Credential Stuffing Attacks – A Growing Yet Easily Mitigated Threat

Updated: Jul 30, 2019

TLP:WHITE | The NTIC Cyber Center assesses with high confidence that credential stuffing attacks remain a serious threat to users who recycle the same login credentials across multiple online accounts and who fail to enable multi-factor authentication. We assess that credential stuffing attacks will become increasingly prevalent because cyber threat actors can easily acquire stolen credentials and use automated login tools to test thousands of credential sets against multiple websites in a short period of time.

Credential stuffing is a technique in which threat actors use stolen login credentials and automated hacking tools to try to hijack victims’ accounts, steal data, and commit fraud. For example, a threat actor may take sets of stolen email account login credentials, usually acquired through a data breach, and inject them into various social media platforms or banking websites. To gain access to users’ accounts, the hacker is counting on the likelihood that victims have recycled the same usernames and passwords across multiple online accounts. Recent surveys conducted by several cybersecurity firms reveal that users reuse the same login credentials on multiple accounts 59 to 83 percent of the time and that there are 115 to 250 million stolen credential login attempts per day.

Credential stuffing attacks differ from typical brute-force attacks because they employ actual known login credential sets rather than randomly trying a list of popular or easy-to-guess passwords with one username. Consequently, credential stuffing can be a more effective technique because it reduces the number of potentially incorrect passwords as well as the time it takes to gain unauthorized access to accounts.

Widespread credential stuffing attacks were first observed in late 2014, fueled by the growth of automated underground marketplaces that facilitate the sale of large amounts of stolen data, including compromised login credentials. It has become easy and affordable for threat actors to obtain large volumes of login credentials via these marketplaces, and even less-skilled hackers can use automated hacking tools—such as account-checking software—to conduct these attacks. More sophisticated variations of credential stuffing attacks can bypass some prevention and mitigation strategies such as IP address blocking, rate limiting, JavaScript restrictions, and browser fingerprinting by implementing bots that copy human-like behavior, making them indiscernible to anomaly detection systems.

Recent Credential Stuffing Incidents

  • In February 2019, Dunkin Donuts disclosed that users of its loyalty program were impacted by a credential stuffing attack when an unidentified threat actor used stolen credential sets to gain access to customer accounts. This was the second time within a three-month period that a credential stuffing attack targeted the company.

  • Also in February 2019, software company Intuit disclosed that an unknown number of TurboTax software accounts were breached after an unidentified threat actor conducted a credential stuffing attack against the associated login page.

  • Cybersecurity firm Akamai reports that hackers conducted 12 billion credential stuffing attacks against gaming websites between November 2017 and March 2019.


To effectively defend against credential stuffing attacks, the NTIC Cyber Center recommends the following:

  • Use a variety of strong passwords and ensure each account has its own unique password. A password manager can help users generate and safely store a variety of strong passwords in an encrypted file or vault that can only be accessed via one strong user-memorized password.

  • Enable multi-factor authentication (MFA) on every account that offers it as a security option. MFA reduces the risk of account compromise resulting from stolen credentials because an additional piece of information beyond a password is needed to access the account. Authenticator applications that generate a time-based one-time code for authentication and hardware authentication devices are the most secure options, but SMS-based authentication is more effective than not using MFA at all.

  • Set alerts on reputable breached credential databases to be notified if your email addresses and passwords have been discovered as part of a data breach collection so you can proactively change your accounts’ passwords.

  • Avoid using single sign-on (SSO) services if possible as they can pose major security and privacy risks. SSO can be a single point of failure that allows criminals access to multiple linked accounts and developer misconfiguration can expose more user data than necessary.

  • IT system administrators can implement anomaly detection tools that detect abnormal IP location and login attempts and implement challenge-response tests such as CAPTCHAs to thwart automated access attempts.
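
The anomaly detection recommended for administrators can build on the distinction drawn earlier: credential stuffing tries many usernames once each, while brute force tries many passwords against one username. The following Python is an added example, not NTIC code; the event tuple layout, the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_S = 300          # assumed sliding-window length in seconds
MIN_FAILURES = 6        # assumed minimum failures before a source is classified
MAX_TRIES_PER_USER = 2  # assumed: stuffing tries each stolen pair once or twice

def classify_sources(events, window_s=WINDOW_S):
    """Label each source IP using the failed logins in its busiest window.

    events: iterable of (timestamp_s, source_ip, username, success).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        best, start = [], 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most window_s seconds.
            while fails[end][0] - fails[start][0] > window_s:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < MIN_FAILURES:
            verdicts[ip] = "normal"
            continue
        tries_per_user = len(best) / len({u for _, u in best})
        # Many usernames, few tries each: known credential sets being replayed.
        verdicts[ip] = ("credential_stuffing"
                        if tries_per_user <= MAX_TRIES_PER_USER else "brute_force")
    return verdicts

def accounts_at_risk(events, verdicts):
    """Usernames that logged in successfully from a stuffing source."""
    return sorted({user for _, ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

def sample_events():
    """Constructed events using documentation-reserved IP ranges."""
    ev = [(1000 + 2 * i, "203.0.113.10", f"user{i}@example.com", i == 5)
          for i in range(8)]                       # 8 accounts, one try each
    ev += [(1000 + i, "198.51.100.7", "admin", False) for i in range(10)]
    ev += [(1000, "192.0.2.44", "alice", False),   # ordinary mistyped password
           (1030, "192.0.2.44", "alice", False),
           (1060, "192.0.2.44", "alice", True)]
    return ev
```

Accounts returned by `accounts_at_risk` are candidates for a forced password reset and session revocation. Because this check keys on source IP, it will miss the distributed, human-mimicking bots described earlier; the same tries-per-username ratio can be computed across all sources to flag a site-wide spike in single-try failures.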
