What is Credential Stuffing? A Complete Guide

Credential stuffing is estimated to cost each business an average of $2.7m a year. With market value growth in digital commerce, e-commerce and online services exceeding $278bn.

The expansion of the digital economy has led to growing digital crime. Automated attacks like credential stuffing impact millions of businesses around the world. But many companies don’t have the right security measures in place to protect their websites, apps, and customers from credential stuffing attacks.

Find out what credential stuffing is, whether you’re at risk, and what you can do to prevent it from compromising your online business.

What is credential stuffing?

Credential stuffing is a type of automated cyberattack. Criminals steal or purchase usernames and passwords en masse from the dark web, then use the stolen credentials to gain unauthorized access to user accounts.

Credential stuffing has emerged as a major cybersecurity problem across the globe. Credential stuffing attacks are constant because of the frequency of data breaches, the success of phishing, and fast monetization of credentials using automation. This in turn creates a vicious cycle through which organizations suffer intrusions in pursuit of credentials and credential stuffing in pursuit of profits.

Why are credential stuffing attacks problematic?

By using swathes of personally identifiable information (PII) sourced often illegally on the dark web, credential stuffing attacks are targeted, specific, and on the increase, placing your business under pressure to stop them. As breaches of personal data directly impact one business the indirect ripple effect can be disastrous for customers and similar businesses as attackers look to exploit the data they have to gain unauthorized access to customer accounts on other company websites, apps and services.

When a credential stuffing attack is successful, hackers gain access to a user’s account, and enables them to commit fraud. Once an attacker is inside they can monetize compromised accounts because they have access to linked bank accounts, personal data and credit cards that they can use for identity theft.

1. Attackers already know credential stuffing works.

Because many people use the same username and password across services, malicious actors can use credential pairs to brute force their way into your customers’ accounts. Prying on less digitally secure online users.

2. Login attempts can be automated at scale

Sophisticated bots with advanced defense bypass tools can easily test thousands of credential pairs on your login page each minute. With advances in AI the complexity and effort in carrying out such attacks as been made more manageable and cost effective. Even a small success rate with credential stuffing tactics for the attacker can spell disaster for your customers.

3. Successful attacks can cause reputational damage and outages

Failing to stop large-scale bot attacks like credential stuffing attacks not only damages your brand and its reputation if successful, but it can also increase the likelihood of your mobile, website, and APIs becoming inoperable due to your infrastructures inability to handle unexpected spikes in traffic or automated requests.

How do Credential stuffing attacks work?

Credential stuffing attacks use lists of leaked usernames, and passwords to continually test credential combinations through automation, until they breach a system. Usernames and passwords are easily accessible in mass data dumps consisting of millions of credentials amassed from years of data breaches. Although some of the data is likely to be stale and unusable, there will be plenty of users that have not updated their passwords in a while and whose accounts are open to attack. Once an attacker has successfully accessed one account, each of the consumer’s accounts using same password are vulnerable to exploitation of the PII it contains. In many cases the PII will be sold on or the account itself will be sold.

A typical credential stuffing attack process by an attacker may look like:

• Creation of a bot that is capable of automatically logging into multiple user accounts in simultaneously whilst faking or rotating IP addresses.
• Executes an automated process using stolen credential details to check if they work across multiple websites. This is automated to avoid repeat logins and allows attackers to quickly verify success.
• Successful login attempts are then monitored, compromised accounts are then datamined for any personal identifiable data, credit or payment method information.
• Compromised account information is either retained for use or sold on.
• Compromised data can be used to carry out future attacks such as phising, payment fraud, account takeover, fake account creation or identify theft.

Credential stuffing attacks vs Brute force attacks Key differences

Credential stuffing is similar to a brute force attack, but there are several clear differences:

• Brute force attacks will try to guess credentials without context, using commonly used password patterns, random strings, and dictionaries of common phrases
• Brute force attacks succeed if users choose simple, guessable passwords
• Brute force attacks lack context and data from previous breaches, making their login success rate much lower

In modern web applications with more basic security measures in place, brute force attacks might fail – but credential stuffing attacks often succeed.

Why do credential stuffing attacks happen?

Credential stuffing is one of the easiest ways for hackers to verify online account details. They can then:

• Steal money directly if they manage to access bank accounts or other financial services
• Defraud customers by stealing their identities or other personal information
• Get valuable data to sell or ransom for large amounts of money
• Steal high-value assets like frequent fliers miles and other loyalty reward points.

How common are credential stuffing attacks?

Credential stuffing attacks are on the rise — and they’re getting more successful, too. People sign up for more online accounts every day, with 52% admitting to using the same password for multiple accounts. Password managers are designed to mitigate this problem, but many people worry about storing all their passwords in one place.

Resetting and remembering different passwords is difficult and annoying, so it makes sense that customers use the same password over again. But reusing passwords increases the chance of a successful credential stuffing attack — it means that if hackers get hold of your sole password, credential stuffing can potentially give them access to all your online accounts.

What are the risks to your businesses

With the development of increasingly sophisticated bots, brute force attacks are becoming more successful and more frequent. And it’s not just customers who are at risk from these automated attacks.

Businesses can also see huge financial losses and even closure as a result of credential stuffing attacks. Major risks include:

• Fines and penalties — negligent privacy practices can result in privacy and data breaches that cost businesses millions of dollars
• Website downtime — large-scale attacks can force your website or app offline, meaning genuine users and customers can’t access your services
• Reputation damage — compromised credentials cause anxiety and stress for customers, ultimately damaging their confidence in your business.

How to detect credential stuffing attacks

It’s not always easy to spot a credential stuffing attack. Vigilant detection methods, continuous monitoring, and decisive action are needed to identify and eliminate threats.

Signs of an attack include:

• A high number of failed login attempts
• A high number of login attempts from unusual locations
• A high number of login attempts from IP addresses on blocklists
• An unexpected surge in traffic to your login page
• A higher than usual CAPTCHA test failure rate.

While you can use Google Analytics and other website monitoring tools to track these metrics, using a dedicated bot analytics platform makes it easier and faster to see and stop credential stuffing attacks.

Credential Stuffing Prevention

There are a range of measures available to help protect your attack surface from credential stuffing attacks:

Multi Factor Authentication (MFA)

MFA requires users to authenticate themselves using a device they have using information they know. Often seen as the strongest defence against credential stuffing. Bot operators are unable to use a physical verification method such as a mobile device. MFA controls can also be combined with other detection techniques such as IP or device fingerprinting, effectively offering an additional layer of protection when there is a higher element of risk detected.

Captcha

CAPTCHA requires users to overcome a challenge to prove they are human and not a bot. This can reduce the effectiveness of attacks. CAPTCHA is a visible form of defence and as a result is easily bypassable by attackers. CAPTCHA farms are regularly used by bot operators to overcome such defenses. CAPTCHA can also be applied as a multi layer protection in combination with other methods. At Netacea we believe this should be a soft additional layer but not your only defense.

IP Blacklisting

Known attacker IPs can be blacklisted or blocked when multiple login attempts are detected or attempts are made from the same pool of IPs into multiple user accounts. By tracking IP activity and regularly updating IPs from known attacks you can build a defense over time. However IPs used by bot operators are susceptible to change and without close scrutiny of traffic behaviour it can be hard to spot.

There are also readily available data feeds that provide threat intelligence of known IP addresses. These feeds offer more robust forms of defense to ensure you are up to date. Explore Netacea’s bot threat feed for more information on what Netacea provide.

Rate Limiting

By limiting the flow of requests from certain traffic sources within a given timeframe you can easily gain control over network traffic that is almost certainly automated or potentially malicious. Identifying and limiting this traffic source vs genuine user traffic allows for more careful control of key path requests to reduce the chances of abuse, use of service or DDOS attacks. Common data sources such as AWS or commercial data center traffic is easily identifiable within modern network monitoring tools.

Stronger Account Hygiene Controls

By stipulating and preventing multiple use of email addresses as usernames or vice versa, the ability for attacks to be successful is reduced. With stronger controls around passwords and the need for certain lengths, character use and so forth help users falling into simple habits and using the same username and password that they may have in use elsewhere. Many browsers now offer the ability to use strong passwords that are automatically generated and proposed to the user. These suggested passwords can also be stored within password managers or encrypted keychains to aid user adoption.

Device fingerprinting

With the use of identifiable JS code, information from users devices can create an identifiable digital fingerprint on each session. Fingerprints usually form a combination of device operating system, browser, language settings, time zone, location data, user agents, http request headers and or IP address.

How to protect your business from credential stuffing attacks

Measures like multi-factor authentication, CAPTCHA, and device fingerprinting offer limited protection from credential stuffing attacks. You can also put password protection measures in place, and warn users against using the same passwords across multiple sites. But these solutions add barriers for genuine users as well as bots, reducing legitimate login attempts and conversions.

The best way to protect your site from bot attacks is to implement a bot management system. Bot management software allows you to monitor your site traffic in real-time, and block bots rapidly before they can attempt a credential stuffing attack.

This anti-bot solution also protects your site from other bot attacks, such as DDoS, scalping, scraping, and carding. It’s an easy way to ring fence your website against all kinds of automated threats.

The future of credential stuffing

Credential stuffing risks are on the rise. As more business is conducted online, bots are becoming more sophisticated and evasive. Plus, regulatory penalties are getting stricter, so there’s more reason than ever for businesses to take online security and data protection seriously.

To stay ahead of the curve, you need a bot management system that can keep up with increasingly advanced bot developments. Find out more about the dangers of credential stuffing bot attacks and how to tackle this growing problem.

How Netacea helps stop credential stuffing attacks?

Netacea Bot Protection is trusted by brands to detect and stop credential stuffing attacks across websites, apps and APIs. With a single agentless deployment Netacea can monitor all traffic source intent to identify and stop credential stuffing attacks in real-time. With our defensive AI Netacea can adapt to credential stuffing attacks as they evolve, which means you have a more proactive and resillient layer of defence to secure your business and customers without needing to worry about manual updates, multiple deployments and lost time keeping pace.

How Netacea’s defensive AI prevents credential stuffing

Our Intent Analytics™ Engine, powered by machine learning, focuses on what the bots are doing and not just how they are doing it, so malicious bots are hunted out and genuine users are always prioritized. We are then able to dynamically assess what constitutes ‘normal’ behavior over time, by path or location within the website. This allows us to build an accurate model in the context of actual behavior, while providing you with the actionable intelligence you need, when you need it, so you’re empowered to make smarter decisions about your traffic.

Learn more about how to stop credential stuffing attacks with Netacea here.