Credential stuffing attacks are common causes of data breaches. Here we explain what a credential stuffing attack is, why they are often successful, and steps that can be taken to stop these attacks from succeeding.
What is a Credential Stuffing Attack?
Credential stuffing is a type of brute force attack – an attack where multiple attempts are made to guess a correct password. In a traditional brute force attack, a threat actor tries to gain access to a single account using all possible combinations of passwords, starting with weak and short passwords before moving on to longer, more complex passwords.
Any account that is secured with a password and does not have any other authentication mechanisms in place can be brute-forced, given sufficient time. Accounts with weak passwords can be accessed almost instantly whereas attacks on accounts with long and complex passwords could take many years.
A credential stuffing attack can significantly shorten the time it takes to guess the correct password. In contrast to a traditional brute force attack where all passwords are attempted, a credential stuffing attack uses known username and password pairs that have been previously obtained in data breaches. Those username and password combos are then used to try to access accounts at an unrelated company.
For instance, let’s say Netflix suffered a data breach in which usernames and passwords were stolen. That list of credentials could then be used in an automated campaign targeting Chase Bank customers. The attacker assumes that at least some Netflix customers have accounts with Chase Bank and that some of those customers have used the same passwords and usernames for both accounts. Credential stuffing attacks will be conducted on hundreds of different companies by many different threat actors using the same credentials – Lists of compromised credentials are often traded on hacking forums.
While the success rate for credentials stuffing attacks is low – many estimates put the success rate at 0.1% or less – at scale, these attacks are successful enough to make them worthwhile. If an attacker has a list of 1 million username and password combinations, they would be able to access 1,000 accounts. The accounts that can be accessed could yield valuable information, such as names, addresses, Social Security numbers, and dates of birth that could be used for identity theft. They may contain bank account information and credit card numbers, or information that could be used to conduct convincing spear phishing attacks.
Since credential stuffing attacks are performed by bots, the effort required is relatively low. The software used for credential stuffing attacks can get around common security features such as account lockouts as multiple IP addresses from different device types are attempted simultaneously, blending the attack in with regular traffic.
Credential stuffing attacks are often conducted on websites and they are a popular attack vector, helped by a constant supply of credentials from the huge number of data breaches that are now occurring.
Credential Stuffing vs Password Spraying
Credential stuffing attacks are common, but they are far from the only type of brute force attack. Another common attack is referred to as password spraying, which does not require an attacker to purchase or otherwise obtain username/password combos. Password spraying refers to a brute force attack on multiple accounts using small numbers of passwords.
In a password spraying attack, lists of commonly used passwords are attempted one at a time on a large number of accounts. After the first round, a second password is attempted, and so on. This process can get around security features as the login failures for each account will occur slowly, given a sufficiently large number of accounts to target.
How to Prevent Credential Stuffing Attacks
Credential stuffing attacks work for one reason – People often reuse passwords on multiple accounts. The percentage of people who use the same password for more than one account is incredibly high, with some estimates suggesting that figure may be as high as 85%. If a username and password are compromised in a data breach, all other accounts that use the same username and password combination are at risk.
The solution is simple. Set a unique password for every account, as credential stuffing attacks cannot succeed if unique passwords are created for all accounts. To ensure other brute force tactics are not effective, ensure that the password is long and complex. Since long and complex passwords are hard to remember, the easiest solution is to use a password manager.
A password manager includes a secure password generator that will generate a long, complex, and unique password for all accounts. Those passwords will be stored securely in the user’s password vault. When the user visits a website or service, the password manager will autofill the password so it does not need to be remembered or typed in.
Some password managers provide even greater protection against brute force attacks. Bitwarden, as an example, also has a username generator for generating a unique username for each account in addition to a secure password.