Credential stuffing is a low-effort, relatively low-cost means of hacking that does not involve much in the way of technical ability. All it takes is a big list of compromised accounts, something easily found on dark web forums these days.
An example of the scale of credential stuffing campaigns comes from New York, where the state Attorney General revealed that over a million compromised accounts were identified as the result of a recent investigation. These accounts were put to use against 17 online merchants from various industries, and many of these credentials had not previously been seen.
Stolen information from data breaches put to use in credential stuffing attacks
Credential stuffing has grown year-over-year in recent years, particularly during the Covid-19 pandemic. Every new data breach that leaks the usernames and passwords of compromised accounts to the dark web provides credential stuffing campaigns with that much more fuel. The campaigns take advantage of the fact that people tend to re-use login names and passwords for multiple accounts, and are not necessarily fastidious about changing their credentials every time a data breach is announced.
Businesses have the means to defend against these attacks, but the New York AG’s report indicates that many are not doing so even as the threat continues to rise. A common problem it notes is that organizations purchase or subscribe to tools that promise to stop credential stuffing attacks, but these tools must be configured correctly to do so. When the configuration is not performed correctly, the defenses do not work the way they should. IT staff also often have trouble identifying incoming credential stuffing attacks, as they can resemble generally less threatening distributed denial of service (DDoS) attacks.
The report also points out that there is not just one safeguard that is a “magic bullet” against these attacks. Successful defense against a blizzard of compromised accounts usually hinges on a layered strategy, including elements such as multi-factor authentication and asking site users to re-authenticate at certain points (such as just prior to making a purchase).
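As an added illustration of the detection problem the article raises (this is example code written here, not material from the New York AG’s report), the heuristic below separates a credential stuffing window from a brute force window using the shape of the failures: stolen username/password pairs are each tried about once, so failures spread thinly over many distinct accounts and source IPs, whereas brute force concentrates failures on one account. The log events, IP addresses and thresholds are all constructed.

```python
from collections import Counter

# Constructed sample auth events (not real data): (source_ip, username, succeeded)
STUFFING_BURST = [
    (f"203.0.113.{i}", f"user{i:02d}@example.com", False) for i in range(1, 41)
] + [("203.0.113.7", "user07@example.com", True)]  # one reused password hits

BRUTE_FORCE_BURST = [("198.51.100.5", "admin", False) for _ in range(40)]

NORMAL_TRAFFIC = [("192.0.2.1", "alice", True), ("192.0.2.2", "bob", False),
                  ("192.0.2.2", "bob", True)]


def summarize(events):
    """Per-window features: failure count, distinct users/IPs, failures per user."""
    failures = [(ip, user) for ip, user, ok in events if not ok]
    users = Counter(user for _, user in failures)
    ips = Counter(ip for ip, _ in failures)
    return {
        "failures": len(failures),
        "distinct_users": len(users),
        "distinct_ips": len(ips),
        "failures_per_user": len(failures) / len(users) if users else 0.0,
        "fail_ratio": len(failures) / len(events) if events else 0.0,
    }


def classify(events, min_failures=20):
    """Label one window of login attempts.

    Credential stuffing: a high failure rate spread thinly across many
    distinct usernames (each leaked pair is tried about once), from many IPs.
    Brute force: the same volume of failures concentrated on few usernames.
    Thresholds are constructed for the example; tune them to real traffic.
    """
    s = summarize(events)
    if s["failures"] < min_failures or s["fail_ratio"] < 0.5:
        return "normal"
    if s["failures_per_user"] <= 2 and s["distinct_users"] >= 10:
        return "credential_stuffing"
    return "brute_force"


if __name__ == "__main__":
    for name, window in [("stuffing", STUFFING_BURST),
                         ("brute force", BRUTE_FORCE_BURST),
                         ("normal", NORMAL_TRAFFIC)]:
        print(f"{name:12s} -> {classify(window)} {summarize(window)}")
```

A volume spike with mostly successful or non-login requests falls through to "normal" here, which is the signal that lets a responder tell a login-focused campaign apart from generic DDoS-style load.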
15 billion compromised accounts in the wild
Data breaches have collectively supplied billions of compromised accounts to hackers, and this information is constantly being merged and organized into detailed files that help facilitate cyber crime. Over six months of monitoring numerous dark web forums, the New York AG’s office came up with a count of not just the accounts involved in the recent attacks but all of the compromised accounts currently available to illicit buyers.
All types of organizations can make use of the fruits of this research by perusing the “Business Guide for Credential Stuffing Attacks”, a report created from the findings of this investigation. Among other items, the report describes the typical flow of a credential stuffing attack and breaks down how each of the common defense mechanisms can be correctly applied in a cyber security plan. It also covers the fundamental elements of an incident response plan specific to credential stuffing, something that any business should have on hand in today’s threat landscape.