It’s a way of cyber attacking where hackers use compromised user credentials to access a system. They use automated bots to scale because most users reuse passwords and usernames in multiple services. According to statistics, 0.1% of breached account details result in successful login if used in a different service.
Credential stuffing is increasingly becoming a rising threat due to the following principal reasons.;
The presence of more sophisticated bots continuously creates several login attempts while originating from various IP addresses. The automated robots will easily overcome security measures such as blocking IP with numerous unsuccessful login attempts.
Accessibility of a large number of compromised credentials; more than 22 billion combinations of passwords and usernames pairs are available to the hacker community in plaintext.
Table of Contents
How Credential Stuffing Attacks Operate
When cybercriminals want to execute a credential stuffing attack, they add a list of compromised credentials to a botnet, which automatically starts to try the credentials on different sites simultaneously. Large-scale stuffing attacks cause websites to experience up to 180 times the usual traffic, thus overwhelming the company’s IT infrastructure.
Here is a process which the hackers follow carrying out a massive credential stuffing attack;
- They set up a bot that automatically signs into different sites while showing separate IPs.
- Automatically check whether the compromised password and username are valid on different sites. Attackers run this procedure parallel across different sites to avoid login to a particular account repeatedly.
- Monitor all the accounts logged in to acquire financial details such as bank details and credit cards, valuable data, and individual information.
- Preserve the account credentials to use later.
What To Do If You Fall, Victim of Credential Stuffing Attack
Surprisingly, individuals who are victims of credential stuffing rarely recognize that the accounts have been tampered with by another party without attempting to log in to an account that is not regularly used or reviewing their past transactions.
If you notice the attackers have hacked your account, immediately update the password and contact your company to change your account details. Notify your credit company of the credit card fraud and place a fraud alert if you have various online accounts attached to your credit card.
How To Prevent Credential Stuffing Attacks
Although most people know that password reuse is not safe, they choose to use a single password on multiple sites since they don’t want a dozen passwords to remember. You can opt for password managers, though you will pay a lower rate for adoption. The company should take various measures to prevent credential stuffing attacks, such as getting rid of passwords to avoid hackers using stolen credentials to login into accounts.
Here are measures to help you prevent your site from credential stuffing attacks.
-
Use Password Managers
The initial step for protecting your site from credential stuffing attacks is changing those old and duplicate passwords. Investing in password managers is vital; it will provide a secure location to secure your complex and unique passwords.
Password managers also generate complex passwords for each online account, and you don’t have to remember them. It will make it easier for you to regularly update your passwords, especially after getting any notification that a data breach has compromised your details. The application will automatically notify users if their email addresses are accessible in public data dumps.
-
Use a Captcha
When you introduce a Captcha, users will have to act to prove they are not robots, which will make it difficult for a credential stuffing attack to be effective. Unfortunately, attackers using headless browsers can overcome Captcha. However, you can use Captcha alongside various measures on particular instances.
-
Use Two-Factor Authentication
Two-factor authentication builds an additional layer that requires hackers to do more than cracking a password. It involves joining a password with an email address, a mobile device, or a biometric identifier. Enabling two-factor authentication will keep your account safe.
Automated bots can’t adhere to requirements such as physical authentication since they have no access to a mobile device. In most instances, it’s not practical to ask for multifactor verification for the complete website. In this case, combine it with various techniques; for instance, you can only combine multi factor authentication with fingerprinting.
Even though the extra step might feel like a hassle when managing your accounts or making an online purchase quickly, it’s worth the effort.
-
Blocklisting IP
IP blocklisting is an effective way to secure websites against credential stuffing because most hackers have limited IP addresses. Consider sandboxing or blocking addresses trying to sign to various sites. Analyze previous IP addresses that signed in to a particular account and check if they are similar to the one you suspect; this will reduce false positives.
-
Avoid Making Emails Your ID
There have to be identical account IDs and surnames across services for credential stuffing to perform an attack. When the ID is an email address, this is more likely to happen. Restricting email addresses as IDs to users will lower the possibility of different login sites using similar credentials.
-
Device Fingerprinting
Collect information about a user device using JavaScript, then build a fingerprint for every login request. It contains different parameters such as browser, operating system, time zone, user agent, and language. If you notice that a similar combination of parameters is signed in at different times in sequence, that is most like a credential stuffing or brute force attack.
To enforce severe measures such as banning the IP address, use a strict fingerprint with different parameters. If you want to capture a wide range of attacks, use few standard parameters while relaxing measures. For instance, you can decide to ban an account rather than blocking it permanently temporarily; consider using Language + Geolocation + Operating System for a common fingerprint combination.
-
Block Headless Browsers
JavaScript can quickly identify headless browsers, like PhantomJS. Consider blocking headless browsers from accessing your site since these are attackers who will undoubtedly show malicious activities.
Conclusion
Credential stuffing can’t be stopped outright; however, users can make the process of accessing credentials as hard as possible. Reusing passwords and creating weak passwords risk your account security.
Despite your industry, including media, retail, gaming, and entertainment, weak or recycled passwords across multiple accounts will be compromised. Create awareness around these facts among all your employees.
