What is credential stuffing?
Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached. Because people tend to recycle login credentials across multiple unrelated services, once hackers have account information for one app or website, there’s a chance they can log into increasingly valuable accounts.
Credential stuffing attacks can be very costly; in fact, the Ponemon Institute puts the cost to businesses at an average of $6 million per year, and this figure doesn’t include the reputational damage to organizations and the financial losses victims suffer.
The Cloud Threat Landscape
A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques
Explore
Credential stuffing vs. brute force attacks
OWASP categorizes credential stuffing as a subset of brute force attacks because they both involve the use of bots to illegitimately log into accounts. However, there are important differences between credential stuffing and brute force attacks:
| Characteristics | Credential stuffing | Brute force attacks |
|---|---|---|
| Technique | Using credentials from previous data breaches to log into other systems and networks | Randomly trying various common password combinations against a single user account |
| Weakness exploited | Reusing passwords across multiple apps | Using weak or default passwords |
| Detection mechanism | Repeated failed login attempts and suspicious/unauthorized account activity | Repeated failed login attempts, and to a lesser extent, suspicious/unauthorized account activity |
Brute Force Attacks
A brute force attack is a cybersecurity threat where a hacker attempts to access a system by systematically testing different passwords until a correct set of credentials is identified.
Read more
How do credential stuffing attacks work?
Credential stuffing is often a prelude to account takeovers (ATO) and other, more sophisticated attacks. Here’s how it works:
Stage 1 - Collecting data: The threat actor acquires username/password pairs from a previous data breach, a man-in-the-middle attack, the dark web, or a phishing attack.
Stage 2 - Setting up automation: The hacker deploys bots to test the credentials against as many apps and websites as possible. The credentials are typically obtained from one service and used on other unrelated services.
Stage 3 - Attacking: The hacker filters the lot, gathers the successful login attempts, and stores the credentials that have been confirmed as valid.
Stage 4 - Executing the goal: The threat actor carries out the goal(s) of the attack. This may vary depending on the target:
Organizations: Targets administrative accounts to move laterally within the system, conduct further attacks (e.g., malware and ransomware attacks), or steal patents/trade secrets
Email and social media services: Accesses personal and business accounts in messaging services to instigate phishing and social engineering attacks on victims’ trusted contacts
Credential trading: Validates credentials to resell at higher values to other threat actors
How dangerous are credential stuffing attacks?
Also known as credential dumping, most cybercrime statistics estimate the success rate of credential stuffing attacks at a very low 0.1% to 4%, meaning only somewhere between 1 in 1,000 and 4 in 100 attempts will succeed. Yet they remain a favorite of threat actors and are very dangerous to both customers and enterprises because
They are cheap and require minimal tech expertise to conduct; with very little investment, cybercriminals can gain access to high-value accounts.
Cybercriminals can deploy automation scripts and bots to conduct large-scale attacks and circumvent web application security mechanisms like IP blocking.
Credential databases are readily available to hackers; over 24 billion username/password pairs are currently in circulation on cybercrime hubs.
Examples of credential stuffing attacks
The 2022 PayPal credential stuffing attack
Between December 6 and December 8, 2022, cybercriminals stole approximately 35,000 PayPal customers’ personal identifiable information (PII), including full names, social security numbers, tax identification numbers, and credit and debit card details. When PayPal discovered the attack, they immediately instigated measures to close their security gap. By the end of January 2023, PayPal urged password changes and two-factor authentication (2FA) for all affected customers. Still, these PayPal account holders may have reused the compromised credentials on other unrelated services, rendering those accounts vulnerable.
The 2023 23andMe credential stuffing attack
Using credentials obtained from previous data breaches, a set of attackers accessed close to 14 million 23andMe user accounts. The US-based genetic testing company did not discover the attack for five months. This gave the hackers plenty of time to steal PII and PHI (such as DNA information, genotypes, family trees, home addresses, and birthdates) belonging to 6.9 million users and their relatives. Though 23andMe immediately enforced password changes across all user accounts, the attackers successfully released most of the stolen records on the dark web, leading to class action lawsuits against the company.
So how could these attacks have been prevented?
Recommendations for preventing credential stuffing attacks
The OWASP Credential Stuffing Cheat Sheet suggests several prevention mechanisms, including the following:
1. Monitor user activity
The first step to preventing credential stuffing attacks is to monitor user accounts for suspicious or anomalous activity. Watch out for unexpected traffic volume spikes (e.g., too many login attempts at once), resource consumption hikes, faster-than-usual credential entry, failed login attempts, and lateral movement. Robust monitoring requires automated cloud security solutions that enable complete visibility into cloud activity and continuously scan software environments for threats.
2. Use bot-detection mechanisms
Attackers often deploy bots to conduct large-scale attacks. To stop the bots in their tracks, implement bot-detection and deception mechanisms such as CAPTCHAs, puzzles, and honeypots. These can be triggered for high-risk accounts or when anomalous activities are observed. The downside of bot detection techniques is that advanced bots may be able to evade one or more of them. But the good news is that many kinds of free and paid bot-detection software use a combination of these mechanisms, making it very difficult for bots to evade them all.
3. Implement MFA
Multi-factor authentication (MFA) prevents hackers from accessing user accounts, even when they have the correct credentials. The credentials can come from two or more of the following categories: something the user knows (think security questions, passwords, and pins), something they are (like fingerprints or facial recognition), and something they have (for example, physical security keys or OTPs—one-time links or a code sent via email or SMS).
However, the extra time and effort MFA requires may be frustrating for users. To balance security and convenience, implement MFA
As a re-authentication mechanism—before allowing logged-in users to purchase items, transfer funds, or perform other privileged activities.
Alongside user-activity monitoring and bot detection. This way, when bots or suspicious login attempts are discovered, MFA is automatically triggered.
4. Enforce the use of unique credentials
Stop users from reusing credentials by comparing username/password pairs entered during account sign ups to compromised credentials in free or paid credential databases. This is standard protocol in the OWASP Application Security Verification Standard (ASVS) version 4.0. However, users may be reusing compromised credentials that are not yet available in third-party vendor databases, so it can be a good idea to provide users with unpredictable auto-generated usernames.
5. Leverage password-free authentication
Another prevention tactic is to totally abandon passwords in favor of alternative authentication mechanisms such as OTPs, biometrics, and tokens. Considering the limitations associated with enforcing the use of unique credentials, enterprises can opt for these kinds of password-free authentication instead.
6. Integrate obfuscation techniques
Adopt obfuscation mechanisms such as encryption, salting, and hashing to make passwords unreadable to hackers and bots. Encryption converts plaintext passwords into decryptable ciphertexts, hashing scrambles plaintext into undecryptable ciphertexts, and salting adds random characters to plaintext passwords before they are hashed. These techniques protect your passwords as they travel from clients to servers or sit in storage databases.
7. Scan for and alert on anomalous activity
Nip attacks in the bud by notifying users when anomalous activities are detected. Include details such as the time or location of the suspicious activity. Additionally, scan all accounts for the possibility of other ongoing illegitimate activity whenever one or more users reports fraudulent activities.
One caveat: Use notifications sparingly because frequent anomaly notifications may desensitize users.
8. Develop an incident response plan
Have a quick, tried-and-tested incident response plan in place that includes containment, investigation, resolution, notification, and password resets. Slow incident response can lead to more devastating consequences, lawsuits, and fines—and enforcing password changes is crucial to prevent repeat attacks.
How Wiz can help
Credential stuffing attacks are becoming increasingly rampant and sophisticated, with steep financial and reputational costs to organizations. Unfortunately, no single tool or prevention mechanism can fully stop them. However, a combination of user-activity monitoring and other prevention mechanisms can serve as effective deterrents.
Wiz’s cloud security platform is a great place to start. Wiz provides a comprehensive security analysis that includes the inspection of cloud entitlements and configurations, which can help in detecting and preventing credential stuffing attacks. By evaluating effective permissions and identifying misconfigured identity authentication methods, Wiz can help organizations understand the scope of exposure of sensitive data and detect highly privileged or administrator permissions that may be at risk of being exploited in credential stuffing attacks.
Additionally, Wiz's ability to analyze local user configurations for weak passwords and last activity can aid in identifying accounts that may be vulnerable to such attacks. By providing visibility into all cloud identities, users, groups, service accounts, and roles, security teams can inspect the entire identity stack and take steps to harden their security posture against credential stuffing and other identity-related threats.
Learn why CISOs at the fastest growing companies choose Wiz to help secure their cloud environments.
