Credential Stuffing: How does it Compare to Similar Attacks?

AT LEAST 7.9 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches in 2019,” according to SelfKey. That means data leaks are growing at an alarming rate and any personal information is not safe online.

Moreover, a large part of this stolen data contains usernames or email addresses and passwords, i.e., user credentials. With millions if not billions of credentials stolen every year, cybercriminals create a large database of credentials, which they utilize to perform credential stuffing, creating much more damage. But, what’s credential stuffing? Let’s learn about it and other similar attacks.

What is Credential Stuffing?

Credential stuffing is a kind of cyberattack where stolen account credentials — usually lists of usernames and/or email addresses and passwords — are utilized to gain unauthorized access to one or more user accounts using large-scale automated login requests mostly directed against a web app or a website.

The login requests are automated using standard web automation tools such as cURL, PhantomJS, and Selenium or specialized login software like BlackBullet, Sentry MBA, STORM, etc. Also, ignorant people provide the biggest help to attackers by reusing usernames and passwords on multiple websites.

For example, Dropbox accounts were getting hijacked during October 2014. In a news post, Dropbox announced that the articles claiming that it has been hacked are false. In order to throw more light, it explained that attackers — after gaining user credentials from different websites — are trying to log in to numerous sites across the Internet including Dropbox. That is, it was credential stuffing.

How Unique is Credential Stuffing?

According to OWASP, credential stuffing — one of the common techniques used to take-over accounts — is “a new form of attack to accomplish account takeover through automated web injection. Credential stuffing is related to the breaching of databases; both accomplish account takeover. Credential stuffing is dangerous to both consumers and enterprises because of the ripple effects of these breaches. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

For instance, attackers gain access to a private repository of Uber in late 2016 using its employees’ credentials. Unfortunately, two-factor authentication was not activated on 10+ employees’ user accounts, allowing the attackers to hijack them. Subsequently, they obtained credentials for Uber’s AWS, which led them to access records of 32 million users and 3.7 million drivers. Then, the attackers demanded a payment of $100,000 for deleting the data. Uber — secretly — paid the attackers through a bug-bounty program. And later, when it got disclosed, Uber was fined £385,000 by the UK Information Commissioner’s Office.

How Dangerous is Credential Stuffing?

We’ve been looking at credential abuse and related attacks since summer 2018, and we think this is one of the key areas the attackers are increasingly transitioning into. We chose to focus on the gaming industry, because it has spawned one of the most active and rapidly evolving underground economies fueled by credential abuse. Attackers see credential abuse as a low-risk venture with potential for a high payout, at least for now. These types of attacks are more likely to increase for the foreseeable future,” according to a report by Akamai (State of the Internet / Security – Web Attacks and Gaming Abuse 2019).

That means credential stuffing is one of the evolving and growing attacks utilized by cybercriminals to wreak havoc across the Internet. That makes it very dangerous for individuals as well as organizations. As it’s highlighted above about Uber, it proves that it’s not just individuals who become victims of credential stuffing. And there is an easy solution: use different passwords each time.

How does it Compare to Others?

1] Credential Stuffing vs. Brute Force Attacks

A brute force attack is where an attacker uses a trial-and-error mechanism to decode or decrypt sensitive data or gain unauthorized access to a computer or an online account. The most common application of such attacks is to crack encryption keys and passwords, which are often functioned using bots.

As quoted above, OWASP places credential stuffing under the category of brute force attacks. The reason being credential stuffing also utilizes a trial-and-error method of using random credentials to gain access to people’s accounts.

However, strictly speaking, credential stuffing is a lot different from traditional brute force attacks. The latter attempts to guess passwords by using random characters along with common passwords. But credential stuffing, though using a trial-and-error method, uses exposed or stolen user credentials. A brute force attack guesses passwords but credential stuffing tries real passwords.

Then, a good practice to avoid brute force attacks is to use long and strong passwords. Since a brute force attack tries every combination, a long password will make it try millions of combinations, making it useless. However, a good defense against credential stuffing is to use different passwords for different services or websites and activate two- or multi-factor authentication.

2] Credential Stuffing vs. Credential Theft

Credential theft is the term for stealing user credentials. It can be done using various mechanisms such as keylogging malware and spear phishing. The first method places a keylogger in the victim’s machine and gains all the text typed by the victim including usernames and passwords. The second method uses email or other electronic phishing tactics to gain the victim’s account credentials.

Credential theft is the first part of any credential-based attack apart from brute force attacks (since it guesses the password). Credential stuffing is another type of credential-based attacks where attackers use stolen credentials to gain access to user accounts. Credential theft is different from credential stuffing since the former is the first step whereas the latter is usually the middle or last step in a credential-based attack. Also, the former is stealing usernames and passwords whereas the latter is using those stolen credentials — a simple difference.