Credential Stuffing - what it means, and how it affects your business

Posted by Russell Odom on Mar 30, 2021 8:00:00 AM

Did you know that many people still use easy-to-guess passwords, and reuse the same password again and again?

A startling 61 percent of people admit to using the same password across multiple websites. 

As a result, many accounts are vulnerable to ‘credential stuffing’ attacks. This is where cybercriminals gain access by using credentials that have already been exposed and shared online. Worryingly, it’s on the rise and is one of the most common techniques used to gain access to user accounts.

As you might imagine, this poses a serious challenge to organisations looking to keep bad actors out of users’ accounts. If accounts fall victim to credential stuffing, your organisation will suffer from considerable costs due to GDPR, brand damage, and an extensive ‘clean-up’ operation.

With all this in mind, we’re going to unpack the dangers of credential stuffing in more detail and explore what your business can do to protect itself. But, first, let’s take the time to better understand what credential stuffing is.

What is credential stuffing?

Here’s a definition of credential stuffing:

Credential stuffing is when cybercriminals use lists of previously exposed credentials to fraudulently gain access to user accounts. This is typically performed through large-scale automated login requests.

The process looks like this…

Credentials (username and password pairs) for ‘website A’ are exposed, either through guessing common passwords in a brute force attack, or through a hack of the system. These leaks could be a set of hundreds, thousands, or even more passwords at a time. Once discovered, they are circulated, traded and combined in the seedier corners of the internet.

Unfortunately, because people reuse passwords, it’s reasonable to assume that a proportion of any such set will also work on ‘service B’ or ‘website C’ or… well, your service. And so, attackers conduct large-scale automated login requests to try to gain access to other websites and services.

The bad news is that it works. Such attacks could succeed up to 25 percent of the time. It gets worse when you consider that attackers can easily try tens of thousands of credentials per hour if you don’t stop them.

The motivations of attackers vary from financial gain to bragging rights. Unfortunately, these attacks are cheap to mount, require only basic technical skills, carry negligible risk for the attacker, and are therefore common. Even if you don’t think you’re a target, you might be experiencing credential stuffing attacks every few weeks. 

Having addressed what credential stuffing is, now let’s look at the root causes that precipitate it.

What leads to credential stuffing, and why is it such an issue?

At first glance, passwords like ‘1qaz@WSX’ or ‘P@ssw0rd’ follow the rules for what a ‘good’ password should look like. After all, they have at least eight characters, a mix of upper and lower-case, numbers, and they include punctuation.

However, it turns out these passwords are also really common, and the bad guys know this. How about 'welcometomykitchen12345678'? Now, this isn’t a common password, but it has been exposed in a previous hack. This makes it another easy guess for criminals.

You’ve also, no doubt, heard the advice not to use the same password in more than one place. But it can be hard to remember a different password for each of the dozens or hundreds of sites we use, especially if they’re good, long passwords.

There are, of course, ways to manage different passwords – we can use password managers to create and store unique, random passwords for each of our sites. However, many people just don’t know or care enough about the risks to take this preventative step. They continue to use one password, or a small number of common ones across all their sites and apps.

As a result of so many people using weak passwords and not using password managers, there are plenty of accounts left vulnerable to credential stuffing.

How does it affect your organisation?

So, having established what credential stuffing is and what causes it, let’s consider why cybercriminals gaining access to user accounts is a problem for organisations like yours.

The three biggest challenges are:

  • Avoiding GDPR penalties and fines
  • Brand damage limitation
  • An expensive and time-consuming clean-up

Let’s unpack these three issues now.

Avoiding GDPR penalties and fines

Over 2 billion records were breached in February 2021 alone. This, of course, is a GDPR nightmare for any of the applicable businesses involved.

This is perhaps one of the biggest issues caused by a successful credential stuffing attack. After all, a large fine from the Information Commissioner’s Office, and the reputational repercussions that come with it, are the last thing you want.

GDPR requires you to take appropriate technical and organisational measures to protect your users’ accounts and the personal data they contain. This includes their names, addresses, birthdays, contacts, viewing preferences, previous purchases, and so on.

Also, consider that the industry standard for ‘appropriate’ tends to change over time, so if you aren’t proactively addressing this, you are falling behind.

Brand Damage Limitation

Did you know that 33 percent of businesses face reputational damage after a data breach?

It’s not just personal data and GDPR you need to consider when faced with credential stuffing. It’s also worth thinking about whether a compromised account can purchase goods or services from you. This compromised account on your service has value on the “dark web” because it can be used to gain access to your services for someone who’s not paying for it.

Perhaps this account breach gets in the news, which then impacts your public reputation. There’s no hiding from it, because you have a legal obligation to tell affected users about it as soon as possible.

An expensive and time-consuming clean-up

It’s also important to consider the ‘clean-up’ costs of following up on an account breach. There could be hundreds of person-hours across your business put into responding to an attack.

  • Technical teams need to contain the attack and throw up defences. This involves trawling your logs to work out which users were affected, and what the attacker did with the accounts. Then, IT staff need to initiate bulk password resets.
  • Legal teams must prepare a submission to the ICO, and deal with any other compliance issues you might have. The incident needs senior ownership and focussed management.
  • PR teams will have to write some careful and sensitive communications to explain to your customers what happened. They’ll also have to deal with the resulting extra messaging from worried users.

And most of this frantic activity must happen within 72 hours.

How do you protect yourself?

The first step is to accept that your service is a target for credential stuffing, and to then plan for this reality. You don’t want to be caught out and left struggling to respond when the inevitable happens.

Once you’ve accepted the danger you face, it’s time to integrate a four-step process to protect your business. These four steps are:

  1. Prevention
  2. Detection
  3. Response
  4. User visibility

Let’s break these steps down.

Step #1 Prevention

There are effective ways of preventing many attacks from getting anywhere at all, or at least, severely reducing the extent of their success. This includes using rate limiting, CAPTCHAs, good password policies (including disallowing passwords which are common or included in existing breaches), and multi-factor authentication.

Although these things can add friction to your user experience, you can put some of them into place on a selective basis depending on client characteristics (for example, on accounts outside your normal client countries).
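The password-policy point above, as an added example that is not code from the original post: it shows that the passwords named earlier pass a traditional composition rule and are only rejected once the policy also checks a breach corpus. The corpus here is a constructed three-entry sample, and all function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breach corpus: the three passwords named above.
SAMPLE_BREACHED = ["1qaz@WSX", "P@ssw0rd", "welcometomykitchen12345678"]

def sha1_hex(password):
    # SHA-1 is only a lookup key into the corpus here, never a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index hashes as prefix -> {suffixes}, the split k-anonymity range
    lookups use so that only a 5-character prefix ever leaves the client."""
    index = defaultdict(set)
    for password in passwords:
        digest = sha1_hex(password)
        index[digest[:5]].add(digest[5:])
    return index

def composition_ok(password):
    """Traditional rule: 8+ characters, upper, lower, digit and punctuation."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)

def is_breached(password, index):
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def check_new_password(password, index, min_length=8):
    """Policy applied at registration and password change: (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in a known breach"
    return True, "ok"

if __name__ == "__main__":
    index = build_range_index(SAMPLE_BREACHED)
    for candidate in SAMPLE_BREACHED + ["tidal-Lantern-49-marrow"]:
        print(candidate, composition_ok(candidate), check_new_password(candidate, index))
```

In production the index would be built from a real breach corpus rather than this sample.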

Step #2 Detection

It’s good practice to keep thorough logs of your login flows, collecting enough information to determine the characteristics of an attack and record forensic detail for later analysis.

These logs can drive metrics and alarms which pick out anomalies in the rate of successful vs. failed logins, or other changes in traffic patterns. Then, alerts need to prompt your technical team to investigate (whatever the time of day or night).
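One way to turn login logs into the failed-versus-successful alarm described above, as an added example that is not code from the original post. The log line format (`timestamp ip user result`), the thresholds and the function names are assumptions, and the log data is constructed; the alert also reports the highest request count from any single source, which stays at 1 when an attack is spread across many addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed data: 13 minutes of normal logins; the last 3 also carry a
    distributed burst in which every request comes from a different address."""
    start, lines = datetime(2021, 3, 30, 8, 0), []
    for minute in range(13):
        ts = (start + timedelta(minutes=minute)).isoformat()
        for i in range(20):                      # normal: 20 logins, 2 typos
            lines.append(f"{ts} 198.51.100.{i} user{i} {'FAIL' if i < 2 else 'OK'}")
        if minute >= 10:
            for i in range(300):                 # burst: 300 tries, 3 succeed
                result = "OK" if i % 100 == 0 else "FAIL"
                lines.append(f"{ts} 2001:db8::{i:x} acct{minute}-{i} {result}")
    return lines

def window_stats(lines):
    """Aggregate per-minute counters from 'timestamp ip user result' lines."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "per_ip": Counter()})
    for line in lines:
        ts, ip, _user, result = line.split()
        window = stats[ts[:16]]                  # bucket by YYYY-MM-DDTHH:MM
        window["ok" if result == "OK" else "fail"] += 1
        window["per_ip"][ip] += 1
    return dict(sorted(stats.items()))

def detect(stats, baseline_windows=5, factor=3.0, floor=0.5, min_attempts=50):
    """Alert when a busy window's failure ratio exceeds both `floor` and
    `factor` times the average of the recent non-alerting windows."""
    alerts, history = [], []
    for minute, w in stats.items():
        total = w["ok"] + w["fail"]
        ratio = w["fail"] / total
        if len(history) >= baseline_windows and total >= min_attempts:
            recent = history[-baseline_windows:]
            baseline = sum(recent) / len(recent)
            if ratio > max(floor, factor * baseline):
                alerts.append({"minute": minute, "fail_ratio": round(ratio, 3),
                               "sources": len(w["per_ip"]),
                               "max_per_source": max(w["per_ip"].values())})
                continue                         # keep attacks out of baseline
        history.append(ratio)
    return alerts

if __name__ == "__main__":
    for alert in detect(window_stats(make_sample_log())):
        print(alert)
```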

Step #3 Response

Once you’ve detected an attack, you have to stop it.

If it’s a low-sophistication attack from one IP address, that’s easy to action. That’s because in low-sophistication attacks, all the requests look identical, so you can block some other common factor, like user agent.

But what if requests are distributed across a global botnet of eleven thousand IP addresses?

Well, unfortunately, we recently witnessed this happen to one of our customers. In this instance, we saw the hits masquerading as over a hundred different versions of Chrome, Firefox, Opera. This is much harder to block without locking out real users.

Fortunately, our Managed Perimeter Security Service includes Web Application Firewalls (WAF) with flexible configuration options, and a technical team who can use them to full capability. This allowed us to adapt our defences to fully mitigate the attack.

Step #4 User visibility

The most sophisticated attacks are subtle, and no prevention or detection is perfect in stopping them.

This is because attackers perform reconnaissance to learn your defences, and then they adapt and retry. They can also hide in your real user traffic, at a low level over a long time, whilst being distributed over a wide range of sources. Then, they might ramp up slowly to avoid tripping your anomaly detection.

So, your last line of defence is your users themselves. That’s why it makes sense to let them know when a device they haven’t used before has logged into their account, or when there’s unusual activity. They can let you know if it’s not them and change their password. Just make sure they choose a good one this time!

Secure your business with us

Due to the Covid-19 pandemic, remote working and the adoption of online services increased. Unfortunately, this has also increased credential stuffing activity. Indeed, Zoom suffered a cyber breach in April 2020 and lost 500,000 usernames and passwords as a result.

But the aftermath of credential stuffing can be crippling. With 33 percent of businesses losing customers after a breach, it’s never been more important to secure your defences.

The good news is, using the four-step strategy we covered will go a long way to protecting your organisation. But if you want to take your efforts a step further, it also makes sense to rely on experts who have the experience and the tools to provide you with the complete security you need.

So, why not contact the Piksel Group team to find out how we can help you?

Our infosec specialists can advise you on how to integrate preventative measures into your application. We can also help you add detection and response capability via our Managed Perimeter Security Service and our managed SIEM service.

If you don’t have the capability you need, we can help you get it. Just get in touch to find out what we can do for you.
