What is a Credential Stuffing Attack

Look around, and you will find abundant stories of Cybercrime flooding the internet World. Attackers are finding newer ways to steal private customer data from businesses and using them for their own financial benefits. The consequences are even worse for companies whose business itself is solely based on the internet. The Akamai’s State of the Internet report says that over 8.3 billion malicious login attempts were identified in May and June this year. These are nothing but Credential Stuffing Attacks. Let’s learn more about it.

What is Credential Stuffing

While creating a password for your online credit card or internet banking account, you are often asked to create a strong password consisting of a capital letter, special character, number, etc.  Do you come up with something complex as aXZvXjkdA(0LJCjiN? The answer could well be a “No”.

Usually, we try and come up with something that we can remember easily. For instance, [email protected], which, though satisfies all the preconditions of making a password like it contains a capital letter, a number, and a special character – still is not the password that is hard to break nowadays. It’s worse when you use your birthdates, favorite movie names, favorite Basketball player names, spouse name or even your toddler’s name in your passwords. If this was not enough, we tend to use the same passwords for multiple site logins.

Now if even one of the site that you log in is breached by attackers, your login credentials stand exposed and ready to be exploited.

Attackers can then take your credentials and supply them into an automated tool. This tool can then run those accounts against a target site to see what credentials will work. Think about what they can do if they can gain access to a retail site or worse, your banking site? They are stealing sensitive information or even worse, transfer money to other accounts they create. This whole activity of fraudulently gaining access to others account is called as Credential Stuffing.

With Credential stuffing attack an attacker can use automated scripts and bots to try each credential against a target web site. It uses breached credentials in order to fraudulently gain access to online accounts, and can be considered to be a subset of Brute Force Attacks.

Targets of Credential Stuffing

Apart from a normal Internet users, Credential Stuffing attacks are aimed at organizations in a variety of industries like banking, financial services, government, healthcare, education and more.

Consequences of Credential Stuffing attacks

Victims of Credential Stuffing attacks face financial as well as other tangible losses. Here are some of them:

1. Reputation loss

Almost all businesses store some amount of personally identifiable information on employees or customers, and these companies are legally obligated to protect this information. In case of an information breach, the company is bound to face reputation loss in the market.

2. Regulatory Fines

Leaked customer data or business information can often invite regulatory fines. Governments and regulatory bodies can levy stiff fines based on the severity of the breach. These financial burdens can add up and devastate businesses of all sizes.

3. Operational costs

Companies are bound to incur operational costs due to investigations, remediations, and customer management arising out of Credential Stuffing attacks. The cost can scale to millions, depending on the scope of the attack.

4. Customer loss

Customer loss is revenue loss, and most companies are likely to lose customers if they are unable to protect their sensitive business data.

How to prevent Credential Stuffing attacks

Taking some basic precautions is the best way to protect from Credential Stuffing attacks. Here is what all you can do:

1. Best practices for passwords – Adopt best practices when it comes to password management. Set strong and unfamiliar passwords and change them continuously. Also, do not use the same password for multiple logins.
2. Use VPN – With remote access becoming a way of doing business, use of VPN is necessary. A VPN software allows for a secure network connection even on unsecured networks so that employees can safely use their credentials to access the company network from wherever they are.
3. Two-factor authentication – Logins that follow a two-factor authentication offer great protection because the second access code is not stored in a database and hence cannot be trapped. In Two-factor authentication, a password is sent to phone or email and is valid only for 60 sec. This essentially downgrades credential-stuffing attacks to distributed denial of service threats, and hence they cannot penetrate that network’s defenses.
4. Firewalls – Firewalls identify malicious traffic and block the source IP address, shutting down the attack from the source.

Stay safe!

Heard of Password Spray Attacks by the way?