Credential Stuffing Attack: Everything You Need to Know About It

Cybercriminals and hackers are always on the lookout to find vulnerabilities so they can gain access to your account and ultimately steal your valuable data/information. 

In recent years, there have been many major data breaches, with 540 million stolen credentials from Facebook in 2019 being just one example. As a result of these breaches, cybercriminals now possess millions if not billions of stolen credentials, which also circulate on the dark web and various forums.

Attackers can then try these stolen credentials on other websites, hoping that the owner of the credential happens to have an account on the new website and uses the same username/password pair (which, admit it, many of us do). 

This type of attack is called credential stuffing, and here we will discuss all you need to know about this malevolent attack, and especially how to prevent it from impacting your site. 

What Is a Credential Stuffing Attack?

Credential stuffing is, as briefly discussed above, a type of cyberattack in which an attacker uses an acquired (mainly stolen) credential, such as a username/password pair, on other websites or services.

Let’s say a hacker possesses an individual's Gmail username and password. When the hacker tries the same username and password on Facebook, for example, that is a credential stuffing attack.

The underlying principle of a credential stuffing attack is fairly simple, and it relies on one of the most common cybersecurity mistakes made by so many people (including you?): using the same password on all our accounts. So, stolen credentials from lower-profile websites may work on bigger sites that contain more sensitive data (e.g. a stolen game account can lead to your banking account).

Since the attacker is using a known and valid credential in a credential stuffing attack, the attack itself is fairly easy to execute and has a smaller chance of being detected than brute force/credential cracking attacks.

How Credential Stuffing Attacks Work

Here is a typical process of a credential stuffing attack: 

  1. Set up a bot that can automatically log in to multiple user accounts in parallel for each website/service. The bot might be configured to mimic human behaviors and rotate between different IP addresses to avoid detection.
  2. Automatically run through the stolen credentials database and check whether each credential works on the target websites. The bot runs this process in parallel against multiple sites (possibly hundreds or thousands of websites simultaneously).
  3. Check for successful logins and then attempt to steal sensitive information where possible (e.g. financial information, email addresses, physical addresses).
  4. Change the account’s credentials to make the hacker the new owner of the account.

How To Prevent Credential Stuffing Attack

1. Investing In a Bot Detection Solution

Since most credential stuffing attacks are now performed with the help of bots, one of the most effective approaches to preventing them is to use advanced account takeover protection software by DataDome that can detect and block malicious bot traffic attempting the attack in real time.

Since both bots and humans now use the same browsers and IP addresses, real-time and automated credential stuffing protection is now necessary. Fingerprinting-based detection typically can no longer keep up with sophisticated bots, and this is where an AI-powered, machine-learning bot management solution is required to effectively prevent credential stuffing attacks.

2. Use Strong and Unique Passwords, Every Time

The most effective approach to preventing a credential stuffing attack is to use strong/complex passwords in the first place. Also, always use a unique password for each of your accounts.

A strong password should be at least 10 characters long and use a combination of uppercase and lowercase letters, symbols, and numbers. Again, you should create a unique strong password for each account.

Thankfully, nowadays we can use various password managers to generate and ‘remember’ complex passwords with convenience. So there’s simply no reason not to use a strong and unique password, every time. 

3. Multi-Factor Authentication

Multi-factor authentication (MFA), sometimes called 2-factor authentication (2FA), essentially asks for secondary information besides the password before a user can access their account. Thus, in the event of a successful credential stuffing attack, an attacker won’t gain access to the account even if the credential is correct.

The information used in MFA can be: 

  • Something you have: a USB dongle, etc. 
  • Something you know: a secondary password, PIN, OTA code, etc.
  • Something you are: fingerprint, iris, face ID, etc. 

MFA is very effective in stopping credential stuffing attacks. However, too many MFA requests can significantly hurt your site’s user experience and might cause your users to leave.

So you can strategically require MFA only under certain suspicious conditions, for example:

  • Blacklisted IP address, IP address that has tried to log in to multiple accounts
  • Obvious bot/scripted activities
  • Different browser/device/IP address or other signature
  • Login attempt from unusual location or countries that are considered suspicious
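
One way to turn the conditions listed above into a step-up decision, as an added example that is not part of the original article. It covers the blocklisted-IP, many-accounts-per-IP, new-device and unusual-country conditions; the thresholds, field names and the StepUpPolicy class are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600      # assumption: look-back window per source IP
MAX_ACCOUNTS_PER_IP = 5   # assumption: distinct usernames one IP may try

@dataclass(frozen=True)
class LoginAttempt:
    ts: float        # seconds since some epoch
    ip: str
    username: str
    device_id: str   # hypothetical stable browser/device identifier
    country: str     # from a GeoIP lookup done elsewhere

@dataclass
class StepUpPolicy:
    blocklisted_ips: set = field(default_factory=set)
    # Plain dicts read with .get(): no state is created for attacker-supplied usernames.
    known_devices: dict = field(default_factory=dict)    # username -> {device_id}
    usual_countries: dict = field(default_factory=dict)  # username -> {country}
    by_ip: dict = field(default_factory=lambda: defaultdict(deque))

    def reasons(self, a: LoginAttempt) -> list:
        """Signals that make this attempt require MFA; empty means password only."""
        recent = self.by_ip[a.ip]
        recent.append((a.ts, a.username))
        while a.ts - recent[0][0] > WINDOW_SECONDS:   # drop attempts outside the window
            recent.popleft()
        out = []
        if a.ip in self.blocklisted_ips:
            out.append("blocklisted_ip")
        if len({user for _, user in recent}) > MAX_ACCOUNTS_PER_IP:
            out.append("ip_tried_many_accounts")
        if a.device_id not in self.known_devices.get(a.username, ()):
            out.append("new_device")
        if a.country not in self.usual_countries.get(a.username, ()):
            out.append("unusual_country")
        return out

    def record_verified(self, a: LoginAttempt) -> None:
        """Call after a login passes MFA so its device and country become trusted."""
        self.known_devices.setdefault(a.username, set()).add(a.device_id)
        self.usual_countries.setdefault(a.username, set()).add(a.country)

def demo() -> list:
    """Constructed traffic: one IP walks a credential list, then tries alice."""
    policy = StepUpPolicy(blocklisted_ips={"203.0.113.9"})
    policy.record_verified(LoginAttempt(0, "198.51.100.7", "alice", "dev-a1", "DE"))
    for i in range(6):
        policy.reasons(LoginAttempt(1 + i, "192.0.2.50", f"user{i}", "dev-x", "US"))
    return policy.reasons(LoginAttempt(7, "192.0.2.50", "alice", "dev-a1", "DE"))
```

In the constructed run, alice's usual device and country are not enough to skip MFA, because the source IP has already tried six other usernames inside the window.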

4. Block Older Browsers/User Agents

Although this won’t stop experienced attackers, who often mask their user agents and rotate between hundreds if not thousands of IP addresses per minute, this approach can help defend against less sophisticated attackers and bots attempting credential stuffing attacks.

As a general rule of thumb, you should block browser versions that are older than 3 years, and you can implement CAPTCHA for browsers and user agents that are 2 years old or older.

End Words

As you can see, there’s no perfect method that will 100% prevent attackers from performing credential stuffing attacks. However, we can certainly make it more difficult for the attackers with the hope that if we can slow them down enough, they will give up and switch to other targets.

The most effective approach, however, is to have an effective bot detection and mitigation solution that can detect the credential stuffing attempt in real time. Solutions like DataDome offer a comprehensive bot detection solution that deploys in minutes on any infrastructure and runs fully on autopilot, so you don’t have to do anything when a credential stuffing attempt occurs.

When detecting and managing bad bots, it’s very important to avoid false positives and not to accidentally block legitimate human traffic and good bots that are beneficial for your site. This is why getting a proper bot mitigation solution that can perform behavior-based analysis is now a necessity for everyone. Credential stuffing can easily affect anyone; it is no longer an issue exclusive to bigger enterprises and companies.