The TurboTax breach. The Disney+ attack. The Ring home camera hack. These stories have made international headlines, but what most people don't realize is that all of these isolated data breaches are part of a larger trend: credential stuffing attacks.

Credential stuffing attacks are one of the most prevalent cybersecurity threats of 2020. On Auth0's platform alone, nearly half of all login requests we receive daily are attempts at credential stuffing. And the problem is only compounding as more credentials are exposed; at present, literally billions of compromised credentials are circulating on the dark web.

In response to this crisis, C-Suite executives urgently need to educate themselves about credential stuffing to protect their users' data, the integrity of their internal systems, and their businesses from regulatory fines and public scandal.

What Are Credential Stuffing Attacks?

Let's say you set M8gu96mB76 as your Netflix password, and then you re-use it (even though you know better) as your password for Amazon, your New York Times subscription, and even your bank account. If a hacker breaks into any one of these systems and gets your password, they could use it to gain access to all the rest. That's credential stuffing since if a hacker steals your password to one site, they can use it to break into every other site in which you used the same password.

It's a form of account takeover, and its consequences can range from frustrating inconveniences (as in the Disney+ hack that locked subscribers out of their accounts) to disturbing and nefarious crimes (such as when hackers broke into Ring home cameras to spy on children).

Here's how a credential stuffing attack usually works:

Step 1: A hacker gains access to a database containing usernames and passwords. This initial cyber attack could happen in a variety of ways, from a sophisticated hack to a phishing attack on an admin with access to the database to unprotected records left in publicly accessible areas.

Step 2: The hacker copies this information and sells it or publishes it (typically on the dark web) for other hackers to use.

Step 3: Cybercriminals use the usernames and passwords from one site to try and gain access to another. The success rate is relatively low, so hackers rely on automation: botnets that try millions of username-password combinations until one grants them access.

anatomy-credential-stuffing

Once hackers gain access to the victim site, they can cause various forms of mischief. Here are three of the most common:

  1. Selling access to compromised accounts: This is particularly common for streaming media services. Disney+, Netflix, and Spotify have all been victims of attacks in which hackers sold access to user accounts for less than the cost of a subscription.

  2. E-commerce fraud: Hackers can impersonate legitimate users at a retail website and order a high-value product, either for their use or for reselling. This is a common (and for criminals, potentially lucrative) form of identity theft, which makes retail the most vulnerable vertical for credential stuffing, according to research from Akamai.

  3. Corporate/institutional espionage and theft: While the above crimes have serious consequences for companies and their customers, this third form of attack has the potential to be most devastating to businesses. If an attacker successfully hijacks the account of an employee or admin, they gain access to all sorts of sensitive internal data, which they can sell to the highest bidder. Naturally, the compromised data can include databases of usernames and passwords, which can then start the whole credential stuffing cycle again.

"Recent hacks on @Disney+ and @ring had their roots in credential stuffing. These strategies can help protect you and your business."

The Costs of Credential Stuffing

Credential stuffing attacks are often discussed in terms of their cost to users, but they can also be devastating to businesses, inflicting financial, legal, and reputational damage.

The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $4 million per year to credential stuffing. These losses take the form of application downtime, lost customers, and increased IT costs. Large-scale botnet attacks can overwhelm a business' IT infrastructure, with websites experiencing as much as 180 times their typical traffic during an attack. And despite the uptick in reported attacks, it's safe to assume that many businesses do not disclose when their systems are compromised, and their internal data is stolen, so we may never know the full cost.

When credential stuffing attacks go public, some companies have reacted by maintaining that their systems were not breached, and therefore they were not responsible for the inconvenience to users. While this defense is technically true, it tends to fall flat with the public, and there is an undeniable reputational cost when companies suffer a breach of any kind. After all, the headlines typically read "Major Corporation Breached" not "John Doe Attacked Because He's Still Re-Using the Same Password."

Increasingly, regulators, as well as the public, are holding companies accountable for credential stuffing attacks. Companies may be subject to legal action under data privacy laws such as GDPR if they fail to implement adequate security measures to prevent such attacks, fail to inform the public of a breach, or don't do enough to protect passwords.

For example, in 2018, the UK's Information Commissioner's Office (ICO) fined Uber £385,000 for "a series of avoidable data security flaws" that exposed the data of approximately 2.7 million UK customers. The same year, German authorities fined social media company Knuddels for storing unencrypted user credentials, which were compromised in a breach.

"Is your business safe from credential stuffing? Use this article to educate your staff — and test their knowledge with a short quiz!"

How to Protect Your Business From Credential Stuffing

Despite the pervasiveness of credential stuffing attacks, there are some fairly straightforward methods for guarding against them. These safeguards are particularly effective when used in concert with and through third-party providers that can update their solutions to evolve along with hackers' techniques.

Multi-factor Authentication

Multi-factor authentication (MFA) is the single most effective protection against credential stuffing because it requires users to log in with an additional form of authentication rather than the simple username-password combination. This might mean biometric authentication, such as a fingerprint, a one-time code sent to a device associated with the user, or an email sent to a secured account.

The adoption of MFA has been slow due to concerns about its impact on customer experience. Still, businesses can avoid inconveniencing users by applying MFA contextually as opposed to demanding it in every situation. Auth0's platform enables step-up authentication in which users only need to submit additional credentials when attempting a high-risk or suspicious action.

The increasing sophistication and customizability of MFA are helping it catch on in the corporate world, where it will hopefully become the norm. For instance, in February 2020, Google announced it would require Nest smart home users to use two-factor authentication.

Brute Force Protection

This capability can be used to stop attackers from using botnets to flood the system with a high volume of login attempts by locking them out after a certain number of failed attempts from the same user or same IP address.

While brute force protection is an indispensable tool, it can't stop credential stuffing on its own. Today, many hackers use IP proxy services, which can be cheaply purchased and used to circumvent brute force detection by making it appear as though each login attempt is coming from a different IP address.

Breached Password Protection

Breached password protection can take many forms, but it has to start with knowing what passwords have been exposed. Individual users can see if their credentials have been compromised on sites like Have I Been Pwned, but there are enterprise-level solutions as well.

Auth0's breached password detection works by keeping a constantly updated database with hundreds of millions of entries of compromised credentials.

Auth0 customers who enable this feature can customize it, so when a user logs in with compromised credentials, it can trigger several levels of reaction:

  • The user can still log in, but an admin is alerted.

  • The user can log in but must use MFA to verify their identity.

  • The user is not permitted to log in until they change their password.

Password Managers

There are many reputable password managers available that can either autogenerate a unique password for every online account or encourage users to create unique ones on their own since they know they won't have to remember them all.

In a perfect world, everyone would use a password manager rather than recycling the same few passwords, and credential stuffing attacks would be a thing of the past. Unfortunately, businesses can't force their external customers to do this, but they can require it of employees, so this is an effective method to protect your internal systems.

Survey Questions: Is Your Business Safe From Credential Stuffing?

  1. Credential stuffing attacks affect:

    1. Streaming media sites
    2. Online retailers
    3. Internal business systems
    4. All of the above.

    See answer...
    Correct Answer: D

  2. The most effective safeguard against credential stuffing is:

    1. Brute force detection
    2. Security questions
    3. Multi-factor authentication (MFA)
    4. There is no defense

    See answer...
    Correct Answer: C

Let in Users, Lock out Hackers

Until the world at large evolves past the username-password login standard, hackers will continue to engage in credential stuffing attacks. However, given the tools available to guard against credential stuffing, there is no reason why these attacks should continue to wreak havoc on users and businesses. If you'd like to learn how to safeguard your business, contact an Auth0 representative. With the right protections in place, your systems can permit access to legitimate users and lock out criminals with stolen skeleton keys.