What is credential stuffing?

Written by Ashwin Kumar. Category: MFA. 2 min read.

On this page
  • Understanding credential stuffing
  • Why should you be concerned about credential stuffing?
  • How does credential stuffing work?
  • How do you prevent credential stuffing?
  • Resist against credential stuffing with ADSelfService Plus
  • People also ask

Understanding credential stuffing

Credential stuffing is a type of cyberattack where attackers use credentials obtained from other data breaches and try them out across multiple websites. Since many people reuse the same combination of usernames/email addresses and passwords across multiple sites, attackers exploit this to gain unauthorized access easily.

Why should you be concerned about credential stuffing?

Credential stuffing is a common type of brute-force attack. It relies on people using the same credentials, or minor variations of them, across different services so that their passwords are easier to remember. Once a single service is breached and its users' credentials are leaked, chances are high that some of those users have entered the same credentials on an unrelated service.

The skill required to run a credential stuffing attack is minimal: basic automation that parses a list of credentials and enters them into a website's login form. With data such as banking login information sold for around $65, even acquiring the breached credentials is not a hurdle for cybercriminals. Modern automation also uses AI to emulate human behavior and to sort the valid credentials from the rest, so it does not take long to find a service to exploit with the breached credentials. Ease of execution and low cost make credential stuffing popular and frequently used by cybercriminals.

An example of a major credential stuffing attack is the breach of 23andMe, a US-based genetic testing company. About 14,000 user accounts were hacked by reusing credentials leaked in other data breaches. This exploit granted the attackers access to the data of almost seven million user profiles, including those of relatives linked to the compromised accounts. The same technique could also have been used to log in to employees' corporate resources and exploit organizations from within. With the increasing severity and frequency of data breaches, this is a huge risk that needs to be addressed.

How does credential stuffing work?

A credential stuffing attack is carried out in four major steps.

  • Attackers acquire username and password pairs from a data breach.
  • Using automated scripts and bots, the attackers attempt to log in to a variety of websites using these credentials.
  • If users have reused the same pair of credentials across different sites, the attackers can use this to gain access to their other accounts.
  • Once inside, attackers can steal sensitive information, make unauthorized transactions, or use the account to gain access to other accounts. They can also reset the credentials and change the recovery methods, making it nearly impossible for the victim to regain control of the account.

How do you prevent credential stuffing?

We have seen that credential stuffing is a real and widespread threat that needs to be guarded against. Here's how you can effectively protect your personal and organizational accounts against credential stuffing.

How can users stay safe from credential stuffing?

You can protect your accounts from credential stuffing by implementing these measures.

  • Use unique credentials for different sites: Ensure that you use different credentials for different accounts. This way, even if one account is compromised, others remain secure.
  • Update your passwords frequently: Ensure you change your passwords at a regular time interval or at least as soon as a major data breach is announced. You can use services like Have I Been Pwned or Google's Dark Web reports to check if any of your accounts have been breached in major data breaches.
  • Use a password manager: Password managers can generate and store strong, unique credentials for each of your accounts, reducing the risk of reuse. They also manage and autofill passwords, so users do not resort to easily guessable or reused passwords. Offline password managers are recommended so that your vault is not itself exposed in a major data breach.
  • Enable MFA: Implement MFA for all of your accounts. This adds an extra layer of security by requiring a second form of verification, such as a text message code or an authentication app, in addition to your password. Using a factor that you have (for example, a YubiKey) or something that you are (for example, biometrics) ensures that only you can access the accounts.

How can organizations protect their users from credential stuffing?

Organizations can implement some measures to secure their services and corporate accounts from being affected:

  • Implement rate limiting and IP blocklisting: Rate limiting helps prevent automated login attempts by restricting the number of login attempts from a single IP address within a specified period. Offending IP addresses can then be added to a blocklist, preventing their reuse.
  • Use CAPTCHA to hinder scripts and bots: Implementing CAPTCHA on login forms can block automated scripts and bots used in credential stuffing attacks, making automated login attempts too costly to be practical for the attacker.
  • Deploy web application firewalls (WAF): WAFs can detect and block malicious traffic, including credential stuffing attacks, by analyzing incoming requests for device fingerprints and halting suspicious activity.
  • Monitor for unusual login patterns: Implement monitoring systems to detect unusual login patterns, such as multiple failed login attempts from different IP addresses or locations attempted within a short time period.
  • Mandate MFA for privileged accounts: Mandating MFA for privileged accounts ensures that they are safe even if their credentials are leaked in a major breach. If MFA cannot be implemented for all of your users, it would be best to secure your administrative accounts so that they do not get breached and affect your organization.
  • Regularly update password policies: Ensure that your organization’s password policies enforce the use of strong passwords, regular password changes, and restrict password reuse.
  • Prevent the use of email addresses as usernames: Email addresses are often easy to obtain, so preventing their use as usernames encourages unique usernames that are not as easily guessed.
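As an added example (not code from the original post or from ADSelfService Plus), the detection logic behind the rate-limiting and unusual-login-pattern points above, run over a small constructed authentication log: a per-IP sliding-window failure counter that yields a blocklist, plus a second check that flags bursts of failures spread across many source IPs and many usernames, the distributed pattern a per-IP limit alone misses. The log format and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from the original post): timestamp, source IP, user, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 alice FAIL
2024-05-01T10:00:01Z 203.0.113.10 bob FAIL
2024-05-01T10:00:02Z 203.0.113.10 carol FAIL
2024-05-01T10:00:03Z 203.0.113.10 dave FAIL
2024-05-01T10:00:04Z 203.0.113.10 erin FAIL
2024-05-01T10:00:10Z 198.51.100.1 grace FAIL
2024-05-01T10:00:11Z 198.51.100.2 heidi FAIL
2024-05-01T10:00:12Z 198.51.100.3 ivan FAIL
2024-05-01T10:00:13Z 198.51.100.4 judy FAIL
2024-05-01T10:05:00Z 192.0.2.7 alice FAIL
"""

def parse_log(text):
    """Return (timestamp, ip, user, outcome) tuples; the trailing Z is rewritten for fromisoformat."""
    return [(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome)
            for ts, ip, user, outcome in (line.split() for line in text.splitlines())]

def ips_to_block(events, window_s=60, max_failures=4):
    """Per-IP rate limit: IPs exceeding max_failures failed logins in any window_s sliding window."""
    recent, blocked = defaultdict(deque), set()
    for ts, ip, _user, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            blocked.add(ip)
    return blocked

def distributed_stuffing_windows(events, window_s=60, min_ips=4, min_users=4):
    """Flag sliding windows whose failures span many IPs and many usernames (one entry per failure that extends the pattern)."""
    fails = [(ts, ip, user) for ts, ip, user, outcome in events if outcome == "FAIL"]
    alerts, start = [], 0
    for end, (ts, _ip, _user) in enumerate(fails):
        while (ts - fails[start][0]).total_seconds() > window_s:  # slide the window start forward
            start += 1
        ips = {e[1] for e in fails[start:end + 1]}
        users = {e[2] for e in fails[start:end + 1]}
        if len(ips) >= min_ips and len(users) >= min_users:
            alerts.append((fails[start][0], ts, len(ips), len(users)))
    return alerts
```

In the sample, 203.0.113.10 trips the per-IP limit on its own, while the 198.51.100.x sources stay under it and are caught only by the distributed check.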

Resist against credential stuffing with ADSelfService Plus

To strengthen your defense against credential stuffing and other cyberthreats, consider implementing ManageEngine ADSelfService Plus, our MFA, SSO, and self-service password reset solution. It integrates MFA for your users, devices, and applications to provide an extra layer of security and reduce the risk of unauthorized access. By enforcing strong and granular password policies, mandating MFA, and acting as a secure password manager, ADSelfService Plus helps secure your organization against cyberattacks while keeping the entire process user-friendly. Moreover, you can use Have I Been Pwned to ensure that users do not choose breached passwords during enterprise password resets and changes.

People also ask

What is credential stuffing?

Credential stuffing is a type of cyberattack where attackers use credentials obtained from data breaches and try them out across multiple websites.

What is the difference between a brute-force attack and credential stuffing?

Brute-force attacks input random character combinations as credentials, hoping that at least one will match. These guesses are made without any data, which makes the attack take a long time and leaves it susceptible to detection.

Credential stuffing is a subset of brute-force attacks in which actual credentials are used, which significantly reduces the time and effort needed for an attack. Once the same credentials are found to work on two accounts, the chances are high that the user's other accounts also use this set of credentials, which can lead to a total takeover of the victim's online activities.

What is the difference between credential stuffing and password spraying?

Password spraying involves attackers using a small set of commonly used passwords across many different accounts. While real passwords are used, they are often weak and predictable, making them ineffective against accounts with strong, complex passwords. Users who follow good password practices are less likely to be vulnerable.

Credential stuffing uses actual sets of usernames and passwords obtained from data breaches, typically soon after the breach occurs. Because these credentials are valid and currently in use, strong password policies alone cannot protect against this type of attack. Additionally, there is a higher probability that slight variations of the leaked credentials will also work, making credential stuffing more effective than password spraying.

What tools are used in credential stuffing?

Credential stuffing requires only web automation tools such as Selenium, cURL, and PhantomJS that can parse text files of credentials and enter them into login screens. Some well-known tools dedicated to credential stuffing include:

  • Sentry MBA
  • SNIPR
  • STORM
  • Blackbullet
  • Openbullet

How do you prevent credential stuffing?

Credential stuffing can be prevented by requiring strong credential practices and having organizations implement stricter restrictions on credentials, including:

  • Using unique credentials for different sites
  • Enabling MFA for all of your accounts
  • Using a password manager
  • Implementing rate limiting, IP blocklisting, CAPTCHA, and WAFs
  • Monitoring for unusual login patterns, such as multiple failed login attempts from different IP addresses or locations
  • Updating password policies and passwords regularly or immediately after a breach
  • Preventing the use of email addresses as usernames