Credential stuffing - are you doing enough?

Credential stuffing attacks are nothing new and are in fact one of the simplest attacks for hackers to launch. Stuart Jubb, Group Managing Director at Crossword, outlines what credential stuffing is and discusses what companies need to be doing to protect themselves.


Credential stuffing is the name given to the type of cyberattack in which stolen account credentials - lists of usernames or email addresses and the corresponding passwords - are used to gain unauthorised access to user accounts through large-scale automated login requests.


For budding hackers or 'script kiddies' it can be one of the first things that they try for the thrill of seeing that they can gain access to systems. For the more experienced, the potential for credential stuffing attack is much greater - it can provide them with more information on an individual, such as details about their finances, home life. etc. This information can be used to make purchases or spend credit in the account accessed, or to build a curated file on an individual or company that can be sold on the dark web for others to exploit.


The problem is that it doesn’t stop there. When a hacker finds a username/password combination that works, they can then test that combination across popular consumer sites and services, to see whether the same credentials have been used elsewhere – and we all know how often the same password is used. If a hacker gains access to an email account, where they can also read emails and learn details about a person which they can exploit.


Credentials stuffing attacks are not always only about gaining access. They can be automated attacks where thousands of credentials might be thrown at a website and tested from multiple servers. This leads to poor performance on the website and can even take them offline, in a type of denial of service attack. Where this is the goal, stolen credentials are actually not needed at all.


Individuals and companies that become the victim of credentials stuffing attacks can suffer financial and reputational damage, and the issues caused can take a long time to resolve. Companies also risk losing the confidence of customer and investors.


Mitigation doesn’t have to mean complication


There is a number of measures an individual can take to protect their personal information, such as using secure passwords, multi-factor authentication, and keeping anti-virus and other software up to date. The National Cyber Security Centre offers some great additional tips.


For companies, there is a whole host of security solutions available that will help make it harder for hackers to get what they want out of an attack, whether that is disruption, or validated credentials. Our network monitoring solutions from Nightingale and breached credentials tracking platform, Trillion, are both great places to start.


Here are some basics that you should also consider to ensure that your systems are doing all they can to mitigate the risks:


  • You might think you know your website traffic, but do you understand your logon traffic? These are not the same thing, so learn about the patterns in your business.


  • Don’t make the mistake of thinking that employing a login tool such as Captcha is ‘job done’. You can still attempt to login multiple times on different usernames, and that is exactly what is happening during a CS attempt.


  • Monitor your failed to successful login ratio in real-time from all login requests. It might be that a 2%-3% fail rate is normal for your business. If it falls outside this range, it could constitute a credentials stuffing attack.


  • Look at employing time-series analysis to identify sudden peaks in attempted login attempts. There may be seasonal elements to this, for example the start of well promoted sale of concert tickets, or retail event, but you can plan for this, and combined with the successful login analysis it can identify a sudden attack.


  • Advanced attacks can originate from cloud infrastructure. The ranges of these providers are available online and can be used to help mitigate attacks.


The attacks and tools that hackers use are getting more sophisticated all the time. We need to get on top of credential stuffing as an industry. Whilst we’ve only scratched the surface of what is possible, the point is that there is a lot we can do to lower the risks of an attack and to identify it quickly when it does.


Learn more about our breached credentials monitoring platform, Trillion.


Find out how the Crossword Cybersecurity consulting team can support companies with their cybersecurity strategy.