In recent years, there has been a lot of headlines surrounding a massive increase in credential stuffing attacks, which have victimized millions if not billions of individuals and a lot of companies. So, it’s very important for us to learn about this specific type of account takeover attack, and especially how we can prevent it.
Credential stuffing is actually a fairly straightforward cyberattack method, but preventing it is a different story. Here, we will discuss all you need to know about credential stuffing, how it is executed, and especially how you can protect your account and system from credential stuffing attacks.
What Is Credential Stuffing?
Credential stuffing is a type of account takeover (ATO) attack where the attacker already possesses a known (typically) stolen credential.
Billions of user credentials (username and password pairs) are circulating on forums and the dark web in recent years as a result of various high-profile data breaches on various organizations. In a credential stuffing attack, the attacker attempts (stuff) this known credential on other websites and accounts.
For example, a hacker might possess a known Gmail credential, then tries this credential on Instagram or Facebook. This is a credential stuffing attack.
The reason why credential stuffing is now very popular is that it works, and it works because many if not most of us are doing simple but very dangerous bad cybersecurity practice: using the same password on all our accounts. It is estimated that 55% of all internet users use the same credentials on most, if not all of their accounts.
Credential stuffing is not to be confused with credential cracking attacks, which are often also known as brute force attacks. In a credential cracking attack, the attacker doesn’t have a known credential so it relies on trying (brute-forcing) all of the potential combinations for the password.
While attackers/hackers can do credential stuffing manually as the technicalities behind it isn’t all that complex, typically they make the use of bots to perform the credential stuffing attack on hundreds or thousands of different websites per minute, much faster than human’s speed.
How Credential Stuffing Attacks Work
While the exact techniques used to perform the credential stuffing attack may vary, here is the typical scenario of a credential stuffing attack:
- Getting valid credentials: before anything else, the attacker must gain access to a known credential or a list of known credentials. For example, the attacker may purchase a list of legitimate credentials on the dark web.
- Preparing bots to perform the attack: with so many different websites and apps available, manually performing credential stuffing is simply not feasible for a human user. Instead, automation is the key. The attacker can either write their own bot program or use various ready-made credential stuffing bots like SNIPR, OpenBullet, and more.
- Masking their identity: many websites have implemented security measures to detect activities from malicious bots. So, the attacker must mask the bot’s identity to appear like legitimate human traffic on the victim’s website. The attacker can use various methods here, including using AI programming to let the bot imitate human-like behaviors, rotating between different IP addresses, and more.
- The attack: once the preparation is finished, the attacker can then launch the credential stuffing attack. The attacker can launch multiple (can be thousands) of login attempts with the help of the bot, and the objective is to obtain a list of successful login requests.
- Monetization: once the attacker gains login access, they look for opportunities to monetize the account. This can include stealing funds from banking accounts, making purchases on eCommerce sites, requesting credit card cash advances, and so on. In severe cases, attackers can use the credential to gain deeper access to a network/system, causing more significant damages like stealing company information or shutting down a system altogether.
How To Prevent Credential Stuffing
Now that we’ve properly understood how credential stuffing works, we can start putting the proper measurements to prevent the attack and protect our accounts:
1. Use Strong and Unique Passwords
An obvious but very important method to prevent credential stuffing is to make sure you use strong passwords and never use the same password on different accounts.
Your password should be at least 8-10 characters long and include a combination of lowercase, uppercase, symbols, and numbers, and you can use various password manager tools (including Google’s free password manager) to easily generate unique and complex passwords for each of your accounts.
2. Multi-Factor Authentication
A very effective measure to prevent credential stuffing attacks is multi-factor authentication (MFA) or also called two-factor authentication. MFA essentially asks for a second factor besides your password before you can access your account, which can be:
- Something you are: your face ID, retinal/iris scan, fingerprint, etc.
- Something you know: additional PIN, second password, etc.
- Something you have: USB key/dongle, a device to pair with, etc.
3. Implementing a Bot Management Solution
Since, as discussed, credential stuffing attacks are typically performed by malicious bots, by properly detecting and managing these bot activities we can effectively prevent these credential stuffing attacks.
However, bots are getting more sophisticated than ever. Many malicious bots are now using AI technologies to impersonate humanlike patterns and rotate between hundreds of user agents/IP addresses. This is why a sufficient bot management solution is required, and a credential stuffing prevention software by DataDome is our recommendation in protecting your system from these sophisticated bots from credential stuffing attacks.
Credential stuffing attacks exploit a very common mistake of using the same passwords on all our accounts. So, the first step in stopping these attacks is to make sure you are using strong and unique passwords on all your different accounts.
Since most credential stuffing attacks are made possible with the help of malicious bots, using DataDome to effectively detect and manage these bot activities is also a very effective solution in preventing credential stuffing attacks and protecting your data.