Team Nuggets
How to Prevent Credential Stuffing Attacks
In an increasingly online world, terms such as data breach, brute-force attack, and cybersecurity have become part of our daily lexicon. It might be time to add a word that is less well known outside cybersecurity circles: credential stuffing.
Highly publicized data breaches quickly make the major news cycle, which sensationalizes the size and scope of a successful attack. Once the news cycle has moved on to the next big story, what happens to the stolen data and, more importantly, how it is used often goes uncovered.
Chances are you, or someone you know, has been a victim of a data breach. Some of the most common data sets that get stolen are people’s login credentials. Once a hacker gets this information, the potential damage caused by credential stuffing is sobering.
What is Credential Stuffing?
Suppose you have been notified that you were the victim of a data breach. Often you are given some information about what happened, told to change your password, and promised that the company will do better. If you do not change those credentials, and especially if you used the same ones elsewhere, it is increasingly likely that they will be tried against many other websites and applications.
The process of a bad actor using your stolen login credentials and entering them on several web applications trying to gain access to an account is called credential stuffing. More specifically, credential stuffing takes stolen account information and attempts automated, large-scale login requests across multiple websites or web applications.
Credential stuffing may not sound overly nefarious until you consider the scale of these attacks and some real-world impacts. A single breach can expose millions of username and password pairs, and combined "combo lists" circulating among attackers run into the billions, so the potential impact is enormous.
Reported success rates for credential stuffing are low, typically from well under 1% to around 3%. Such low odds might make credential stuffing seem not worth the effort. However, the attempts are automated and cheap, so even a 0.1% success rate across one million attempts yields 1,000 compromised accounts and the personal data behind them.
Credential stuffing is a growing threat because of the scale of the login attempts and the number of web applications on which reused credentials are tried. Whoever holds the stolen credentials feeds them into the login forms of hundreds or even thousands of websites and applications, looking for a successful match. They are quite literally stuffing your credentials into as many sites as possible, hoping one attempt succeeds.
Once a bad actor has a valid login, they can steal your personal data (including birthdates, credit card numbers, or potentially Social Security numbers). They can make purchases or change your login details, locking you out of your own account. They can also sell your data or the working credentials to other criminals, often on dark-web marketplaces.
Uber, the world leader in ride-sharing, experienced the impact of credential stuffing in 2016. Stolen Uber employee login credentials were used to access a private GitHub repository used by Uber's application developers. Although they likely knew better, the developers had reused the same email addresses and passwords from other sites, and they had not enabled multi-factor authentication even though it was available, which let the attackers into the repository.
The attackers then found credentials stored in that repository, which gave them access to data and personal information of what was claimed to be 32 million international Uber riders and 3.7 million international drivers.
Other real-world examples include a 2014 breach of a third-party running and racing website that let attackers into the accounts of J.P. Morgan Chase employees (JPMC sponsors corporate charity races), and a 2012 incident in which credentials stolen in another data breach were used to log in to Dropbox accounts.
Cybersecurity experts consider credential stuffing one of the most significant risks because of the sheer volume of attempts involved and the potential for broad-ranging impact on both users and the companies that store their data.
How to Prevent Credential Stuffing?
As threatening and potentially devastating as credential stuffing can appear to be, there are a couple of simple, direct, and common-sense steps that you can take to minimize the potential risks.
1. Do not use the same username and password across multiple websites or applications
Around half of people are estimated to reuse the same username or password across many platforms and applications. When this happens, anyone who obtains one set of your login details can walk into several of your accounts and gather sensitive, potentially damaging personal information. There are many reasons why so many people reuse credentials, but none of them outweighs the risk. A password manager removes the main excuse by generating and remembering a unique password for every site.
2. Choose to opt in when offered multi-factor authentication
Enabling multi-factor authentication when a website or application offers it is an easy way to blunt credential stuffing: even when a stolen password matches, the login still fails without the second factor. Multi-factor authentication is quickly becoming a standard feature for protecting accounts. Some common examples are:
- A website sends an authentication code to your phone or email, and you enter it on a separate page to complete the login. Codes generated by an authenticator app are stronger than codes sent by SMS or email, since those channels can themselves be intercepted or taken over.
- You are required to enter additional data, such as a four-digit PIN, or answer predetermined security questions. Note that PINs and security questions are knowledge factors, just like a password, and the answers may already be in the same breach data, so they add little against credential stuffing.
- You must select a picture from a group you chose when setting up the account to verify that you are the proper person logging in. This is also a knowledge factor and offers only weak protection.
It should be noted that choosing "remember this device" for the next 30 days, or "skip this next time," weakens the protection on that device: an attacker stuffing credentials from their own machine still has to supply the second factor, but anyone who gains control of the remembered device, or its session cookies, does not.
Securing and protecting account logins does not rest solely on end users. Websites and applications that do not offer or enable multi-factor authentication leave their members' data protected by password hygiene alone.
There are steps companies can and should take to protect the data of their members or subscribers, even when multi-factor authentication is not yet offered. Storing passwords only as salted, slow hashes (bcrypt, scrypt, or Argon2) limits how useful a breach of their own database is to the next credential-stuffing campaign. Rate limiting and monitoring login endpoints for unusual failure patterns catch attacks in progress. More broadly, robust security programs and policies harden networks and applications against the data breaches that feed these attacks in the first place.
One of the main elements of a credential stuffing attack is the use of bots to carry out the login attempts. Bots are software programs that perform repetitive automated tasks at a speed and scale that humans cannot replicate. A company can, and again should, employ a bot management service for added protection; such services typically combine request-rate analysis, IP reputation, and browser or device fingerprinting to block automated logins before they reach the authentication backend.
Is Credential Stuffing a Brute Force Attack?
Credential stuffing is often classed as a subset of brute-force attacks. It uses known, previously leaked username and password pairs and tries each pair once against many different websites.
By contrast, a classic brute-force attack guesses many passwords against one account on a single platform until one works. The distinction matters for defenders: account lockouts and slow password hashing blunt brute force, but a credential stuffing attack needs only a single attempt per account, so it rarely trips a lockout and is better detected by looking at the source of the traffic, the number of distinct accounts it touches, and its success rate. In many respects, the two are different sides of the same coin with a common goal: gaining access to your personal and sensitive account information.
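The traffic-pattern distinction above, together with the bot-driven login volume described earlier, can be turned into simple detection logic. The following is an added example, not code from the original page or from any bot management product. It assumes a simplified, constructed login log format of "timestamp source-IP username outcome" and uses hypothetical thresholds; real logs and tuning will differ.

```python
"""Classify login sources as credential stuffing, brute force, or benign.

Added example (not part of the original page). The log format and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). The 198.51.100.0/24 and
# 203.0.113.0/24 ranges are reserved for documentation (RFC 5737).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 198.51.100.7 alice FAIL
2024-03-01T10:00:09Z 198.51.100.7 alice FAIL
2024-03-01T10:00:20Z 198.51.100.7 alice OK
2024-03-01T10:01:00Z 203.0.113.5 bob FAIL
2024-03-01T10:01:00Z 203.0.113.5 carol FAIL
2024-03-01T10:01:01Z 203.0.113.5 dave FAIL
2024-03-01T10:01:01Z 203.0.113.5 erin FAIL
2024-03-01T10:01:02Z 203.0.113.5 frank OK
2024-03-01T10:01:02Z 203.0.113.5 grace FAIL
2024-03-01T10:01:03Z 203.0.113.5 heidi FAIL
2024-03-01T10:01:03Z 203.0.113.5 ivan FAIL
2024-03-01T10:01:04Z 203.0.113.5 judy FAIL
2024-03-01T10:01:04Z 203.0.113.5 mallory FAIL
2024-03-01T10:05:00Z 203.0.113.9 admin FAIL
2024-03-01T10:05:01Z 203.0.113.9 admin FAIL
2024-03-01T10:05:02Z 203.0.113.9 admin FAIL
2024-03-01T10:05:03Z 203.0.113.9 admin FAIL
2024-03-01T10:05:04Z 203.0.113.9 admin FAIL
2024-03-01T10:05:05Z 203.0.113.9 admin FAIL
2024-03-01T10:05:06Z 203.0.113.9 admin FAIL
2024-03-01T10:05:07Z 203.0.113.9 admin FAIL
"""


def parse_log(text):
    """Parse the constructed 'timestamp ip user outcome' lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return events


def classify_sources(events, min_attempts=8, stuffing_ratio=0.8,
                     bruteforce_ratio=0.2):
    """Return {ip: (verdict, stats)} for every source IP in the events.

    Credential stuffing: many attempts, almost every one against a different
    account (one known pair per account), few successes.
    Brute force: many attempts concentrated on one or a few accounts.
    Thresholds are hypothetical and must be tuned per site.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        users = {e["user"] for e in evs}
        successes = sum(1 for e in evs if e["ok"])
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        ratio = len(users) / attempts
        stats = {
            "attempts": attempts,
            "distinct_users": len(users),
            "successes": successes,
            "success_rate": successes / attempts,
            "rate_per_min": attempts / max(span, 1.0) * 60.0,
        }
        if attempts < min_attempts:
            verdict = "benign"          # too little traffic to judge
        elif ratio >= stuffing_ratio:
            verdict = "credential_stuffing"
        elif ratio <= bruteforce_ratio:
            verdict = "brute_force"
        else:
            verdict = "suspicious"      # mixed pattern, worth a human look
        verdicts[ip] = (verdict, stats)
    return verdicts


def accounts_to_review(events, verdicts):
    """Accounts that logged in successfully from a flagged source IP.

    These are the likely compromises: the attacker found a working pair.
    """
    flagged = {ip for ip, (v, _) in verdicts.items()
               if v in ("credential_stuffing", "brute_force")}
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    results = classify_sources(evs)
    for ip, (verdict, stats) in sorted(results.items()):
        print(f"{ip:14} {verdict:20} {stats}")
    print("accounts to review:", accounts_to_review(evs, results))
```

In the sample, 203.0.113.5 touches ten different accounts with a single attempt each and one success, the signature of stuffing a leaked list; 203.0.113.9 hammers one account, the signature of brute force; and alice's two typos followed by a success stay benign. The "accounts to review" list is the actionable output: force a password reset and notify the owner of any account that succeeded from a flagged source.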
Don’t let a hacker be successful. Enable and use multi-factor authentication — every time. Choose a different and unique password for every web application. Don’t make it easy by using the same username or email and password combination for all your login information.
When you reuse credentials, you might as well open the door and step aside, because you are rolling out the red carpet for an attacker who wants your information. Don't let inconvenience be the enemy of personal cybersecurity.