Credential Stuffing poses a significant threat to cyber security due to internet users’ widespread habit of password reuse. When a data breach occurs, and a database of credentials is leaked, attackers can automate the login process on many websites to identify where these credentials might work. Unlike Brute Force Attacks, which try all possible combinations, Credential Stuffing relies on pairs of usernames and passwords known to have been valid at some point.
To defend against Credential Stuffing, organisations can implement security measures such as requiring Multi-Factor Authentication (MFA), monitoring for unusual login attempts, employing device fingerprinting, and educating users about the importance of unique passwords for every account.
Is credential stuffing a data breach?
Credential stuffing occurs when a data breach is successful, as credentials are stolen during the attack. As data breaches happen all the time, people’s usernames and passwords are traded and sold on the black market. Given the frequency of breaches and the advancement in tools used to bypass login protection, credential stuffing is becoming considerably more common.
How to detect credential stuffing?
Credential stuffing bot detection techniques are not entirely effective, and it is best also to find other forms of protection. However, there are some signs you can look out for. The first of those signs is changes in site traffic. If you detect multiple login attempts on many accounts within a certain timeframe, this likely indicates that credential stuffing is occurring.
If you detect cases with a higher-than-usual login failure rate, do not ignore it. This is also a sign of credential stuffing. Finally, you must look out for recorded downtime caused by an increase in site traffic. If you are mindful of the aforementioned tips, you may have better chances of catching a credential stuffing attempt as it happens. It is wise and recommended that you use bot screening technology to assist you in detecting any attempts alongside this, however.
How to prevent credential stuffing?
Multi-factor authentication is a good way to prevent credential stuffing, mainly if you use it alongside another form of protection. When you use MFA, attacker bots will not be able to access the targeted account even with the correct credentials as they will not have access to the physical authentication method.
CAPTCHA also reduces the effectiveness of credential stuffing as it requires users to take action to prove they are human and not a bot. Unfortunately, CAPTCHA can sometimes be bypassed as hackers can use headless browsers. In this case, using it with another form of protection is best.
Fingerprinting software can be used to counter credential stuffing as well. Fingerprinting works by having a tracking script collect information about your browser and device. It will then create a unique digital fingerprint for each incoming session. The fingerprinting software will then detect credential stuffing by seeing if any of the same data points have been used for several sequential login attempts. You can respond to these potential attacks with appropriate measures, such as banning their IP addresses.
Key Characteristics:
- Automated Login Attempts: Attackers use bots to automate trying different username and password combinations.
- Exploitation of Password Reuse: Leverages the tendency of users to reuse the same credentials across multiple services.
- Based on Known Credentials: Uses previously leaked or stolen usernames and passwords from data breaches.
- Large-Scale Attacks: Often targets many accounts simultaneously, increasing the odds of success.
Examples:
- Real-World Example: The attack on the video service provider Hulu in 2018, which led to unauthorised access to accounts using information obtained from previous data breaches on other sites.
- Hypothetical Scenario: An attacker obtains a leaked database containing usernames and passwords from a forum and uses those credentials to attempt to log in to email providers, banking services, and social media platforms.
Related Terms:
- Brute Force Attack: An attack technique where attackers systematically try all possible passwords for a single account.
- Multi-Factor Authentication (MFA): An authentication method that requires users to present two or more independent credentials to authorise access, helping to mitigate the impact of Credential Stuffing.
- Data Breach: A security incident where information is accessed without authorisation, often leading to credentials becoming available for Credential Stuffing attacks.