Recently I heard about a cyberattack where hackers take credentials that have previously been exposed and use them to try and brute force logins at different sites.
This method of attack is called 'credential stuffing'. I find the idea of it to be so simple and so preventable that it shouldn't be a thing, and yet so amazing that it's so effective.
Anatomy of the attack
A general credential stuffing attack will involve these major steps:
- The attacker will acquire leaked usernames and passwords from a breach or credential dump site.
- The attacker uses a botnet or script to test the stolen credentials against desired target websites (for instance, social media sites, banks, or online marketplaces).
- The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information that can be sold or used.
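Seen from the defender's side, step 2 above is the one that leaves a trace: it shows up in the login logs as one source trying many different usernames, each usually once, with almost all of them failing. The Python below is an added example, not code from the original post. It runs a simple heuristic over constructed sample log lines; the log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the post). One source tries a dozen
# different usernames once each with a single hit (stuffing), one real user
# mistypes once then logs in, and one source hammers a single account (plain
# brute force, which this heuristic deliberately does not flag).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=grace result=OK
2024-05-01T10:00:04Z src=203.0.113.5 user=heidi result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=ivan result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=judy result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=mallory result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=oscar result=FAIL
2024-05-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:10Z src=198.51.100.7 user=alice result=OK
2024-05-01T10:02:00Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:02:01Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:02:02Z src=192.0.2.9 user=admin result=FAIL
2024-05-01T10:02:03Z src=192.0.2.9 user=admin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (src_ip, username, success) tuples; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["src"], m["user"], m["result"] == "OK"))
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, set of distinct usernames, success count."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for src, user, ok in events:
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
    return stats


def flag_credential_stuffing(stats, min_distinct_users=10,
                             min_spray_ratio=0.8, max_success_ratio=0.1):
    """Sources that look like stuffing: many distinct usernames, roughly one
    attempt per username (spray ratio near 1.0) and a low success rate.
    Thresholds are illustrative; the post's 0.1-0.2% hit rate means a real
    campaign looks even more lopsided than this small sample."""
    flagged = []
    for src, s in stats.items():
        spray_ratio = len(s["users"]) / s["attempts"]
        success_ratio = s["successes"] / s["attempts"]
        if (len(s["users"]) >= min_distinct_users
                and spray_ratio >= min_spray_ratio
                and success_ratio <= max_success_ratio):
            flagged.append(src)
    return sorted(flagged)


def accounts_to_reset(events, flagged_sources):
    """Usernames that logged in successfully from a flagged source: these are
    the accounts the attacker now holds and the ones to lock and reset first."""
    hit = {user for src, user, ok in events if ok and src in flagged_sources}
    return sorted(hit)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    stats = summarize_by_source(events)
    flagged = flag_credential_stuffing(stats)
    print("suspected stuffing sources:", flagged)
    print("accounts to reset:", accounts_to_reset(events, flagged))
```

The spray ratio is what separates stuffing from an ordinary brute force against one account: a single-account attacker produces many attempts for one username, while a stuffing run produces about one attempt per username. Rotating the source IP across a botnet (as the post notes attackers do) weakens the per-IP grouping, so in practice you would also key on things like user agent, ASN or TLS fingerprint.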
Why is it so effective?
Successful logins are usually only 0.1-0.2% of the total login attempts, but each one lets the attacker take over the account matching the stolen credentials, and it's easy to understand why the attack works at all... people reuse login credentials. Think about it. How many accounts do you have, and how many of them use the same username and/or password?
Furthermore, the attacker can also use the account information going forward for other malicious purposes: sending spam, making further transactions, or trying the same credentials against other accounts that might be more valuable, like a bank.
According to a report by helpnetsecurity.com, 9,050,064,764 credentials were recovered in 2019 from 640 unique data breaches. The credentials recovered showed that almost a third of internet users that were affected by data breaches last year had reused a password in some form. "94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password. These tactics are easily defeated by tools, which test for common, slight variations." (5)
This type of lackluster care for our credentials means that attackers can still reuse credentials that were exposed back in 2012!!
What can you do to prevent it?
This is pretty straightforward actually...
- Change your passwords
- Keep them all unique from each other
- Don't use one password with minor changes across platforms
- Use 2FA if it's available
According to a McAfee survey in 2018,
"Consumers who responded to the survey have an average of 23 online accounts that require a password, but on average only use 13 unique passwords for those accounts. 31% only use two to three passwords for all their accounts so they can remember them more easily. And lists are far from dead, as the most common way to remember passwords is to keep a written or digital list of all passwords (52%)." (3)
I also recommend a password manager to help with this. Password managers are a great way to make sure you have unique passwords across all credentials and don't have to worry about memorizing 100 passwords for all the random sites we sign up for.
And remember, don't use common passwords
- NIST’s Password Guidelines
Top comments (6)
As developers, one of the best things we can do to fight credential stuffing is by integrating our authentication backend against databases of compromised passwords and issuing warnings to our users:
"This password was recently exposed in a data breach, maybe you should try a different one".
For any service we build that handles money, this can also be used as a tool for reducing our potential liability for fraud! :)
I love this idea of letting people know that their password has been seen somewhere but I have yet to see this used in the wild.
I like to check my own passwords on haveibeenpwned.com/ occasionally.
I saw it somewhere I just can't remember where. I'll see if I can find it.
It just makes use of the haveibeenpwned api: haveibeenpwned.com/API/Consumers
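The check proposed in the comments above, a compromised-password lookup at signup or password change, as an added Python example that is not part of the post or of the comments. The k-anonymity range endpoint (`https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`) and its `SUFFIX:COUNT` response lines are the real Pwned Passwords API; the `FAKE_RANGE_RESPONSES` stand-in, its counts, the `check_new_password` policy wrapper and the length floor are constructed for this example.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to the
    API and the 35-char suffix that never leaves this process (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix):
    """Fetch the suffix list for a prefix from the real Pwned Passwords API.
    Not called by the offline demo below; swap it in for production use."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example",
                 "Add-Padding": "true"},  # pads responses so size leaks nothing
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries carry
    a count of 0 and therefore never count as a hit."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fetch_range_live):
    """How many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_new_password(password, fetch_range=fetch_range_live, min_length=8):
    """Decision a signup/password-change handler can act on. Follows the shape
    of the NIST SP 800-63B advice: a length floor and a breach-corpus check,
    no composition rules. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"rejected: shorter than {min_length} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"rejected: this password was seen {n} times in data breaches"
    return True, "accepted"


# Constructed stand-in for the API so the example runs offline. The prefix
# 5BAA6 really belongs to SHA-1("password"); the counts and the other
# suffixes are made up and are NOT real Pwned Passwords data.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:999999\r\n"
             + "F" * 35 + ":0\r\n",
}


def fake_fetch_range(prefix):
    """Offline replacement for fetch_range_live (returns a constructed body)."""
    return FAKE_RANGE_RESPONSES.get(prefix, "0" * 35 + ":0\r\n")


if __name__ == "__main__":
    for pw in ("password", "short", "correct horse battery staple"):
        print(repr(pw), "->", check_new_password(pw, fake_fetch_range))
```

Only the 5-character prefix goes over the wire, so the service never learns the password or even its full hash; the match is made locally against the returned suffixes. Because the result is a count rather than a boolean, a backend can choose between a soft warning like the one quoted in the comment above and a hard reject for passwords seen many times.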
Great article! I'm performing research for my job and this explanation helps me tremendously. Thanks so much!
Glad it was useful for you _^