can give you a level of defense against credential stuffing.

Of course, recognizing IP addresses that are malicious is not straightforward. Recorded Future published a hidden link analysis report, which indicated that 92 percent of suspicious IPs are not blacklisted, and this is usually because rate limits can be challenging to operationalize across the infrastructure.

Fraudsters will cycle through IP addresses and the lists are not well-maintained. Plentiful and cheap cloud computing resources also make the matter worse. Then, they will spin up new instances of machines or utilize serverless computers to perpetuate their credential stuffing attacks, increasing the bar of difficulty considerably for security teams who are trying to maintain deny lists.

Use Multi-Factor Authentication (MFA)

In addition to the suggestions we have mentioned so far, multi-factor authentication (MFA) is a powerful option to consider.

Automation tools and scripts are required for credential stuffing, which cannot easily provide added authentication factors, especially 2FA tokens sent through SMS or email or mobile phone authenticator tokens.

If you require users to authenticate themselves via another authentication factor, it can help to mitigate credential stuffing attacks.

Of course, we do need to mention that there are approaches in place for attackers to target MFA mechanisms. Therefore, you also need to consider your security measures in terms of preventing MFA brute force attacks.

Credential Stuffing - Login Attempt

Protecting your website from credential stuffing

When it comes to finding weaknesses and vulnerabilities within websites, there is no denying that cybercriminals target websites. They know a whole host of different tactics in order to break the defenses of your websites so that they can gain entry and extract your private data. They may even take your company offline altogether, meaning your customers will not be able to access your services. By ensuring you have basic IT security hygiene in place, you can discourage attacks. This will mean that you stop giving criminals ‘footholds’ in the infrastructure of your website. With that being said, read on to discover everything you need to know about the steps that you can take in order to stop your website from being compromised.

Credential stuffing attacks

Do you offer your customers online services? If you have a website, it is likely this is the case. This means you are going to be gathering confidential customer identification information, from contact details to banking information. This is the sort of data that cybercriminals want to get their hands on.

What are the different reasons why a cybercriminal may conduct credential stuffing on your website?

The outcome may be to:

  • Takeover accounts, known as account takeover (ATO)
  • Steal and sell data for monetary gain
  • Commit other types of fraud

What steps do you need to take in order to prevent credential stuffing?

As you can see, there are a number of different reasons why cybercriminals employ credential abuse. Because of this, it is not hard to see why you need to be cautious and have effective and proactive security measures in place. With that being said, below we are going to reveal some of the steps that you need to take in order to protect your website:

  • Understand what your online presence is – There is only one place to begin, and this is by understanding your online presence. After all, if you do not understand your online presence, then how do you expect to protect it? Some websites will only feature static information, for example, product descriptions and service brochures. There are then some that have transactional information because customers can purchase from it. When a site like the latter is hacked, this can have an impact on both your reputation and your revenue.
  • Back up your website and test recovery regularly – Aside from understanding your online presence, you also need to make sure that you back-up your site and that your recovery is tested regularly. Yes, it is imperative to take the steps to try and prevent an attack from happening. However, this does not mean that you cannot forget about putting processes in place in case the worst does occur. You need to make sure you have a Business Continuity Plan so that you know exactly what to do should your website be breached.
  • Add an SSL certificate to your website domain – You can also enhance security by adding an SSL certificate to your website domain. This is designed to transfer and encrypt any data that is transferred between your database and your website. This means that if anyone was to hack into your system and access this data, they would not be able to read it because it would have been transferred into an unreadable code.
  • Make sure your web hosting provider puts security first – One of the biggest mistakes that business owners make today is failing to consider security when working with third parties. This is especially important when it comes to selecting a web host provider. Web hosts play a huge role in keeping companies safe. Some of the questions that you should be asking your web host provider include: what controls have you got in place to make sure that there are access and stability every hour or every day? How will your Business Continuity Plan make sure that my site is always going to be online? How do you protect against a DOS attack? Most web hosts are going to be serving other customers too, unless you have a dedicated server for your business alone. Because of this, you should also find out whether the host has different access credentials for each customer. You should also find out how soon websites can be recovered if there is an incident, as well as finding out how many other websites are being managed and how they determine who to respond to first when there are incidents ongoing.
  • Install a web application firewall – A lot of people assume that firewalls are a thing of the past. This is definitely not the case. It is simply a case of you needing to choose a firewall with care because there are a lot of different options out there today. A good firewall will act as an effective barrier between your data connection and website server. It will block compromise attempts as well as ensuring any unwanted traffic is filtered out too, for example, malicious bots and spam.
  • Don’t wait until something goes wrong – This is a golden rule when it comes to security. A lot of business owners make the mistake of waiting until a disaster has happened in order to act. However, if you do this, it is only going to cause more disruption and more upheaval. Instead, you need to implement risk management.

There is no denying that cyber criminals are getting more and more sophisticated today. This is why you need to make a dedicated effort when it comes to securing your company. Starting with the basic IT security hygiene is the logical starting point, so make the most of the steps and advice that have been discussed above.

One of the most difficult aspects when it comes to application security is that the online landscape is changing all of the time. Cybercriminals are getting more and more sophisticated. However, this is something that you can use to your advantage as well. You can embrace new trends and technologies in the battle against cybercrime. One of the ways you can do this is through creating a strategy of layered defense, or defense in depth.

Why is cloud security the best way forward when it comes to fighting cybercrime?

There are so many different ways that cyber criminals try to gain access into a computer system and steal sensitive data, for example, credit card information and other personal information. Phishing attacks are very common, as is malware and ransomware. However, when it comes to combating these security issues, cloud security is proving to be the go-to solution. Let’s take a look at some of the key benefits associated with going down this route in further detail:

  • Tailored security – There is only one place to begin, and this is with the fact that security is going to be tailored to suit your needs. This is where a lot of businesses have been going wrong. Out-of-the-box solutions and one-size-fits-all approaches really have no place in the world of cyber security. This is because all businesses are made up of different networks and servers, and there are different individuals who need access to different files, and then there are many different cyber security threats! Because of this, security needs to bespoke to the business in question if it is going to be effective. This is something that cloud security offers. It enables you to make the most of different security features so you can tailor it to suit your business landscape. This is especially important for businesses that are handling excessive amounts of data, as well as businesses in heavily regulated sectors, such as law and banking, as access controls and other features like this are a necessity.
  • Centralized security – Just like cloud computing centralizes data and apps, cloud security will centralize protection. Cloud-based business networks will consist of a number of different endpoints and devices. The management of these entities centrally will improve traffic analysis and filtering. This ensures that network events are monitored in a streamlined manner. Because of this, there are a lower number of policy and software updates. It also means that disaster recovery plans can be put into place and actioned with ease because they are all going to be managed in the one place.
  • Lower costs – One of the advantages that are linked to cloud security and software is that you are not going to need to spend money on dedicated hardware. This means you are going to lower expenses in terms of administrative costs and capital expenditure too. Cloud security provides proactive security features, which provide protection on a full-time basis without any human intervention.
  • Reliability – In addition to the advantages that have already been mentioned, another reason why cloud security is deemed the way forward in terms of protection against cyber security threats is because it is extremely dependable. Users can access applications and data in a safe manner no matter what device they are using or where in the world they are.
  • Lower administration – When you select a cloud security platform or a reputable cloud services provider, you will not have to worry about continual security updates and manual security configurations. These tasks have a huge drain on resources, yet they are necessary. Luckily, though, you do not need to carry them out manually when you move to the cloud. This is because the security admin will be in the one place and is managed fully on your behalf.