
What Is A Credential Stuffing Attack?


Credential cracking and credential stuffing are two of the ways that hackers use bots to compromise your website security. Credential cracking is an attack on the account login page of a website. Hackers start with a list of usernames, but no passwords. By dispatching their army of bots, they use brute force to run a library of commonly used passwords against the list of usernames. If a login attempt is successful, the hacker changes the password and now owns the account, locking the real account holder out. Even worse, those successfully cracked credentials are subsequently tested by the hacker manually against other sites on the Internet, and because people reuse the same credentials across multiple sites, the hacker hijacks multiple accounts belonging to one person. The user must now contact all those other websites to unlock their accounts, which each company must handle courteously to avoid damaging the customer relationship.

When this technique of trying stolen credentials on other sites is automated by bots, it is called credential stuffing, and it spikes after a significant breach. When the Ashley Madison breach was announced, millions of credentials became available for hackers to test against websites all over the Internet using bots. Wherever those credentials had been reused, the bots quickly gained access, alerting the hacker, who then hijacked the account. This explains why companies around the world see a massive spike in failed login attempts on their websites after a major breach announcement and have to absorb the cost of verifying and unlocking accounts for genuine customers.
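The failed-login spike described above is something a site operator can measure. The following is an added example (not code from the original article or from any product it may be describing) showing the kind of per-source check a defender can run over authentication logs: a stuffing source tries many distinct usernames and fails most of the time, whereas a legitimate user who mistypes a password hits a single account. The log format, the sample lines (which use RFC 5737 documentation addresses) and the thresholds are all constructed for this illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines, not real traffic. One line per login attempt.
CONSTRUCTED_LOGS = """\
2024-03-01T09:00:01Z ip=198.51.100.10 user=alice result=OK
2024-03-01T09:00:05Z ip=198.51.100.10 user=alice result=FAIL
2024-03-01T09:00:07Z ip=198.51.100.10 user=alice result=OK
2024-03-01T09:01:00Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T09:01:01Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T09:01:01Z ip=203.0.113.7 user=dave result=FAIL
2024-03-01T09:01:02Z ip=203.0.113.7 user=erin result=OK
2024-03-01T09:01:02Z ip=203.0.113.7 user=frank result=FAIL
2024-03-01T09:01:03Z ip=203.0.113.7 user=grace result=FAIL
2024-03-01T09:01:03Z ip=203.0.113.7 user=heidi result=FAIL
2024-03-01T09:02:00Z ip=198.51.100.22 user=ivan result=FAIL
2024-03-01T09:02:30Z ip=198.51.100.22 user=ivan result=FAIL
2024-03-01T09:03:00Z ip=198.51.100.22 user=ivan result=OK
"""

# Assumed (hypothetical) log format: timestamp, source IP, username, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_logs(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events: list[dict]) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: dict[str, SourceStats],
                          min_users: int = 5,
                          min_fail_ratio: float = 0.7) -> set[str]:
    """A source that spreads attempts over many accounts and mostly fails is
    the stuffing signature; a single user retrying one account is not."""
    return {ip for ip, s in stats.items()
            if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio}


def accounts_to_review(events: list[dict], flagged: set[str]) -> list[str]:
    """Successful logins from a flagged source mean the reused credential was
    valid: those accounts need a forced password reset and step-up verification."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "OK"})


def analyse(text: str = CONSTRUCTED_LOGS) -> tuple[set[str], list[str]]:
    events = parse_logs(text)
    flagged = flag_stuffing_sources(per_source_stats(events))
    return flagged, accounts_to_review(events, flagged)


if __name__ == "__main__":
    flagged, review = analyse()
    print("suspected stuffing sources:", sorted(flagged))
    print("accounts to reset/verify:", review)
```

On the constructed data only 203.0.113.7 is flagged (seven accounts, six failures), while 198.51.100.22, a user who got their own password wrong twice, is not; the one successful login from the flagged source (erin) is the account the operator must treat as compromised. In production the same two signals (distinct accounts per source and failure ratio) would be computed over a sliding window and compared against the site's normal baseline, since a post-breach stuffing wave is usually spread across many addresses.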


I would place money on the fact that you have multiple online accounts. Sites you log into using an email and password. Imagine that one of these sites is breached, and a hacker steals those login details. Responsible sites will let you know. They’ll email you, you change your password, and that’s the end of it.

But is it? Sure, you’ve changed your password on the breached site, but that ignores the fact that you’ve used the same email and password combination… pretty much everywhere. And our hacker knows that there’s a reasonable chance you’ve done that. So he or she takes those credentials and writes a few lines of code to automatically try them on a huge list of websites. In just a matter of minutes, they have access to your bank account and your email, and can lock you out of them.

With access to your email they can reset the password to any account they hadn’t already hijacked. They can pretend to be you. For all intents and purposes, to anyone on the internet, they are you. Even if all these websites are completely secure – which isn’t a given – that doesn’t account for all the other, less secure websites where you’ve used those credentials, which are much easier for hackers to breach. With your credentials in hand, they can walk in the front door of any service where you’ve used this password.

This technique is called ‘credential stuffing’, and it’s pretty much the model of a modern digital horror story.

How to prevent credential stuffing?


Credential stuffing can happen to anyone, but there are ways to prevent it or minimize the chances of getting stuffed. For example, using the same password more than once is a really bad idea – you could memorize a different password for each site, but that’s not really practical. By 2020, the average number of online accounts held per internet user is expected to be more than 200, a number that is too large to deal with.

The ideal solution would be to do away with passwords altogether, and we are working towards that with new technologies like WebAuthn, but we’re not there yet. In the meantime, the best solution is to use password manager software that securely stores your credentials, allowing you to access them using a “master” password.

It can also generate randomized alternatives, making your passwords much harder to guess or to crack. It might seem risky to put all your password-protected eggs in one basket, but the benefits of having multiple complex passwords across different sites far outweigh any risk involved. If you’re not already using a password manager, you should start today. Doing so will be a great first step, but to be honest, that’s all it is.

If you want to get serious about security, you need to start looking at multi-factor authentication. A factor can be something you know, something you have, or something you are, and you increase your level of security exponentially each time you add a factor. You’ve probably encountered two-factor authentication (or “2FA”) before – it’s being made available by an increasing number of websites and services. Take Gmail – Gmail verifies that you are you by using your password, but if a hacker has stolen your password, that method of verification is now worthless. That’s where 2FA comes in. Gmail sends a unique code to a device it knows you own and then asks you to verify that code. Even if someone has your password, they won’t have that code and will be denied access. Even this isn’t perfect though – text messages can be intercepted using a process called SIM swapping – so even as we speak, 2FA is evolving to be more secure, with many companies releasing 2FA apps that remove the need for SMS.

So, that’s where we are technology-wise. But how do you make sure that your data is secure? First, it’s good to check that your accounts haven’t been compromised already. You can do this using www.haveibeenpwned.com, a service that keeps track of data security breaches and will tell you if any of your information has been involved in one. After that, take a look at the Security Checklist – an open-source list of resources designed to improve your online privacy and security. There’s no doubt that when it comes to online security, ignorance is bliss. It’s tempting to just assume that your information is safe in the hands of those you’ve entrusted with it. We’re not going to pretend that 2FA and password managers aren’t inconveniences. But when you total up the sum of your valuable data that exists online, and how that data is only going to grow in the future, it quickly becomes apparent just how much you have to lose. And that is what makes increased awareness and security a necessity for us all.