Credentials are one of the most sought after targets by cybercriminals. Attackers use stolen or compromised credentials to pivot into corporate networks and exfiltrate sensitive data. Credential stuffing attacks are high in the playbook of adversaries because they are easy to execute with a high success rate. According to the IBM Cost of Data Breach 2021 Report “the most common initial attack vector, compromised credentials, was responsible for 20% of breaches at an average breach cost of USD 4.37 million.”
It is important for businesses to build their defenses to mitigate this costly threat. Before delving into these best practices, it’s best to review how credential stuffing attacks work.
How credential stuffing attacks work
Credential stuffing is a type of cyber-attack in which attackers use lists of compromised credentials to automate attacks against authentication and authorization mechanisms to either take over the targeted account or exfiltrate data. Since authentication is almost always achieved through an API, credential stuffing attacks are a major API security risk, says Salt Security.
Credential stuffing attacks look like brute-force attacks, but they are not the same. “Credential stuffing is really a subset of brute force attacks,” says Adam Darrah, director of intelligence with Vigilante. “The major difference is the fact that threat actors are working with previously cracked or dehashed passwords, and passwords that were compromised by other attack vectors, like keyloggers and other malware, so they already have an attack-ready set of credentials at their disposal. Threat actors utilize a litany of brute force checkers, varying in sophistication, to run targeted account takeover campaigns against corporate infrastructure and websites alike.”
Credential stuffing is more prevalent today, as attackers are becoming more sophisticated into spotting gaps into established authentication mechanisms to compromise data stored across multiple cloud platforms. It is also a very effective attack method as the list below demonstrates:
- Nintendo, 2020: Credential stuffing hackers gained access to Nintendo user accounts using breached data and crimeware.
- Zoom, 2020: 500,000 user credentials were breached and put up for sale using crime forums and dark web supermarkets.
- Marriott International Data Breach, 2018: A hacker acquired two employees’ credentials to expose the login credentials of over 5.2 million customers.
- Uber, 2016: The data of over 57 million customers and drivers was exposed in a credential stuffing attack.
An attacker looking to perform a credential stuffing attack will typically:
- Perform reconnaissance of a target and its APIs to gather intelligence.
- Compile a dataset of previously compromised credentials known to be working.
- Configure automation tool with throttling, to feed the compromised credentials and configured to act like a typical human or business activity.
- Launch attack against the login API, often orchestrated from various geographic locations to evade detection.
- Track login credential successes and failures.
Once the attacker has obtained a working login, the bad actor will use it to take over the targeted account (Account Takeover or ATO) and pivot the campaign to exfiltrate data, escalate privileges, or further abuse functionality.
5 credential stuffing prevention tips
The success of credential stuffing attacks finds its root in its ability to rely on human error. People don’t take the time to create extensively unique passwords because of the other hundred they also have to remember. However, there are ways that businesses can reduce the effectiveness of these attacks. The below tips can help.
1. Implement Multi-Factor Authentication (MFA)
“Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing” notes OWASP in their credential stuffing prevention cheat sheet. Analysis by Microsoft indicates that MFA would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible.
To balance security and user experience, multi-factor authentication can be combined with other techniques to require stepped-up authentication and the use of a second authentication factor only in specific circumstances where there is increased risk. The risk based decision may be supported by context such as login attempts from a new IP address, an unusual location, countries considered untrusted, or blocked IP addresses.
2. Use Behavioral Analytics
Salt Security suggests that “credential stuffing can be more easily and quickly detected if an organization is able to establish baselines of typical user behavior and traffic patterns.” As such, organizations need to define the baselines of typical behavior and be able to detect any suspect activity, such as “abnormal movement of data and the attempted manipulation of tokens, user IDs, or API parameters.”
3. CAPTCHA
Requiring a user to solve a CAPTCHA for each login attempt can help to prevent automated login attempts, which would significantly slow down a credential stuffing attack. However, CAPTCHAs are not perfect, and attackers may leverage certain tools to break them with a reasonably high success rate. To improve usability, it may be desirable to require the user to solve a CAPTCHA only when the login request is considered suspicious, using the same criteria as the ones for leveraging MFA.
4. Device Fingerprinting
Device fingerprinting combines certain attributes of a device to identify it as unique, including operating system, type and version of web browser, language settings, and IP address. Using these various attributes, it is possible to create a fingerprint of the device. This fingerprint can then be matched against any browser attempting to login to the account, and if it doesn’t match then the user can be prompted for additional authentication. Many users will have multiple devices or browsers that they use, so it is not practical to block attempts that do not match the existing fingerprints.
5. IP Block Listing
Less sophisticated attacks will often use a relatively small number of IP addresses, which can be block-listed after a number of failed login attempts. These failures should be tracked separately to the per-user failures, which are intended to protect against brute-force attacks. The block list should be temporary to reduce the likelihood of permanently blocking legitimate users.
As long as businesses depend on passwords and other weak credentials, credential stuffing attacks will continue to exist. The goal of our defenses should be making the process of obtaining credentials as difficult as possible. Weak passwords and password reuse are creating serious security gaps in API security and access control. If a password is weak or reused across multiple accounts, it will eventually be compromised. Awareness around these facts needs to increase, as does the promotion of multi-factor authentication and good API security hygiene.