What is credential stuffing? And how to prevent it?

Pierluigi Paganini March 29, 2022

This post explains what a credential stuffing attack is and which countermeasures prevent it.

A credential stuffing attempt can be caught as a behavioral anomaly – if you’re looking. Earmarked by the FBI as a particular threat to the financial service industry just over a year ago, the increase of internet traffic, data breaches and API usage all contribute to the perfect conditions for successful credential stuffing attacks. Here’s what you need to know about how they work, and how you can stay safe. 

What is credential stuffing?

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration. In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

Why is it so prevalent now?

It’s now easier and more economical than ever to come by lists of compromised credentials (many are posted free on hacker forums) and run low-sophistication credential stuffing attacks. Tooling-wise, hackers are also turning the same efficient resources that defenders use to automate and defend towards automating the attack. These upgraded capabilities include scripting and automation tools, APIs and traffic throttling (to disguise brute force attacks as legitimate traffic).

Also, with the massive push to remote work, XaaS technologies and the rush to the convenience of apps, companies are relying heavily on APIs which are often underprotected. They aren’t customer-facing, and there seems to be a lag in protection owing to that. “Out of sight, out of mind” apparently does not apply to eager cybercriminals, however. And, there remains general bad hygiene surrounding the creation of usernames and passwords, with many being reused over multiple websites. That is the primary way – and indeed the premise upon which – credential stuffing works. You can’t access an account with recycled credentials if there aren’t any.

How credential stuffing attacks work

Here are several steps an attacker could take to implement a successful credential stuffing campaign:

  • Scope out the target and its APIs. Bad actors will look for hosting servers, domain names and vulnerable API endpoints. Over 50% of records breached over the last few years came from apps and APIs.
  • Gather a database of stolen credentials. These lists of pilfered usernames and passwords serve as the ammunition for the attack. If a username and password pair has been reused wholesale, it’s an automatic way in. If only one half has been reused, brute forcing can more easily find out the other.
  • Build tooling that is automated and unsuspicious. Automated tools or scripts then try the stolen credentials against access points until one of them works. Most hackers make this look like legitimate user activity by limiting the number of attempts per hour.
  • Launch attack. It is common for attacks to be launched from the cloud, or various geolocations, to evade detection.
  • Learn from results and pivot to ATO. Hackers will check for success codes and often code all results into their automation tooling to make the attack ever more efficient in the future. Once they have obtained a workable login, ATO is achieved and data compromise begins.

How to stop credential stuffing attacks

Here are some primary methods for preventing credential stuffing attacks:

  • Multi-Factor Authentication (MFA). “Credential stuffing relies on automation scripts and tools that cannot easily provide additional factors of authentication, particularly mobile phone authenticator tokens or 2FA tokens sent through alternate channels such as email or SMS,” Salt Security says in its recommendations for how to defend against credential stuffing.
  • Good password hygiene and password managers. “If a password is weak or reused across multiple accounts, it will eventually be compromised,” content delivery network Akamai concluded in its State of the Internet report.
  • Runtime behavior analysis. Determine a baseline and identify abnormal behavior. In addition to warning of nefarious activity, it can protect APIs against data scraping, commonly used in credential stuffing attacks.

Secondary methods include:

  • CAPTCHA. Completing a CAPTCHA for each access attempt deters password sprays and nefarious logins. Although there have been cases of “CAPTCHA for hire”, adding on any additional costs reduces the ROI (and incentive) of the attackers.
  • Block-listed IPs. Basic attacks can pull from a small pool of IPs, which can be blocked after several failed login attempts. Public IP block lists are also out there, and you can add those to your list.
  • Fingerprint device. A device fingerprint is matched to your browser, and if the two ever don’t correlate, you’ll be prompted for additional verification. In that event, you should probably also change your password.
  • Provide unpredictable usernames. Instead of allowing email addresses which can be easily found (and guessed), require a distinct and secure username. You can provide a generated (not generic) username to improve user experience.

According to OWASP, a nonprofit dedicated to making software safe, “In isolation none of these [secondary measures] are as effective as MFA, however if multiple defenses are implemented in a layered approach, they can provide a reasonable degree of protection.” It’s important to note that, to avoid disrupting the user experience, secondary methods of authentication can be employed on suspicious login attempts only.

Proactive Defense

Credential stuffing is a systemic problem with a simple solution. If everybody changed their logins tonight, the issue could be solved by morning. Failing that, best practices can be put in place and do succeed. MFA, CAPTCHA and limits on your API go a long way to discouraging hackers and securing access. However, the most effective proactive defense is to track traffic over time: that identifies anomalous patterns and points towards an attempted attack, even when other methods fail to do so. 
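The runtime behavior analysis item above and this paragraph both come down to the same check: compare recent login traffic against a baseline and look for sources that try many different accounts with an unusually high failure ratio, even when they throttle their rate. The following is an added example, not code from the article or from any vendor it cites; the log format, the baseline failure rate and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2022-03-29T10:00:01 203.0.113.7 alice FAIL
2022-03-29T10:00:09 203.0.113.7 bob FAIL
2022-03-29T10:00:17 203.0.113.7 carol FAIL
2022-03-29T10:00:26 203.0.113.7 dave OK
2022-03-29T10:00:35 203.0.113.7 erin FAIL
2022-03-29T10:01:03 198.51.100.20 alice FAIL
2022-03-29T10:01:10 198.51.100.20 alice OK
2022-03-29T10:02:00 192.0.2.55 grace OK
"""
BASELINE_FAIL_RATE = 0.10  # assumed share of failed logins on a normal day (constructed)

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(hours=1), min_attempts=5,
                    min_distinct_users=5, fail_threshold=0.5):
    """Flag sources whose recent traffic looks like credential stuffing: many *distinct*
    usernames (a real user retries one account) with a failure ratio far above baseline.
    Successes from a flagged source are reported as probable account takeovers (ATO)."""
    if not events:
        return {}
    start = max(e[0] for e in events) - window
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": set()})
    for ts, ip, user, ok in events:
        if ts < start:
            continue  # outside the trailing analysis window
        s = per_ip[ip]
        s["attempts"] += 1
        s["fails"] += not ok
        s["users"].add(user)
        if ok:
            s["ok"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and fail_rate >= max(fail_threshold, 3 * BASELINE_FAIL_RATE)):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_rate": round(fail_rate, 2), "probable_ato": sorted(s["ok"])}
    return flagged
```

Accounts listed under `probable_ato` are the ones to step up (re-authenticate or force a password reset) rather than simply blocking the source, since a distributed attack will move to a new IP anyway.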

About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites. 
