Stolen Databases Are Used for Credential Stuffing Attacks

Data breaches are growing more common, and their impacts are significant. Breached customer data fetches a high price on the black market since it can be used for a number of criminal purposes, including financial fraud or identity theft.

However, the leaked data from breaches has other uses. Leaked user credentials can be used in credential stuffing attacks, enabling a cybercriminal to leverage a leak from a poorly protected site into a list of valid credentials for a more important online service. As data breaches and credential stuffing attacks grow more common, businesses need to protect themselves with a web application firewall (WAF) capable of identifying and blocking these automated attacks.

Introduction to Credential Stuffing Attacks

Credential stuffing attacks are simple to perform and can be wildly successful for an attacker. They exploit the fact that most online accounts use a password-based authentication system and that people generally have extremely poor password security.

In a credential stuffing attack, a cybercriminal attempts to log into a user’s account on a target service with a list of potential usernames and passwords. Since many online accounts use email addresses for usernames, the password is the only challenging thing to guess.

However, many people also use extremely weak passwords or reuse passwords across multiple accounts. With a bot that can perform thousands of attempted authentications every minute and a list of the most commonly used passwords, a cybercriminal can expect to breach a large number of accounts.

After breaching an account, the attacker has a number of options to monetize their attack. They could use the breached credentials themselves, making purchases online and sending them to themselves. Alternatively, verified credentials fetch a higher price on the black market, enabling cybercriminals to make a profit by selling them.

Impacts of Credential Stuffing Attacks

Credential stuffing attacks are damaging to the owners of the accounts that are compromised; however, this is not their only impact. For the owner and operator of the service that the attack uses to validate potential credentials, a credential stuffing attack can waste a significant amount of valuable resources.

  • Compromised Accounts

The first and most obvious impact of credential stuffing attacks is the number of accounts that are compromised during the attack. Credential stuffing takes advantage of password reuse and the use of weak passwords, both of which are common mistakes by users.

For an idea of the potential impact of credential stuffing attacks, it is useful to look at statistics around the most commonly used passwords for each year. These statistics are derived from passwords breached in that year, and, since this is how cybercriminals get lists of passwords to try in credential stuffing attacks, provide a good estimate of the vulnerability of an organization or a user to attack.

In 2019, an estimated 10% of people used one of the 25 most common passwords, making a credential stuffing attack easy to perform. To make things worse, nearly 3% of people used the most common password, 123456, so a credential stuffing attack using a single password (which could easily fly under the radar) could compromise a significant number of user accounts.

  • Wasted Resources

While a credential stuffing attack poses a danger to users’ account security, it also impacts the organization being used to test the attacker’s list of potential account credentials. Each attack requires the attacker to attempt a login to the service, which forces the web server to test the password and provide a response. Scaled up to the thousands or millions of accounts targeted in an attack, the burden could easily become significant.

While an organization can work to block credential stuffing attacks by limiting a user to a certain number of incorrect logins, this also has its downsides. Every user account that is locked as a result of a credential stuffing attack must undergo a password reset. While this process is often automated on the server side, it still takes up resources and causes annoyance to a user.

Data Breaches Enable Larger-Scale Attacks

Credential stuffing attacks are an annoyance or a security threat to the targeted service and user alike. With the rise of data breaches in recent years, these attacks are only going to become more of a problem.

In fact, the availability of breached credentials had a dramatic impact on the cybercrime landscape in 2019. Before 2019, phishing attacks accounted for 56% of successful cyberattacks, but in 2019 they dropped by 25 percentage points to 31% of attacks. On the other hand, attacks exploiting breached data grew to 29% of successful attacks, almost catching up to phishing attacks as a popular attack vector. If data breaches and password reuse continue to grow, 2020 may be the year when credential stuffing attacks surpass phishing and exploitation of known vulnerabilities as the most common successful attack vector.

Protecting Against Credential Stuffing Attacks

Credential stuffing attacks allow attackers to take advantage of breached data and automation to gain access to user accounts. A bot with access to a list of possible credentials can rapidly identify valid login information for user accounts, especially if users have weak or reused passwords.

Since these credential stuffing attacks pose a threat to businesses and their customers alike, it is vital for organizations to take action to defend against them. The use of bots in credential stuffing attacks makes them effective, but also can make them detectable and blockable. A WAF with integrated bot detection and prevention can identify an attempted credential stuffing attack (or any bot-driven cyberattack) and block it, denying cybercriminals the ability to validate lists of potential credentials or to access user accounts.
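
The difference between per-account login limits and detecting the automation itself can be seen on a small login log. The following is an added example, not code from the original article or from any WAF product; the event format, thresholds, function names and sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed login events: (unix_seconds, source_ip, username, succeeded)."""
    events = []
    # One source trying eight different accounts once each within 40 seconds.
    for i in range(8):
        events.append((1000 + 5 * i, "203.0.113.7", f"user{i}@example.com", i == 5))
    # A real user who mistypes twice, then logs in.
    events += [(1003, "198.51.100.20", "alice@example.com", False),
               (1010, "198.51.100.20", "alice@example.com", False),
               (1019, "198.51.100.20", "alice@example.com", True)]
    # A real user who forgot the password and fails four times in a row.
    events += [(1020 + 4 * i, "198.51.100.21", "bob@example.com", False)
               for i in range(4)]
    return sorted(events)

def locked_accounts(events, max_failures=3):
    """Per-account policy: lock after max_failures consecutive failed logins."""
    streak, locked = defaultdict(int), set()
    for _, _, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= max_failures:
            locked.add(user)
    return locked

def stuffing_sources(events, window=60, min_accounts=5, min_fail_ratio=0.8):
    """Per-source policy: flag a source that tries many distinct accounts,
    mostly unsuccessfully, inside a sliding time window (seconds)."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and q[0][0] < ts - window:   # drop events older than the window
            q.popleft()
        accounts = {u for _, u, _ in q}
        failures = sum(1 for _, _, o in q if not o)
        if len(accounts) >= min_accounts and failures / len(q) >= min_fail_ratio:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    events = build_sample_events()
    print("locked by per-account limit:", locked_accounts(events))
    print("flagged as automated source:", stuffing_sources(events))
```

On this sample the per-account limit locks only the legitimate user who forgot a password, while the source that tried one login against each of eight accounts is caught only by the per-source check. A per-source threshold is a single signal; bot detection in practice combines it with others.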