
How you can protect your business from credential stuffing


10 billion. That’s the number of credential-stuffing attempts in 2022. And as the FBI warned recently, these attacks are growing in volume.

But don’t panic just yet. In this blog, we’ll walk you through credential stuffing, how it can impact your business, and how to protect yourself and your customers from it. So, if you want to keep your business safe and secure, keep on reading.

What is credential stuffing?

Credential stuffing is a type of cyber attack in which stolen usernames and passwords from one website are used to gain unauthorised access to another. The attacker uses automated tools to test thousands or even millions of username and password combinations on a target website until they find a match.

Since many people use the same username and password for multiple online accounts, credentials stolen from one website often work on others. For example, if a hacker gains access to a user database from a social media website, they may use the stolen usernames and passwords to attempt to log in to banking or e-commerce websites.

How credential stuffing works

Credential stuffing uses automated tools to test multiple username and password combinations on a website’s login page. The tools work quickly, testing thousands or millions of combinations in a short amount of time - hence its moniker, ‘stuffing’.

If the attacker gets a match, they can access the victim’s account and potentially steal sensitive information or use it for fraudulent activity. Even if the victim has used different usernames and passwords for different accounts, the attacker may still be able to access other accounts if they can access the victim’s email account.

Credential stuffing examples

Credential stuffing attacks are becoming increasingly common and can significantly impact organisations and their users. Just look at these recent credential-stuffing attacks:

  1. Dunkin’ Donuts: In 2019, Dunkin’ Donuts suffered a credential stuffing attack that affected an unknown number of users. The attackers used stolen usernames and passwords from other websites to access Dunkin’ Donuts’ customer accounts. The hackers used the accounts to make fraudulent purchases, often using stored value cards that the users had loaded with funds.
  2. Reddit: In January 2019, Reddit announced it suffered a credential stuffing attack. The attack affected a few users, but the hackers could access email addresses and usernames associated with those accounts. Some Reddit users discovered they were locked out of their own accounts.
  3. Spotify: In 2020, a hacker posted a database of 380 million records on a hacking forum, which included login credentials for Spotify users. The database appeared to be a collection of stolen data from previous credential-stuffing attacks. The information was used to gain access to Spotify accounts.
  4. Zoom: In 2020, Zoom confirmed that it had suffered a credential stuffing attack that affected a small number of users. The attackers used stolen credentials from other websites to access Zoom accounts, which they then used to host unauthorised meetings.
  5. DraftKings: In 2022, the betting site DraftKings suffered a data breach that resulted in $300,000 being stolen from customer accounts. Hackers obtained the login information of the impacted customers elsewhere and then used these passwords to access their DraftKings accounts.

Credential stuffing vs brute force

Both credential stuffing and brute force attacks are methods hackers use to gain unauthorised access to user accounts. The main difference between the two is that credential stuffing involves using stolen login credentials, whereas brute force involves using automated tools to guess passwords.

With brute force, the attacker uses software to generate many possible password combinations, which are then systematically tested until the correct password is found. Brute force attacks are time-consuming, but they can be successful if the password is weak or easy to guess.

So if a hacker wants to access a victim’s account, they may use automated tools to guess the victim’s password. For example, if the victim’s password is a common word or a simple combination of letters and numbers, the attacker can use automated tools to try different password combinations until they find the correct one.

Password spray vs credential stuffing

Password spray and credential stuffing are both types of cyber attacks that target user accounts. The main difference between the two is the approach used to carry out the attack.

A password spray attack is a type of brute-force attack that targets many user accounts using a small number of commonly used passwords.

In a password spray attack, the attacker selects a small number of commonly used passwords and tries them against many accounts. This approach reduces the likelihood of the attacker being detected by the target organisation’s security systems.

For example, an attacker might use a list of commonly used passwords (such as “password” or “123456”) and try them against a large number of user accounts. The attacker will try each password against multiple accounts until they find a successful match. MIRACL users won’t even notice such attacks: Our zero-knowledge proof protocol allows us to eliminate vulnerable password databases from the authentication process. You’re protected at all times.

How to detect credential stuffing

Detecting credential stuffing can be challenging as it often involves automated tools designed to evade detection. Still, there are some strategies that organisations can use to detect credential-stuffing attacks. Here are some standard methods:

  1. Monitor login attempts: Monitoring login attempts can help detect patterns of suspicious activity, such as a large number of failed login attempts from different IP addresses within a short period. If multiple failed login attempts occur from the same IP address, it may indicate an automated attack.
  2. Analyse user behaviour: Analysing user behaviour can help identify abnormal login activity. For example, if a user typically logs in from a particular location and suddenly logs in from a different location, it could indicate a credential stuffing attack.
  3. Monitor for known compromised credentials: Regularly monitoring for known compromised credentials can help organisations identify if their users’ credentials have been compromised in a data breach. This information can be used to identify if a credential-stuffing attack is underway.
  4. Implement IP blocking or rate limiting: Limiting the number of login attempts that can be made from a single IP address within a specified period stops automated tools from making many login attempts in a row, which helps mitigate the impact of credential-stuffing attacks.
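
The login monitoring described in steps 1 and 4, sketched as an added example (not MIRACL's code): a sliding-window counter of failed logins per source IP that also separates single-account guessing from attempts spread over many accounts. The thresholds, labels and event tuple layout are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_FAILURES = 5               # assumed per-IP failure threshold
MANY_ACCOUNTS = 4              # assumed distinct-username threshold
MANY = "many-account (stuffing or spray)"
SINGLE = "single-account guessing (brute force)"

def _failures(start, ip, users, step_s):
    """Build constructed failed-login events, one every step_s seconds."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), ip, u, False)
            for i, u in enumerate(users)]

# Constructed sample events: (ISO timestamp, source IP, username, success)
T0 = "2024-01-01T10:00:00"
SAMPLE_EVENTS = (
    _failures(T0, "203.0.113.10", [f"user{i}" for i in range(8)], 15)
    + _failures(T0, "198.51.100.7", ["alice"] * 7, 5)
    + _failures(T0, "192.0.2.9", ["carol"] * 6, 720)   # slow: one per 12 min
    + [("2024-01-01T10:00:00", "192.0.2.5", "bob", False),
       ("2024-01-01T10:00:20", "192.0.2.5", "bob", False),
       ("2024-01-01T10:00:40", "192.0.2.5", "bob", True)]  # user mistyped twice
)

def detect(events):
    """Return {ip: label} for IPs with more than MAX_FAILURES failures in WINDOW."""
    recent = defaultdict(deque)  # ip -> (time, username) of recent failed logins
    alerts = {}
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) > MAX_FAILURES:
            distinct_users = {u for _, u in q}
            alerts[ip] = MANY if len(distinct_users) >= MANY_ACCOUNTS else SINGLE
    return alerts

if __name__ == "__main__":
    for ip, label in detect(SAMPLE_EVENTS).items():
        print(ip, "->", label)
```

A per-IP counter alone does not see failures spread across different IP addresses, which step 1 also mentions; the same window keyed on the whole login endpoint covers that case.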

Why is Credential Stuffing a threat to Businesses?

Credential stuffing is a significant threat to businesses for several reasons.

First, it can result in data breaches that expose sensitive customer information, such as financial and personal information. Data breaches can also result in significant financial losses and damage the business’s reputation. And no one is immune: PayPal is the latest company whose accounts were breached in a credential-stuffing attack.

Second, credential stuffing can lead to fraudulent activities on a company’s platform. Attackers can use stolen accounts to make purchases, conduct unauthorised transactions, or commit other forms of fraud.

Finally, credential stuffing attacks can be challenging to detect and prevent. Because the attack involves testing multiple username and password combinations, it can look like legitimate login attempts. That makes it difficult for businesses to distinguish between a genuine user and an attacker.

How Can Businesses Protect Against Credential Stuffing?

There are several steps businesses can take to protect themselves and their customers against credential-stuffing attacks:

  1. Use Captcha or two-factor authentication (2FA): Both methods are effective and annoying at the same time. They slow down users and add friction to the login process. With MIRACL, users can log in immediately and still enjoy the same level of security. It’s 5x faster than passwords, 10x faster than authentication apps, and 15x faster than one-time passwords. Implementing Captcha or two-factor authentication can help prevent credential stuffing attacks by adding an additional layer of security to the login process. Captcha requires users to solve a puzzle or answer a question before accessing the website. In contrast, two-factor authentication requires users to provide a second form of identification, such as a text message or an authenticator app, in addition to their username and password.
  2. Ditch passwords: With MIRACL, you can let go of passwords for good. Your team members only need to remember one PIN to access all devices. It’s said that businesses should require users to create strong passwords that are difficult to guess or crack. Passwords should be at least eight characters long and include a mix of upper and lowercase letters, numbers, and symbols. However, a 2019 Google poll shows over 52% of users reuse passwords, and around 13% admit to using one password across all accounts. The reason? 68% of password users admit they reuse credentials because they fear forgetting them.
  3. Educate users: Businesses should educate their users about the risks of credential stuffing and show real-life examples. The “It won’t happen to me” attitude is still widespread.

Credential stuffing is a serious threat to businesses that can result in data breaches, financial losses, and damage to their reputation. Businesses should protect themselves and their customers by using multi-factor authentication, monitoring for unusual activity, implementing strong password policies, and educating users about the risks of credential stuffing.

Or, they can install MIRACL in minutes and let our authentication tool handle all of the above.

You can try MIRACL for yourself in just 5 minutes and without any obligation here.
