Why Are Credential Stuffing Attacks On The Rise?
Part of the difficulty in hardening your cybersecurity posture is that today's attackers have so many tools and attack methods at their disposal, ranging from the crude to the highly sophisticated. A single weak point is enough. Credential stuffing, an automated attack that replays credentials stolen in earlier breaches and is usually grouped with brute force attacks, continues to grow in popularity, and this article explores why.
What is Credential Stuffing?
Credential stuffing attacks take username and password pairs stolen in previous data breaches and replay them, at scale, against the login pages of other services. In terms of sophistication they fall into an interesting category. The core technique is brute force, in the sense of trying logins until one works, but attackers deploy automated tools and botnets to scale the attack and to spread the attempts across thousands of source IP addresses, so that no single address triggers the lockout or IP-blocking rules that would catch repeated failed logins from one computer. Unlike a classic password-guessing attack against one account, each account typically sees only one or two attempts, which is why per-account lockout alone does little to stop it. (Check out Salt Security's resource for a far more detailed look at how credential stuffing works and how to defend against it.)
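As an added illustration (example code written for this page, not taken from the article or from any vendor's product), the following Python script shows what the "spread across many addresses, one attempt per account" pattern looks like in an authentication log and how a simple detector separates it from a single user mistyping a password or from a one-source guessing attack. The log lines, IP addresses and usernames are constructed, and the thresholds are assumptions that would need tuning against a real site's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (fabricated IPs, usernames and timestamps), one
# event per line: "<ISO-8601 UTC timestamp> <source IP> <username> <SUCCESS|FAIL>".
# Lines 1-12 mimic a stuffing run: one attempt per account, each from a different
# address, mostly failing. Lines 13-15 mimic a genuine user mistyping a password.
SAMPLE_LOG = """\
2021-10-04T10:00:01Z 198.51.100.10 alice FAIL
2021-10-04T10:00:01Z 198.51.100.11 bob FAIL
2021-10-04T10:00:02Z 198.51.100.12 carol FAIL
2021-10-04T10:00:02Z 198.51.100.13 dave SUCCESS
2021-10-04T10:00:03Z 198.51.100.14 erin FAIL
2021-10-04T10:00:03Z 198.51.100.15 frank FAIL
2021-10-04T10:00:04Z 198.51.100.16 grace FAIL
2021-10-04T10:00:04Z 198.51.100.17 heidi FAIL
2021-10-04T10:00:05Z 198.51.100.18 ivan FAIL
2021-10-04T10:00:05Z 198.51.100.19 judy FAIL
2021-10-04T10:00:06Z 198.51.100.20 mallory FAIL
2021-10-04T10:00:06Z 198.51.100.21 olivia SUCCESS
2021-10-04T10:30:00Z 203.0.113.5 alice FAIL
2021-10-04T10:30:20Z 203.0.113.5 alice FAIL
2021-10-04T10:30:45Z 203.0.113.5 alice SUCCESS
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Turn the constructed log format into (seconds_since_epoch, ip, user, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        secs = int((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") - EPOCH).total_seconds())
        events.append((secs, ip, user, result == "SUCCESS"))
    return events


def window_features(events, window_seconds=300):
    """Bucket events into fixed windows and compute the features that separate
    a distributed stuffing run from ordinary failed logins."""
    buckets = defaultdict(list)
    for secs, ip, user, ok in events:
        buckets[secs // window_seconds].append((ip, user, ok))
    features = []
    for key in sorted(buckets):
        rows = buckets[key]
        per_ip, per_user = defaultdict(int), defaultdict(int)
        for ip, user, _ in rows:
            per_ip[ip] += 1
            per_user[user] += 1
        attempts = len(rows)
        features.append({
            "window_start": EPOCH + timedelta(seconds=key * window_seconds),
            "attempts": attempts,
            "fail_ratio": sum(1 for _, _, ok in rows if not ok) / attempts,
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),   # stuffing stays under per-IP lockout
            "distinct_users": len(per_user),      # stuffing touches many accounts once each
            "succeeded": sorted({u for _, u, ok in rows if ok}),
        })
    return features


def detect_credential_stuffing(text, window_seconds=300, min_attempts=10,
                               min_fail_ratio=0.8, max_per_ip=2, min_user_spread=0.8):
    """Return one alert per window matching the stuffing signature. The thresholds
    are assumptions for this example, not recommended production values."""
    alerts = []
    for f in window_features(parse_log(text), window_seconds):
        if (f["attempts"] >= min_attempts
                and f["fail_ratio"] >= min_fail_ratio
                and f["max_per_ip"] <= max_per_ip
                and f["distinct_users"] / f["attempts"] >= min_user_spread):
            # Accounts that logged in successfully inside a stuffing window are the
            # ones whose reused password was just confirmed: reset them and notify.
            f["likely_compromised"] = f["succeeded"]
            alerts.append(f)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(f"{alert['window_start']:%Y-%m-%d %H:%M} attempts={alert['attempts']} "
              f"ips={alert['distinct_ips']} fail_ratio={alert['fail_ratio']:.2f} "
              f"likely_compromised={alert['likely_compromised']}")
```

The point of the feature set is that per-IP and per-account counters, which is what most lockout rules look at, stay flat during a stuffing run; only the aggregate view (many accounts, many addresses, one attempt each, high failure rate) exposes it. The successful logins inside a flagged window deserve the most attention, since they are the reused passwords the attacker has just validated.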
An advisory the FBI sent to financial institutions demonstrates just how serious the problem of credential stuffing is becoming. The document says that since 2017 the FBI has received numerous reports of credential stuffing attacks on financial institutions, collectively detailing nearly 50,000 account compromises. The bureau puts the approximate cost to the affected companies at $6 million.
Why Are Credential Stuffing Attacks Increasing?
Password Reuse
Credential stuffing attacks prey on the common bad practice of reusing the same password across accounts on different services. One survey found that 53 percent of people reuse the same password across multiple accounts. Opportunistic attackers know these statistics and exploit the habit for their own gain: every reused password that leaks from one site is a ready-made key to every other site where it was used.
While the success rate of credential stuffing is typically quite low, the ability to run it at massive scale within a short time frame makes it likely that at least some username-password combinations will turn out to be valid on the target service. If an attacker successfully exploits a reused password, the consequences can range from financial fraud to shutting down an entire network. The Colonial Pipeline incident is a case in point: the attackers logged in to a VPN account using a password that had appeared in a batch of leaked credentials on the dark web, and the account was not protected by multifactor authentication.
It's critical for businesses and governments to communicate the importance of good password hygiene: a unique password for every account (a password manager makes this practical) and a prompt change of any password known to have been exposed. Forcing people to rotate passwords on a schedule is no longer recommended (NIST SP 800-63B advises against it) because it pushes users toward predictable variations of the same password. Upon identifying a data breach, a business should promptly notify affected users and make clear that the same password must also be changed on every other account where it was used.
Increased Data Breaches
High-profile data breaches make media headlines regularly, but these publicised cases represent just a small proportion of the total number of data breaches that occur. Smaller businesses succumb to data breaches all the time, and while only a few hundred records may be compromised in each incident, it all adds up. The Identity Theft Resource Center's Q3 2021 report found that the number of publicly reported data breaches by the end of September 2021 had already exceeded the total for all of 2020.
Because credential stuffing simply replays stolen credentials, the more of them there are to work with, the more attempts attackers can make against other apps and systems. Data breaches regularly result in lists of stolen credentials being offered for sale on dark web marketplaces. Sometimes the threat actors who breach a company don't even ask for money; they simply release all the data they managed to access, and the credentials are quickly folded into the combo lists that stuffing tools consume.
The result of an almost decade-long trend in data breaches is that there are now billions of username-password combinations available for attackers to replay against services and apps. The relentless stream of double-extortion ransomware attacks and other data breaches feeds a reinforcing loop: breaches produce stolen credentials, stolen credentials fuel credential stuffing attacks, those attacks cause further breaches, and the cycle continues.
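The practical counterpart to both the password hygiene advice above and the point about leaked credential corpora is to check passwords against those corpora at signup and on every password change, without ever sending the password anywhere. The Python below is an added example written for this page (not code from the article); it implements the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of the SHA-1 leave the host and the full hash is matched locally. The HTTP responses are replaced by a constructed lookup table so it runs offline: `FAKE_RANGES`, its counts and the non-matching suffixes are fabricated, while the real endpoint URL and the SHA-1 of "password" are genuine.

```python
import hashlib
import urllib.request

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses for prefixes and suffixes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: send only the 5-character hash prefix, then match the
    remaining 35 characters locally against the returned "SUFFIX:COUNT" lines.
    Returns how many times the password appeared in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def http_fetch_range(prefix: str) -> str:
    """Network fetcher for real use; not exercised offline."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-breach-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API body (fabricated suffixes and counts).
# Bucket "5BAA6" is the real prefix of SHA-1("password"); its real suffix is the
# second line, so the offline test mirrors what a live lookup would match on.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "0022A3D7E93B0D4FB1C2E3F4A5B6C7D8E9F:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "A1B2C3D4E5F60718293A4B5C6D7E8F90123:12",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher that returns the constructed bucket for a prefix."""
    return FAKE_RANGES.get(prefix, "")


def acceptable_password(password: str, fetch_range, max_seen: int = 0) -> bool:
    """Policy hook for signup and password-change forms: reject any password
    seen in a breach more than `max_seen` times (default: reject if seen at all)."""
    return breach_count(password, fetch_range) <= max_seen


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-7Qz"):
        print(pw, "seen", breach_count(pw, fake_fetch_range), "times")
```

Swap `fake_fetch_range` for `http_fetch_range` to query the live service; the privacy property is the same either way, because the server only ever learns a 5-character prefix shared by hundreds of unrelated hashes. Note that a non-zero count is a reason to reject the password even when the user's account has never been breached, since it is exactly the value a stuffing list will contain.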
Lack of Multifactor Authentication
A lack of multifactor authentication (MFA) is another important reason that credential stuffing attacks aren't slowing down. By requiring users to present a second category of evidence (something they have, such as an authenticator app or hardware key, in addition to something they know) before a login is accepted, MFA blunts credential stuffing because a valid username-password pair on its own is not enough to get into an application or service. Automated stuffing tools only have a password to submit, so even basic MFA stops them; phishing-resistant methods such as FIDO2/WebAuthn security keys also hold up against the follow-on attacks, such as SMS interception and push-notification fatigue, that adversaries turn to once a password has been confirmed valid.
The problem is that while every business has heard about MFA, and almost every security organisation recommends it, a substantial proportion of companies still do not implement it for user accounts. There are barriers to adoption, the most important being potential impacts on user experience and implementation cost.
Closing Thoughts
For as long as data breaches happen and poor password hygiene persists, the threat of credential stuffing is not going away. The most effective actions you can take to protect your business are: implement MFA for user accounts; screen new and changed passwords against lists of known breached passwords; rate-limit login attempts and use behavioural detection to flag anomalies such as a surge of failed logins spread across many source addresses and many distinct accounts; and perhaps add CAPTCHA challenges to login pages, bearing in mind that CAPTCHA-solving services are cheap, so a CAPTCHA raises the attacker's cost but is not a control on its own.