Credential Stuffing

A brute force attack uses a username and password generator to attempt to log in to a system by guessing the credentials of an authorized user with multiple sign-in attempts. Commonly used simple passwords are exploited, as well as phrases and names that are easy to guess.

Credential stuffing is more targeted than a brute force attack. A brute force attack is easy to identify due to the unusual number of login attempts from a certain Internet Protocol (IP) address. Credential stuffing is difficult to recognize because login attempts are made only once on each system. Moreover, IP address spoofing may disguise the source of the login attempt.

Password spraying is a technique used by hackers. They use a list of legitimate email addresses combined with the most commonly used passwords to gain unauthorized access to a system. Secure systems should never allow the use of email addresses for usernames because this essentially gives away half of the credentials to anyone with an email list.

It is shocking to learn how many companies have been subject to a credential stuffing attack. Here is a list of a few major companies that had to deal with this type of cyberattack:

1. HSBC: In 2018, HSBC was subject to a major credential stuffing attack, putting their clients' financial information at risk.
2. DailyMotion: In January 2019, the DailyMotion video website shut down temporarily due to an attack.
3. Dunkin' Donuts: In 2019, Dunkin' Donuts faced two massive credential stuffing attacks within three months.
4. Reddit: Also hit in 2019 was Reddit, which caused customers to lose access to their accounts while hackers stole their data.
5. Deliveroo: In 2019, Deliveroo customers were charged for orders they never placed.
6. Basecamp: In 2019, Basecamp had to fend off a massive wave of illegitimate login attempts over a few hours.
7. Sizmek: In 2019, a Russian hacker attacked Sizmek, a major advertising company. The hacker sold stolen controls to advertising campaigns in a dark web auction.
8. TurboTax: Also in 2019, TurboTax suffered a security breach caused by credential stuffing. Hackers gained access to customers' tax information and social security numbers.
9. Nintendo and Zoom: During the pandemic lockdowns of 2020, Nintendo and Zoom got hacked.
10. Spotify: In 2020, Spotify's music streaming service faced an attack that used information from 380 million user records assembled from different sources.
11. The North Face: In 2020, The North Face Company was also hit hard with a credential stuffing attack. This attack required the retailer to reset an unknown number of their customers' accounts.
12. RIPE NCC: The website domain name registrar RIPE NCC got hit in 2021. This attack targeted the company's single-sign-on (SSO) service, exposing multiple databases and services.

The list of companies damaged by credential stuffing attacks is growing.

Here are the stages of a credential stuffing attack, from data collection to the ultimate account takeover and fraud.

At the beginning stage, credential data is collected. The data may come from a recent data breach, be purchased on the dark web, or be downloaded from freely available public archives. In addition to credential data, hackers may collect application programming interface (API) code, website domain Uniform Resource Locators (URLs), and information about online services such as web servers and cloud services.

Automation

Like setting up a botnet, hackers choose the software tools or write the programming code to execute the credential stuffing attack. These tools are readily available for a low cost. Some more sophisticated programs can avoid the CAPTCHA system, spoof the IP address or hide it, and be customized to respond to any protections that prevent the attack.

Architect

The attack's necessary architecture may include workload distribution across multiple participants, even some that perform computer processing without knowing the goals of the larger project. An example is a computer process server that processes API requests without concern about what they are doing.

Attacking

The attack launches, and then it is a "wait and see" period for the positive login results to accumulate. The results are a list of compromised and working login credentials.

Achievement

The goal of this effort is a full account takeover, a form of identity theft. It may also be a goal to infiltrate a network and steal confidential information, such as corporate espionage.

A hacker may use compromised login credentials to launch another type of attack called phishing. This attack tricks the target into thinking a request comes from an authorized person or a legitimate company. It fools them into doing something like sending money or providing personal information.

The Fortinet Web Application Firewall (WAF) safeguards your assets from known and unknown threats through application protection, API protection, and bot mitigation. Other features include machine learning-based threat detection, Security Fabric integration, advanced visual analytics, and false-positive mitigation. Fortinet WAF throughputs are incredibly fast and secured by encryption when using hardware-based acceleration.

Credential stuffing is an automated cyberattack that inserts stolen usernames and passwords into the system's login fields to achieve an account takeover (ATO) for fraudulent misuse.

To detect credential stuffing, use proactive threat hunting and network monitoring tools to look for signs of malicious activity, such as multiple login attempts from an unauthorized IP address.

To prevent credential stuffing, enable multi-factor authentication (MFA), require complex passwords, and educate employees about the danger of using weak passwords or using the same password on multiple systems.