Cygilant Blog

Credential Stuffing

Posted by Cygilant on Apr 22, 2019

How to Protect Against Credential Stuffing Attacks


It’s impossible to miss the reports of massive, high-profile data breaches. Adobe, Ancestry, Bitly, Comcast, Dropbox, Equifax, Google+, Marriott Starwood, T-Mobile, Ticketfly, LinkedIn, Yahoo and many other companies have leaked massive amounts of personal information, such as user names and passwords. But you may not be aware of what happens to this data after it’s been stolen.

Cybercriminals often purchase stolen data on the Dark Web. For example, on February 17, 2019, a hacker going by the name Gnosticplayers put eight hacked databases containing data for 92.75 million users on sale for 2.6249 bitcoins (about $9,300) on the Dark Web Marketplace known as Dream Market. Previously, the same hacker had posted a batch of 16 databases containing data for 620 million users and another batch of eight databases with data from 127 million users.

Increasingly, this ill-gotten data then fuels what is known as “credential stuffing” attacks.

What is credential stuffing?

Wikipedia describes credential stuffing:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords - the attacker simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools, or tools designed specifically for these types of attacks.

Cybercriminals need vast amounts of data for credential stuffing. After all, it’s a numbers game.

On average, hackers find matches between stolen credentials and a site only about one percent of the time. Nonetheless, the massive amounts of data available clearly make these attacks attractive.  A recent Akamai reported noted that an average of 4.15 billion malicious login attempts from bots had been detected in both May and June of 2018, up from an average of 3.75 billion per month between November 2017 and June 2018.

Why do these attacks occur?

Two factors make credential stuffing attacks feasible.

  1. Individuals tend to reuse the same username and password across multiple sites and don’t change their passwords regularly. A study by Panda Security found that 52 percent of consumers use the same or very similar passwords for different sites and services.
  2. Automated tools can not only enter massive number of credentials, they can work around website safeguards to enable all the malicious requests to blend in with legitimate login attempts without raising suspicions.

For example, most web services employ rate-limiting protections to block floods of activity, so credential stuffing attacks can’t send staggering numbers of logins to a site from the same IP address. Automated tools use “proxy lists” to make requests look like they’re coming from many different IP addresses. Since most websites flag large amounts of traffic from the same browser-type as questionable, credential stuffing tools can manipulate properties of the login requests to make them look like they came from many different browsers. The tools can even integrate with platforms designed to defeat Captchas.


What you can do?

The best way to prevent credential stuffing attacks is for both end users and the companies running sites to take action.

Actions for end users

  • Track data breaches. End users should pay attention when major data breaches occur. If you have an account with a company that experiences a data breach, immediately change your password. And if you use the same username and password for other accounts, change those passwords as well. If you find it difficult to keep up with news reports of data breaches, you can find out if you have an account that’s been breached by checking with com. Simply enter an email address and the service will return a list of sites that may have leaked your credentials.
  • Set unique passwords for each digital account. Make sure each password has no resemblance to the old one. Don’t use the same core word. Don’t put the same special characters in the same positions. Using a password manager will help you create new account credentials for every website you frequent and help you manage those credentials when you visit those sites. A big advantage of password managers is that they let you create and easily manage the types of highly secure passwords that are impossible to remember.
  • Turn on two-factor authentication when available. Two-factor authentication requests additional authentication when you enter your password, providing another layer of protection in the event of a network attack.

Steps companies should take

  • Track and block suspicious login attempts. Companies can track logins that result in fraud and then blacklist the associated IP addresses. If users are located in a specific geographic region, they can establish geofences that block traffic that comes from elsewhere. These measures erode the effectiveness of the proxy lists attackers rely on to mask their mass login attempts, making these techniques more complex and costly. Web-based security products are also available that can block a single IP address or a range of IP addresses that originate too many unsuccessful login attempts. Cygilant’s Managed Detection and Response service can help here, for example.

Data breaches will undoubtedly continue to steal user names and passwords, leaving hundreds of millions of individuals vulnerable to credential stuffing attacks. But by being aware of the problem and implementing simple security measures, you’ll make cybercriminals’ jobs harder and reduce your risk of becoming a victim of these attacks.


Tags: Cybersecurity-as-a-Service

Most Recent Posts

Subscribe to the Cygilant Newsletter