BELLEVUE, Wash., November 18, 2019 — Auth0, the identity platform for application builders, today revealed data insights showing the staggering amount of credential stuffing attacks attempted on its platform on a daily basis. Auth0 detects attacks from more than 50,000 unique IP addresses every day, reflecting the growing sophistication and frequency of cybercrime. Credential stuffing attempts are constantly multiplying, with absolutely no slowdown in sight.
The sheer number of attempts is due largely to the ease and inexpensive manner in which credential stuffing attacks can be orchestrated. Getting access to breached passwords is the first step for attackers, and unfortunately, there are billions openly available on the internet. Auth0's database contains more than one billion breached email/password combinations which are used for its Breached Password Detection feature, the first line of defense against credential stuffing. Breached credentials, in combination with 65% of people reusing passwords across accounts (Google), enables hackers to architect botnets — networks of exploited devices — to direct large-scale attacks in a coordinated manner.
Whereas targeted attacks have a specific and designated entry in mind, large-scale attacks like credential stuffing are automated and intended to attack as many entry points as possible. There is also a proliferation of 'botnets-for-hire' where services are traded among hackers, even rented for nominal fees for use in widespread attacks. And their destruction can oftentimes go unnoticed because these botnets steal insignificant amounts of money from services (like Spotify or Netflix) that actually add up to billions of dollars every year.
Between July and September 2019 alone, Auth0 determined that during a credential stuffing attack, traffic for a particular website may surge as much as 180x the usual volume, with traffic related to the attack itself accounting for 70% of overall activity.
"Unfortunately, it has become very easy and cheap for bad actors to quickly rotate the IP addresses used in an attack. Nearly all of the attacks we detect appear to originate from botnets," said Matias Woloski, CTO and co-founder of Auth0. "Many major brands have fallen victim to credential stuffing attacks this year — causing a significant impact on IT resources, account takeovers, and brand reputation. Even the largest companies are vulnerable if they don't have the right preventative measures in place."
Auth0 is at the front door to stop credential stuffing attacks. Breached Password Detection (part of Auth0's Anomaly Detection), with its internal database of more than one billion breached passwords, enables customers to block user accounts that try to login with compromised information, and only grants access when the password has been reset. This is instrumental in blocking credential stuffing attacks, since hackers rely on people reusing email and password combinations that have already been breached.
In addition, Multifactor Authentication (MFA) is one of the best ways to prevent account takeovers, whether from a credential stuffing attack or something else. In order to compromise an MFA-protected account, attackers would need to access not only a set of breached credentials used across accounts, but also the device used for the second factor. Combatting MFA drastically increases the time and effort needed for bad actors to compromise an account, which makes it infeasible to do at scale. Auth0 is working on additional features to reduce the perceived friction end users experience when MFA is implemented.
"Breached Password Detection and MFA functionality are the critical barriers for preventing credential stuffing attacks. We are continuously improving our features to detect and prevent, and will be rolling out new functionality to have even greater visibility into attacks," added Woloski.
Auth0, the identity platform for application builders, provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, Sydney, and Singapore, support its customers that are located in 70+ countries.
Matter for Auth0
Racepoint Global for Auth0, EMEA