Sumit Agarwal takes credit for coining the term "credential stuffing." He served as deputy assistant secretary of defense under President Obama, and in 2011, while working at the Pentagon, he began to notice a pattern of brute-force attacks on public-facing military websites, where threat actors were using credentials, like usernames and passwords, stolen from one site to gain access to other sites.
Today, Agarwal is co-founder and CTO of Shape Security, and credential stuffing has gone mainstream, making life miserable for security managers in many types of organizations.
"Credential-stuffing attacks are a massive problem today, especially with the extreme shift to online-only services due to COVID-19," says Agarwal. "Something becomes spontaneously popular - we saw this with Disney+ as soon as it came out - and is overwhelmed with targeted credential-stuffing attacks. Any time a service gets any substantial amount of traffic, they see surges in credential stuffing. We're going to see these attacks increase for online grocers, delivery services, and telehealth providers."
Simply put, credential stuffing takes place when cybercriminals obtain stolen credentials through some means – usually on the Dark Web – and then use botnets or other automation tools to try these stolen usernames and passwords against multiple other user accounts to gain fraudulent access.
"Credential stuffing is a type of cyberattack where the hacker attempts to sign into a user's account using usernames and passwords that have been leaked during a data breach," says Charlotte Townsley, director of security engineering at Auth0. "During the attack, a hacker can steal a user's credentials and sell them on the Dark Web for other hackers to purchase. Other hackers can gain access to billions of leaked credentials and use bots to try different combinations of passwords, quickly, into hundreds of accounts from social platforms to banking apps."
"Credential stuffing is really a subset of brute force attacks," adds Adam Darrah, director of intelligence with Vigilante. "The major difference is the fact that threat actors are working with previously cracked or dehashed passwords, and passwords that were compromised by other attack vectors, like keyloggers and other malware, so they already have an attack-ready set of credentials at their disposal. Threat actors utilize a litany of brute force checkers, varying in sophistication, to run targeted account takeover campaigns against corporate infrastructure and websites alike."
Once an attacker is in, sensitive corporate assets could be leaked, or the attacker could gain access to other private accounts or trick unsuspecting colleagues into sharing information. The potential for damage is limitless.
Attacks Are Growing and Easy to Execute
From Agarwal's early days of identifying credential-stuffing attacks on government sites, the problem is now pervasive. The most recent Verizon Data Breach Investigations Report (DBIR) from 2019 finds credential stuffing was used in 29% of all data breaches. And currently HaveIBeenPwned.com (HIBP), a free site that offers data breach notification, has information on nearly 9 billion compromised credentials from hundreds of data breaches.
It's unsurprising that criminals are drawn to it for quick success, as it's fairly easy today to obtain stolen credentials cheaply.
"The skills required to purchase credentials to a victim's bank account or online retail account could be learned in an afternoon of Google searches," says Darrah. "There are seemingly endless deep and Dark Web marketplaces offering account credentials for as little as $2, depending on the service or website. In some cases, they even offer refunds if the credentials don’t work as advertised."
But there are some tools and techniques security managers can put in place to mitigate credential-stuffing attacks. Security researchers we spoke with recommend the following.
1. Boost user awareness on password management: With many users still reusing passwords across accounts, one place to start is education, says Townsley: "Improving user password habits is a great start in defending against credential-stuffing attacks. Educating employees on best practices and reminding them to change their passwords on a more regular basis can make it harder for hackers to pull off a successful attack."
2. Implement multifactor authentication: Two-factor/multifactor authentication should be enabled on every account where it is allowed and available. This adds another layer that makes it more difficult for a threat actor to penetrate.
3. Use anomaly detection tools: "These could be either free or enterprise-grade online threat intelligence tools that can help identify risk signals – such as a breached password or a higher than usual number of failed authentication attempts," says Townsley. "These can also be used to determine a sudden or unusual increase in the number of IP addresses visiting a website – this can be a tip-off that there is malicious activity happening."
4. Deploy password managers: Several enterprise password managers are available, free of charge, that can help users create unique and strong passwords for every secure account and can help cut down on the common password reuse problem. A variety of password managers suitable for enterprises and small businesses alike are available. According to recent market research from Ovum (now part of Omdia), the leaders are 1Password Business, Dashlane Business, Keeper for Business, LastPass Enterprise, ManageEngine Password Manager Pro, Pleasant Password Server, and RoboForm for Business. Ovum also gave kudos to Bluink, Passwork, Bitwarden, TeamPassword and Passbolt for unique features.
5. Embed security into website design: "Security professionals and web developers can make a threat actor's job a little tougher by ensuring that websites use any available bruting countermeasures, including CAPTCHAs and MFA," says Darrah. "Simple changes to website functionality can also be implemented - the prompt given after a login attempt, for example."
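The two risk signals named in item 3, a higher-than-usual number of failed authentication attempts and a sudden increase in distinct IP addresses, can be checked against a per-window baseline. The sketch below is an added example, not code from the article or from any vendor it mentions; the event layout, thresholds and function names are assumptions, and the login events are constructed sample data.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed events: (minute, source_ip, username, success)."""
    events = []
    # Minutes 0-4: normal traffic, four users, one mistyped password in minute 2.
    for m in range(5):
        for u in range(4):
            events.append((m, f"198.51.100.{u + 1}", f"user{u}", not (m == 2 and u == 0)))
    # Minute 5: 40 new IPs each try a different account once; one login succeeds.
    for i in range(40):
        events.append((5, f"203.0.113.{i + 1}", f"victim{i}", i == 7))
    return events

def window_stats(events):
    """Per-minute failure count, total attempts, distinct IPs and distinct usernames."""
    agg = defaultdict(lambda: {"fail": 0, "total": 0, "ips": set(), "users": set()})
    for minute, ip, user, ok in events:
        w = agg[minute]
        w["total"] += 1
        w["fail"] += 0 if ok else 1
        w["ips"].add(ip)
        w["users"].add(user)
    return {m: {"fail": w["fail"], "total": w["total"],
                "ips": len(w["ips"]), "users": len(w["users"])}
            for m, w in sorted(agg.items())}

def flag_windows(stats, factor=3, min_fail=10):
    """Flag windows that exceed factor x the median of all other windows."""
    flagged = []
    for m, w in stats.items():
        others = [s for k, s in stats.items() if k != m]
        if not others:          # a single window has no baseline to compare with
            continue
        base_fail = max(median(s["fail"] for s in others), 1)
        base_ips = max(median(s["ips"] for s in others), 1)
        reasons = []
        if w["fail"] >= min_fail and w["fail"] > factor * base_fail:
            reasons.append("failed-login spike")
        if w["ips"] > factor * base_ips:
            reasons.append("distinct-IP surge")
        if reasons:
            flagged.append((m, reasons))
    return flagged

if __name__ == "__main__":
    for minute, reasons in flag_windows(window_stats(build_sample())):
        print(f"minute {minute}: {', '.join(reasons)}")
```

In the flagged window, the number of distinct usernames is almost equal to the number of attempts; that one-try-per-account pattern is what separates credential stuffing from repeated guessing against a single account.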