Credential Stuffing

04.10.2019 Read
Credential Stuffing

You might have noticed this incident: Users of some online service providers lose their accounts en masse yet the companies assert that there haven’t been any intruders on their systems. It may sound unlikely, but in most cases they have a valid point. With the new hacking technique called credential stuffing, it is possible. Read our article to learn more.

What is credential stuffing?

Credential stuffing is a new cyber attack technique employed by hackers. It is a very straightforward practice: The hackers obtain the credentials of various users through a data compromise on one service, and they use these credentials to log into a whole another service. This technique has a whooping success rate because many people prefer using the same credentials across various services since it is easier to remember one set of credentials instead of tens. Additionally,  it might be beneficial for you to check the state of  cyber security in order to see what can be done to protect your business. For instance, a hacker might obtain the list of username and password combinations through an unfortunate data breach of a large service provider. Then they employ numerous bots in an attempt to log in to another service provider. A bank, a streaming service, a mail service; you name it.

The hacker tests the chance that the person whose credentials they have use the same e-mail address and password for another account. Most of the time, people use same e-mail address, username and password across various sites. Thus, once one of your credentials are stolen, you risk losing almost all online accounts you have. In 2019, credential stuffing is on a rising trend due to gigantic data breaches and huge lists of stolen credentials circulating online. Most hackers even buy those breached credentials on dark net and black markets. Combined with advanced bots, the information on those lists are at best, dangerous.

What is the difference between brute force attacks and credential stuffing?

According to the classification of OWASP, credential stuffing is a kind of brute force attacks because a credential stuffing attack has a 0.1% chance of being successful. As a result, hackers acquire massive sets of stolen credentials and they try to log into various platforms en masse. But from a rather technical point of view, credential stuffing is not very similar to brute force attacks since the latter tries to guess passwords without the help of any clues or even context. With the credential stuffing, the number of potential correct answers is much bigger.

Moreover, you can protect yourself from brute force attacks by using complex passwords but you are more exposed when it comes to credential stuffing. In addition, it is more difficult to detect hackers who employ credential stuffing techniques since the number of wrong guesses are also dramatically reduced.

How can you protect your organization against credential stuffing?

Users can protect themselves from credential stuffing by simply using different password and username/e-mail combinations for different services but it is more difficult for an organization to protect itself from it. Credential stuffing attacks happen because of a data breach. Not necessarily from your organization. You can suggest your users to use a unique password for your platform but there is no efficient way to enforce this principle. One option is running the password submitted by user across a database of known ‘stolen’ passwords. Yet this method is not 100% safe either since the user might be reusing a password from another service, and that service might be compromised in the future.

The only viable solution seems like administering additional login security features and two-step authentication processes. It may seem inconvenient for your users but the protection is definitely worth the inconvenience. SOAR solutions help you to detect compromised credentials. Additionally, there are other  available features of SOAR, you might want to checkSOAR use cases.