Days before the 2016 US election, a group of ethical hackers in the Netherlands scanned through logins from LinkedIn’s 2012 breach. Then they took the password linked to Donald Trump’s account—yourefired—and were surprised when it worked against his Twitter login.
Credential stuffing is a simple yet powerful strategy that is on the rise, particularly in the finance industry. As attacks increase, organizations are at a higher risk for compromised customers, network intrusion, and millions in damage from lost business and remediation.
Many organizations use solutions like bot blockers and two-factor authentication to address this issue. But monitoring online data sources and leaked credential feeds is also valuable, surfacing hidden records that could leave your systems and customers more vulnerable to credential stuffers.
How does credential stuffing impact your business, and what are your best defenses for 2021 and beyond?
Attackers Are Scaling Up
Credential stuffing attacks are not new, but they are becoming more sophisticated. Attackers use credential stuffing bots, sold on the dark web, to test username/password pairs against many accounts en masse. The tools are getting smarter: they are built to evade CAPTCHAs and to route login traffic through different IP addresses and browser types so that no single source raises red flags.
Credential stuffing tool and how-to on a dark web hacking forum—as viewed in the Echosec Systems Platform.
Attackers compile stolen credentials from past breaches that are available on the dark web, paste sites, and other hidden online spaces, preying on users who reuse leaked passwords.
A 2020 F5 report blames a rise in these attacks on the massive number of leaked records now available “from more than a decade of near-daily data breaches.” The speed and scale of credential stuffing campaigns can even resemble DDoS attacks—a strategy that credential stuffing has surpassed in financial services, according to F5.
A recent Akamai report identified over 100 billion credential stuffing attempts between July 2018 and June 2020. Another cybersecurity company, Shape Security, observed that 90% of “typical” login attempts to their corporate clients are malicious.
Considering the average person reuses their passwords up to 14 times, credential stuffing at this scale can have serious consequences for a business’s customers and risk profile.
Why You Need to Prevent Credential Stuffing
An attacker runs a credential stuffing campaign and gains access to accounts associated with your business. What does this mean for you?
Access to these accounts often gets sold on the dark web (or on other platforms such as deep web forums and messaging apps). Sometimes the attacker can monetize the credentials directly if the exposed account includes financial information. If these are customer logins, your credibility and customer retention could suffer even though your systems have not been directly compromised.
If they are staff logins, attackers may access accounts and internal systems, potentially leading to an even larger breach. This is surprisingly feasible, as staff often use company email addresses (and passwords) for external sites and applications that may have been compromised. This is especially serious if the “stuffed” login belongs to an employee with broader admin permissions.
Credential stuffing costs affected companies $6 million per year on average, including downtime, business loss, brand damage, and remediation. These costs can easily escalate if a cracked employee login means system intrusion.
Beyond Bot Blockers and 2FA: How to Prevent Credential Stuffing
Security teams can use a number of tools to prevent or mitigate credential stuffing attacks.
These include bot blockers and threat intelligence solutions that alert analysts to unusual network traffic and login attempts. Organizations can also adopt more stringent password practices, including two-factor authentication, password managers, and strong (e.g. not “yourefired”), unique passwords that are not reused across sites.
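The IP and browser rotation described earlier is aimed precisely at per-source rate limits: each address makes only a handful of attempts, so nothing trips. The following Python is an added illustration, not code from the original post or from Echosec Systems, of the detection logic a security team can run over its own authentication logs instead. It computes the failure ratio and the share of distinct usernames over the whole login population in a time window first, and only then attributes the campaign to individual sources. The log format, the sample lines, KNOWN_ACCOUNTS and every threshold are constructed assumptions.

```python
# Population-level detection of credential stuffing in authentication logs.
# Added illustration, not code from the original post or from Echosec Systems.
# The log format, the sample lines, KNOWN_ACCOUNTS and every threshold are
# constructed assumptions; tune them against your own baseline before alerting.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed log format: "<ISO timestamp> <source_ip> <username> <OK|FAIL> <user agent>"
SAMPLE_LOG = """\
2021-02-01T10:00:01Z 198.51.100.7 alice@example.com OK Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
2021-02-01T10:00:05Z 203.0.113.10 alice@example.com FAIL Mozilla/5.0 (Windows NT 10.0) Chrome/88.0
2021-02-01T10:00:06Z 203.0.113.10 bob@example.com FAIL Mozilla/5.0 (Macintosh) Safari/14.0
2021-02-01T10:00:07Z 203.0.113.11 carol@example.com FAIL Mozilla/5.0 (X11; Linux) Chrome/88.0
2021-02-01T10:00:08Z 203.0.113.11 dave@example.com FAIL Mozilla/5.0 (iPhone) Safari/14.0
2021-02-01T10:00:09Z 203.0.113.12 erin@example.com OK Mozilla/5.0 (Windows NT 10.0) Edge/88.0
2021-02-01T10:00:10Z 203.0.113.12 frank@example.com FAIL Mozilla/5.0 (Android) Chrome/88.0
2021-02-01T10:00:11Z 203.0.113.12 old.user@example.com FAIL Mozilla/5.0 (Windows NT 6.1) Firefox/85.0
2021-02-01T10:00:12Z 203.0.113.13 grace@example.com FAIL Mozilla/5.0 (Macintosh) Chrome/88.0
2021-02-01T10:00:13Z 203.0.113.13 heidi@example.com FAIL Mozilla/5.0 (X11; Linux) Firefox/85.0
2021-02-01T10:05:00Z 198.51.100.8 bob@example.com FAIL Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
2021-02-01T10:05:03Z 198.51.100.8 bob@example.com FAIL Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
2021-02-01T10:05:09Z 198.51.100.8 bob@example.com OK Mozilla/5.0 (Windows NT 10.0) Firefox/85.0
"""

# Constructed directory of accounts that currently exist; "old.user" does not.
KNOWN_ACCOUNTS = {f"{n}@example.com" for n in
                  ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi")}


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool
    agent: str


def parse_log(text):
    """Parse the constructed format; the user agent field may contain spaces."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, ip, user, result, agent = line.split(maxsplit=4)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, ip, user.lower(), result == "OK", agent))
    return events


def detect_stuffing(events, known_accounts, window_minutes=10,
                    min_attempts=10, min_fail_ratio=0.6, min_spray_ratio=0.6):
    """Return one alert per time window whose login population looks like a spray.

    Per-IP rate limits miss a campaign that rotates source addresses, so the
    ratios are computed over the whole window first; only then are sources attributed.
    """
    windows = defaultdict(list)
    for e in events:
        start = e.ts.replace(second=0, microsecond=0)
        windows[start.replace(minute=start.minute - start.minute % window_minutes)].append(e)

    alerts = []
    for start in sorted(windows):
        evs = windows[start]
        attempts = len(evs)
        fail_ratio = sum(not e.ok for e in evs) / attempts
        users = {e.user for e in evs}
        spray_ratio = len(users) / attempts   # near 1.0: almost every attempt is a new account
        if attempts < min_attempts or fail_ratio < min_fail_ratio or spray_ratio < min_spray_ratio:
            continue

        # Attribute the spray to sources whose attempts each target a different
        # account and mostly fail; a user retyping their own password does not match.
        by_ip = defaultdict(list)
        for e in evs:
            by_ip[e.ip].append(e)
        suspects = sorted(
            ip for ip, ev in by_ip.items()
            if len(ev) >= 2 and len({x.user for x in ev}) == len(ev)
            and sum(not x.ok for x in ev) / len(ev) >= 0.5)
        suspect_set = set(suspects)
        alerts.append({
            "window_start": start.isoformat(),
            "attempts": attempts,
            "fail_ratio": round(fail_ratio, 3),
            "spray_ratio": round(spray_ratio, 3),
            "suspect_ips": suspects,
            "max_attempts_per_suspect": max((len(by_ip[ip]) for ip in suspects), default=0),
            "agents_seen": len({e.agent for e in evs if e.ip in suspect_set}),
            # Usernames that do not exist here hint at a list compiled from another breach.
            "unknown_users": sorted(u for u in users if u not in known_accounts),
            # A success from a suspect source is the stuffing hit: reset it and step up auth.
            "successes_from_suspects": sorted({e.user for e in evs if e.ok and e.ip in suspect_set}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG), KNOWN_ACCOUNTS):
        print(alert)
```

On the constructed sample, no suspect source makes more than three attempts, which is why a per-IP lockout threshold never fires; the window as a whole still shows a 77% failure rate spread over nine different usernames. The alert also separates the three things worth acting on: the successful login from a spraying source (the account that was actually taken over), the username that no longer exists (a sign the list came from an old breach), and the number of distinct browser identities the sources presented.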
Monitoring open-source data for vulnerable credentials also helps detect blind spots leveraged by credential stuffers. For example, locating your company’s login data on dark web forums, marketplaces, and paste sites can indicate new or old leaks that may be used for credential stuffing. This information is increasingly available on more obscure deep websites and social platforms, too.
Some threat intelligence platforms also offer access to leaked credential databases—the kind used by adversaries to build credential stuffing campaigns in the first place.
Searching for your company’s digital assets across these databases can signal where passwords need to be updated, especially from older breach events that victims might have overlooked. Monitoring PII like company email domains as these databases grow is crucial for staying ahead of credential stuffing risks—especially for VIP account takeover that could give adversaries wider system access.
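Once a leaked-credential search returns records for your email domain, the records still have to be turned into actions: which accounts are active, which are privileged, and whether the leaked password is the one currently in use. The Python below is an added example, not code from the original post or from the Echosec Systems Platform, of that triage step. A plaintext leak is checked offline against the account's stored password verifier; a hashed leak (like the hashed password in the Badoo record shown below) can only be compared when the user's plaintext is in hand, so the check is deferred to the next login. The feed format, breach source names, directory, roles, passwords and the MONITORED_DOMAINS value are all constructed assumptions.

```python
# Triage a leaked-credential feed against the company's own account directory.
# Added illustration, not code from the original post or from Echosec Systems.
# Feed format, breach names, directory, roles, passwords and MONITORED_DOMAINS are constructed.
import hashlib
import hmac
import os
from collections import namedtuple

MONITORED_DOMAINS = {"example.com"}   # assumption: the company's email domain(s)


def unsalted(alg, text):
    """Unsalted hash as found in old dumps; also used here to build the sample feed."""
    return hashlib.new(alg, text.encode()).hexdigest()


# Constructed feed: "source,email,secret_type,secret". Real feeds mix plaintext,
# unsalted and salted hashes; salted ones cannot be matched without the salt.
LEAKED_FEED = f"""\
DatingSite-2016,Alice@Example.com,sha1,{unsalted("sha1", "Summer2016")}
OldForum-2012,bob@mail.example.com,plain,yourefired
OldForum-2012,carol@example.com,plain,Winter2012!
Shop-2019,dave@notexample.com,plain,letmein
Shop-2019,erin@example.com,md5,{unsalted("md5", "password")}
PasteSite-2020,frank@example.com,plain,Qwerty123
PasteSite-2020,grace@example.com,plain,Spring2019
"""

Leak = namedtuple("Leak", "source email kind secret")            # kind: plain, md5 or sha1
Account = namedtuple("Account", "email role active salt verifier")  # verifier: PBKDF2-HMAC-SHA256


def make_verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def constructed_directory():
    """Constructed IdP export; the plaintexts exist only to build the verifiers."""
    seed = {
        "alice@example.com": ("admin", True, "Summer2016"),              # same as leaked
        "bob@mail.example.com": ("user", True, "correct horse battery"),  # differs from leak
        "carol@example.com": ("user", False, "Winter2012!"),             # deprovisioned
        "erin@example.com": ("user", True, "Lunar-Orbit-42"),
        "grace@example.com": ("user", True, "Spring2019"),               # same as leaked
    }
    out = {}
    for email, (role, active, pw) in seed.items():
        salt = os.urandom(16)
        out[email] = Account(email, role, active, salt, make_verifier(pw, salt))
    return out


def email_in_scope(email, domains=MONITORED_DOMAINS):
    """Match the domain and its subdomains, not look-alikes such as notexample.com."""
    domain = email.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in domains)


def parse_feed(text):
    leaks = []
    for line in filter(str.strip, text.splitlines()):
        source, email, kind, secret = line.split(",", 3)
        leaks.append(Leak(source, email.strip().lower(), kind, secret))
    return leaks


def reuses_leaked_secret(leak, account, plaintext=None):
    """True/False when comparable, None when not yet.

    A plaintext leak is checked offline against the stored verifier. A hashed
    leak is comparable only when the user's plaintext is in hand, i.e. at login.
    """
    if leak.kind == "plain":
        return hmac.compare_digest(make_verifier(leak.secret, account.salt), account.verifier)
    if plaintext is None:
        return None
    return hmac.compare_digest(unsalted(leak.kind, plaintext), leak.secret)


def triage(leaks, directory):
    """One finding per in-scope leaked record, with the action it calls for."""
    findings = []
    for leak in leaks:
        if not email_in_scope(leak.email):
            continue
        acct = directory.get(leak.email)
        if acct is None:
            status, reuse, action = "not in directory", None, "investigate alias or former employee"
        elif not acct.active:
            status, reuse, action = "deprovisioned", None, "confirm account is disabled"
        else:
            status, reuse = "active", reuses_leaked_secret(leak, acct)
            action = {True: "force password reset and invalidate sessions",
                      False: "monitor", None: "check at next login"}[reuse]
            if acct.role == "admin":          # VIP takeover gives wider access: step up regardless
                action += "; require MFA step-up"
        findings.append({"email": leak.email, "source": leak.source,
                         "status": status, "reuse": reuse, "action": action})
    return findings
```

The domain match deliberately accepts subdomains (bob@mail.example.com) while rejecting look-alikes (dave@notexample.com), and the in-scope address that is absent from the directory is kept as a finding rather than dropped, since a corporate address used for a personal account, or one belonging to a former employee, is exactly the kind of record this monitoring is meant to surface.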
The Echosec Systems Platform shows search results for a company email address within a database of over 10 billion leaked records. The example shows a leaked email/hashed password from Badoo, a dating site. Using corporate PII for personal accounts can further compromise your organization’s data security.
Even with a robust cybersecurity program in place, attackers can reach internal networks and data with credential stuffing techniques without ever directly compromising your systems. This is what makes credential stuffing so dangerous despite its relatively simple implementation.
Businesses must monitor technical data feeds and enforce password best practices to detect and prevent credential stuffing campaigns.
As credential stuffing ramps up, cybersecurity teams must also think like the adversary, who builds these campaigns with PII from known and emerging deep and dark web sources, social platforms, and breached data repositories.
Scanning these sources in real-time for your business’s digital assets is crucial for more comprehensive protection against credential stuffing and its damaging consequences.
Are your employees’ breached logins still vulnerable online?
Book a demo to find out.