Credential stuffing is arguably one of the scariest cybersecurity threats we face today, if not the scariest. Why? Because credential stuffing can lead to account takeover attacks, through which attackers gain access to personally identifiable information that they can use for identity theft or fraudulent transactions.
The credential stuffing technique is actually pretty simple: attackers try an already compromised username-password pair on other digital services. However, it exploits a weakness that many people, probably even you and me, create themselves: reusing the same password on all of our accounts.
Credential stuffing is very dangerous, and in recent years even big brands like Nest, OkCupid, and DailyMotion have all seen their user accounts compromised due to credential stuffing.
This is why in this guide we will discuss all you need to know about credential stuffing attacks, and especially what you can do to protect your business and yourself from this scary threat.
What Is a Credential Stuffing Attack?
We have briefly discussed the definition of the credential stuffing attack above, but here we’ll delve into the technicalities.
As mentioned, credential stuffing is a fairly straightforward technique in which the perpetrator already possesses a username and password pair. Typically the attacker has obtained a collection of credentials from corporate breaches. These stolen credentials are often sold (or even shared) on various forums and the dark web.
The attacker then simply tries to ‘stuff’ all of these username-password pairs into other platforms. For example, if the stolen credentials are from Gmail, the attacker tries to log in to Facebook with the same credentials.
Billions of credentials have been stolen in the past few years alone, often without the account owner realizing it. Pair this with the fact that many of us use the same usernames and passwords across many different accounts, and it becomes clear why credential stuffing is simple, yet powerful and dangerous.
Credential Stuffing vs. Brute Force Attacks
Credential stuffing can be thought of as a type of brute force attack, but there are several important differences:
- Brute force attacks, as the name suggests, attempt to guess passwords randomly, or with simple patterns and little to no context.
- Brute force attacks are constrained by the limit on login attempts that many websites and systems implement. A credential stuffing attack, on the other hand, simply tries one username-password pair and then moves on, so it won’t trigger the website’s security warning.
So, in a modern web application with even the most basic security measures, like a limit on login attempts, CAPTCHA, and other basic solutions, it is already difficult for a brute force attack to succeed unless the account uses a simple, guessable password.
A credential stuffing attack, on the other hand, can succeed even on the most secure website and even against accounts that enforce very strong passwords.
How Hackers Attempt a Credential Stuffing Attack
While the process might vary, here is a typical sequence of how an attacker performs a credential stuffing attack. Remember that the assumption is that the attacker already owns a working username-password pair.
- The attacker develops or customizes a bot to automatically attempt to log in to multiple user accounts in parallel. The bot typically rotates between different user agents and IP addresses.
- The bot runs an automated process to ‘stuff’ the stolen credentials into many different websites. The process runs in parallel across multiple sites simultaneously to avoid detection and also to eliminate the need to repeatedly log in to a single service over and over again.
- The attacker monitors for successful logins, then salvages anything valuable from the account: credit card information, sensitive data, etc.
- The attacker retains the account information for future use, even to launch other attacks like social engineering or phishing attacks against relatives of the account owner.
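The process above and the comparison with brute force give a defender a concrete signature to look for: a per-account lockout only sees one or two failed attempts per account, while the stuffing source is visible as one client touching many distinct accounts with a very high failure ratio, and the site-wide failure ratio jumps even when the bot rotates IP addresses. The following is an added example (not code from the original article) that runs both views over a constructed authentication log; the log format, field names and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the original article): spotting the credential
# stuffing pattern described above in authentication logs. The log format,
# the field names and the thresholds are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: str
    ip: str
    user_agent: str
    username: str
    success: bool


# Constructed sample log. Assumed format: "<timestamp> <ip> <user-agent> <username> <OK|FAIL>".
# 198.51.100.7 is a legitimate user who mistypes twice; 192.0.2.5 is a classic
# brute-force attempt against one account; 203.0.113.10 is a stuffing bot that
# tries each stolen pair once while rotating user agents.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 ua-desktop carol FAIL
2024-05-01T10:00:09Z 198.51.100.7 ua-desktop carol FAIL
2024-05-01T10:00:20Z 198.51.100.7 ua-desktop carol OK
2024-05-01T10:01:00Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:01:01Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:01:02Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:01:03Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:01:04Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:01:05Z 192.0.2.5 ua-tool admin FAIL
2024-05-01T10:02:00Z 203.0.113.10 ua-1 alice FAIL
2024-05-01T10:02:01Z 203.0.113.10 ua-2 bob FAIL
2024-05-01T10:02:02Z 203.0.113.10 ua-3 dave FAIL
2024-05-01T10:02:03Z 203.0.113.10 ua-1 erin OK
2024-05-01T10:02:04Z 203.0.113.10 ua-2 frank FAIL
2024-05-01T10:02:05Z 203.0.113.10 ua-3 grace FAIL
2024-05-01T10:02:06Z 203.0.113.10 ua-1 heidi FAIL
2024-05-01T10:02:07Z 203.0.113.10 ua-2 ivan FAIL
"""


def parse_log(text):
    """Parse the assumed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, user, result = line.split()
        events.append(AuthEvent(ts, ip, ua, user, result == "OK"))
    return events


def account_lockout_candidates(events, max_failures=5):
    """Per-account control that stops brute force: accounts with too many failures."""
    failures = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.username] += 1
    return sorted(u for u, n in failures.items() if n > max_failures)


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8, max_per_account=2):
    """Per-source view that catches stuffing: one source, many distinct accounts,
    about one attempt each, mostly failing. Returns {ip: summary}."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e)
    findings = {}
    for ip, evs in per_ip.items():
        attempts = defaultdict(int)
        for e in evs:
            attempts[e.username] += 1
        fail_ratio = sum(1 for e in evs if not e.success) / len(evs)
        if (len(attempts) >= min_accounts
                and fail_ratio >= min_fail_ratio
                and max(attempts.values()) <= max_per_account):
            findings[ip] = {
                "accounts_tried": len(attempts),
                "fail_ratio": fail_ratio,
                "user_agents": len({e.user_agent for e in evs}),
                "compromised": sorted(e.username for e in evs if e.success),
            }
    return findings


def site_failure_ratio(events):
    """Site-wide failure ratio: a signal that survives IP rotation, to be
    compared against the site's normal baseline."""
    return sum(1 for e in events if not e.success) / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout candidates:", account_lockout_candidates(evs))
    print("stuffing sources:", stuffing_sources(evs))
    print("site failure ratio: %.2f" % site_failure_ratio(evs))
```

On the constructed log the lockout rule flags only `admin`, the per-source rule flags only 203.0.113.10 (eight accounts, one attempt each, seven failures, three user agents, one account already compromised), and the site-wide failure ratio is far above what a healthy login page shows. Because a real stuffing bot rotates IP addresses, the per-source view should be complemented by the site-wide ratio and by grouping on other client attributes, which is exactly what a bot management layer does.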
How We Can Prevent Credential Stuffing Attacks
1. Invest In a Bot Management Solution
Because a credential stuffing attack is simple yet effective in the specific situation it targets, there is no one-size-fits-all solution that protects every account from it. However, since most credential stuffing attacks are performed by bots or automated software, detecting and managing this bot activity can be very effective in preventing the attempt.
It is important to remember that we can’t simply block all bot activity, because there are also good bots that are beneficial to your website. This is why a proper bot management solution that can accurately distinguish good bots from bad bots in real time is so important. Solutions like DataDome effectively detect and mitigate bots that may be attempting credential stuffing, protecting your website in the process.
2. Educate Employees and Users About The Importance of Strong, Unique Passwords
Educate your employees and users about the dangers of credential stuffing attacks, and encourage them to use strong and unique passwords for each of their accounts. Nowadays there are also various password management solutions that help people use completely unique and very strong passwords for all their accounts with ease.
3. 2-Factor Authentication
2-factor authentication (2FA) or multi-factor authentication (MFA) essentially means asking your users for secondary information besides their password before they can access their account.
The second ‘factor’ can be:
- Something you are: iris/retinal scan, fingerprint, etc.
- Something you have: USB dongle, key, etc.
- Something you know: an additional pin or secondary password
The idea is that even in the case of a successful credential stuffing attack, the attacker won’t be able to access the account, since they would also need this second piece of information.
However, implementing 2FA on too many elements of your site can hurt the user experience, so make sure to use it strategically. For example, you may only want to require 2FA when the client’s activity is suspicious (repeated login attempts, a high or low bounce rate, etc.).
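The step-up approach just described can be expressed as a small policy: compute a few risk signals for the login, and only ask for the second factor when they look suspicious, so that a stolen but valid password alone never opens the account while a returning user on a known device feels no friction. The following is an added example (not code from the original article) that implements such a policy with a TOTP code (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) as the “something you have”; the risk signals, thresholds and login flow are assumptions, and the TOTP secret is the RFC test vector, not a real key.

```python
# Added example (not from the original article): risk-based step-up to a second
# factor, with a TOTP code (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) as the
# "something you have". The risk signals, thresholds and login flow are assumptions.
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class LoginContext:
    recent_failures: int       # failed attempts against this account in the current window
    known_device: bool         # device cookie or fingerprint seen before for this user
    known_ip: bool             # source IP seen before for this user
    site_failure_ratio: float  # site-wide login failure ratio right now (0.0 to 1.0)


def needs_second_factor(ctx, max_failures=3, campaign_ratio=0.5):
    """Decide whether to step up. Thresholds are assumed values."""
    if ctx.recent_failures >= max_failures:        # repeated attempts on this account
        return True
    if not ctx.known_device and not ctx.known_ip:  # entirely new client for this user
        return True
    if ctx.site_failure_ratio >= campaign_ratio:   # site-wide wave of failures
        return True
    return False


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at, last_counter=-1, window=1, step=30):
    """Return the matching time-step counter, or None. Allows +/- `window` steps
    of clock drift and rejects counters already used, so a seen code cannot be replayed."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def login(ctx, password_ok, totp_secret, submitted_code, at, last_counter=-1):
    """Full decision: "denied", "ok" or "second_factor_required"."""
    if not password_ok:
        return "denied"
    if not needs_second_factor(ctx):
        return "ok"
    if submitted_code is None:
        return "second_factor_required"
    matched = verify_totp(totp_secret, submitted_code, at, last_counter)
    return "ok" if matched is not None else "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    # A stuffing bot presents a valid stolen password from a client never seen before
    bot = LoginContext(recent_failures=0, known_device=False, known_ip=False, site_failure_ratio=0.6)
    print(login(bot, True, secret, None, at=59))    # second_factor_required
    # The real user on a known device during normal traffic passes without friction
    user = LoginContext(recent_failures=0, known_device=True, known_ip=True, site_failure_ratio=0.05)
    print(login(user, True, secret, None, at=59))   # ok
```

The flow keeps the password check and the second-factor check separate, verifies the code with a constant-time comparison, and records the last accepted counter so that a code which has already been used is refused even inside the drift window.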
4. CAPTCHA
Using CAPTCHA is the most basic defensive measure against bot activity, and most of us are familiar with it. A CAPTCHA is essentially a test that is (very) easy for humans to answer, yet very difficult for a bot or automated software to solve.
However, with the presence of CAPTCHA farm services, using CAPTCHAs alone is no longer 100% effective in mitigating bot activity. A proper bot management solution on top of the CAPTCHA test is preferred.
Also, as with 2FA, implementing too many CAPTCHAs can hurt your site’s user experience, so use them strategically.
Credential stuffing is a very dangerous cybersecurity threat that can affect virtually all websites, even those with the strongest security infrastructure. The strength of the attack lies in its simplicity, which makes it very difficult to defend against.
While there is no perfect defense against credential stuffing, most credential stuffing attacks are performed by bots, so investing in a bot management solution like DataDome is currently the most reliable approach to protecting your site and systems. Educating your users and employees to always use unique passwords is also very important.