Credential Stuffing

What is Credential Stuffing?

Credential stuffing is a method of cyberattack in which credentials obtained from a data breach through one application are used to attempt entry into another application, site, or system.

Credential stuffing is a form of brute force attack and shares many of the same commonalities, but with slightly more methodology to the process. A brute force attack is just attempting random combinations of credentials, whereas a credential stuffing attack uses already obtained credentials across different sites.

If you are prone to reusing your password, it has likely been leaked on the internet in various cyberspace circles, making you a prime target for a credential stuffing attack. Credential stuffing banks on the lax nature of credential-based login, and hackers know that you have likely used that same combination elsewhere. Because credentials are commonly sold and bought in nefarious online circles, it’s impossible to know if you are susceptible to a credential stuffing attack.

Although the success rate of a credential stuffing attack is lower than other forms of cyberattack (often only 1-3%), these attacks are carried out in bulk, making them one of the most popular attack vectors.

How Credential Stuffing works

In order to execute a credential stuffing attack, adversaries first obtain a list of stolen or leaked passwords and usernames. Through the use of advanced automation tools, the attacker can perpetrate the attack across multiple systems and sites. This kind of automated credential stuffing can easily shut down the IT infrastructure of an organization, leading to outages, organizational distress, and financial losses. This alone can be disastrous, but should the attacker successfully gain access to your systems, the trouble is only just beginning.

It was recently reported that credential stuffing costs businesses an average of $4 million per year between downtime, lost customers, IT costs, and loss of trust and confidence in the future of the company or product. On top of those potential losses, regulatory bodies have recently cracked down on organizations that suffer from a credential stuffing attack, and your business could incur penalties or legal action should your system prove to show security flaws under new GDPR and US privacy regulations.

How to Prevent Credential Stuffing

If these statistics have you concerned, then you’re right to worry. Credential stuffing can be detrimental and difficult to prevent, but luckily we’ve put together some points for how to prevent it...

• Eliminate passwords: The ONLY way to ensure the prevention of password-based attacks is through eliminating passwords. Learn more about passwordless authentication today and keep your most critical applications secure.
• Captcha: Because a reCAPTCHA requires a human to complete the login process through a puzzle or question, it cannot be done automatically. That single requirement to enter a word, symbol, or image is highly successful in deterring credential stuffing attackers.
• Web application firewall: A web application firewall is extremely valuable for any organization to have. A reliable WAF can detect abnormal traffic, bots, excessive login attempts, and more. A WAF has multiple purposes, and is used for a variety of security purposes, so there is no downside to one.
• Screen frequently for leaked credentials: There are many service providers that can automatically scan the web for leaked credentials and alert the user of a compromised username and/or password. HaveIBeenPwned.com is also a free site available to all for this very purpose. This is only valuable, however, if the leak has been made public—any data breaches that have yet to be announced or have flown under the radar will not appear.

Credential stuffing is a real concern for most organizations, due to the huge risks it incurs. Even with these tips, there had previously been no guarantee that your credentials wouldn’t be discovered by some nefarious source—until now.

Credential stuffing doesn’t work without credentials. Eliminating passwords is the single most effective thing you can do to prevent credential stuffing, and should be number one for how to prevent it.