Credential Stuffing Cyber Attack – Examples, Prevention & Detection

Written By Sambita Panigrahy  
Anuraag Singh
Approved By Anuraag Singh 
Published On September 12th, 2023
Reading Time 8 Minutes Reading

In the rise of cyberattacks, hackers are coming up with new & different techniques to target users – Credential stuffing is one of them. In this form of cyberattack, cybercriminals use stolen login credentials from one system or account to attempt to access another (unrelated) system or account.

Caution: People who use the same credentials for more than one account need to watch out for these kinds of credential stuffing attacks.

In the past couple of years, the number of such attacks has been steadily increasing. But, why is it happening so? Let’s have a look at the reasons.

Reason Behind Increasing Number of Credential Stuffing Attacks

The risk of credential stuffing is soaring due to,

1. Credential Availability in Other Platforms: In the past couple of years, usernames and passwords in terms of billions have been stolen or leaked. And, these credentials were put up for sale on the dark web which acts as the source or host of this cyberattack.

2. Latest Technology: With time many sophisticated automation tools such as Bots have been invented. But, they are being misused by hackers. Attacks that use “credential stuffing” make simultaneous attempts to log into numerous accounts using bots or other tools. The tool only makes one attempt to log in to a given system because these bots are designed to test a certain user ID and password combination. Bypassing numerous established security mechanisms, such as those that block IP addresses with too many failed login attempts, is made possible by this.

3. Low Entry Barrier: To carry out a credential stuffing attack, the level of technical skill required is especially low. Anyone having a computer can execute this attack by purchasing credentials on the dark web which may cost $50 USD.

4. Rise in Remote Work: The global pandemic forced users to work remotely in a distributed network. But, the situation was so sudden that the network of the companies left them defenseless and created open doors for the hackers. Cybercriminals took advantage of this loophole by using account credentials from personal accounts to attempt to access business devices and services.

5. Hard to Detect: Last but not least, credential stuffing attacks are very difficult to detect. Because adversaries impersonate a legitimate user, such as an employee, contractor, or even a third-party supplier. This along with other attack vectors makes the job difficult to identify.

credential stuffing attack

Recent Credential Stuffing Attacks

In Jan 2023, one of the biggest electronic payment platforms ‘Pay Pal’ confirmed that it went through a credential stuffing attack. This is a real-life example where unauthorized third parties logged into accounts with valid credentials.

Another biggest credential stuffing example is Norton Lifelock Password Manager. The cyber attackers used stolen credentials to log in to customer accounts and access their sensitive data.

In addition, the biggest name in the food industry ‘Dunkin Donuts’ was hit badly by this attack. This is a credential stuffing example that brings the truth that any industry can be a victim of such an attack.

How Credential Stuffing Works? Understand the Attack Path

Cybercriminals use compromised credentials purchased on the dark web or those that have been stolen from accounts. These login credentials are typically the consequence of a significant data breach or other hacks. Most of the time, this information is easily accessible for a very small cost.

Once the attacker has the login information for at least one online account, they set up a botnet or another automation tool to attempt to get into numerous unrelated accounts at once. In order to avoid activating security technologies that can block foreign or odd addresses & bots typically have a function that masks or spoofs the IP address.

The bot then verifies if any more services or accounts were given access. If the login attempt was successful, the actor would then gather more information, such as personal information, credit card, or bank account details that were already stored.

It doesn’t end here, the fraudsters engage in different scams. For instance;

  • Providing dark web users with access to hacked subscriber accounts for online media, gaming, streaming services, and other services.
  • Making purchases with stored payment methods.
  • Performing an account takeover, in which the attacker seizes control of the account and modifies the security settings, contact information, and other details to facilitate future action.
  • Selling consumer account-based personal information to enable phishing campaigns and promote more sophisticated attack techniques

In addition, hackers can use their time to move laterally, install back doors, learn about the system to use in future assaults, and, of course, steal data if they are successful in breaking into a corporate network through a compromised account, such as one belonging to an employee, contractor, or vendor. It is challenging to identify this activity using conventional security measures because the actor appears to be a legitimate user because they are using authentic account credentials.

how credential stuffing works

An interesting fact is that Credential Stuffing, Brute Force Attacks (BFA), and Password Spraying Attacks, all sound similiar. However, they differ in different aspects. Let’s understand it in depth.

Credential Stuffing Vs Brute Force Attacks – Know the Differences

When a threat actor systematically attempts as many username/guess password combinations as they can to access sensitive data and systems is referred to as a brute force attack. 

Whereas credential stuffing is when an adversary uses stolen credentials & attempts to gain unauthorized access to the system.

There are 3 key differences in terms of,

1. Attack Details:

A threat actor will use a brute-force attack to try to guess the user ID, password, or both in order to obtain access. Most frequently, the attackers base their attacks on widely used passwords or idioms. Generally speaking, an attack only succeeds if the user has chosen well-known and straightforward passwords, such as 123456, Qwerty, or Password.

In a credential-stuffing attack, cybercriminals usually have the user’s login information and they use the same attempt to access a different network. For instance, if an attacker obtains a user’s cell phone service login information through a data breach, they may try to log in to other digital accounts, banking websites, online markets, or other utility services.

2. Access Attempts:

During brute force attacks, The bot is typically trained to attempt several permutations of user IDs and passwords. Although these assaults have grown sophisticated and may be able to bypass security measures, many leads to the IP address being blocklisted as a result of an excessive number of unsuccessful login attempts. Due to this and the absence of information, while attempting to guess the credentials, brute force attacks are much less effective as compared to credential stuffing.

Attacks involving credential stuffing are far more targeted in nature. Here, the bot tests a particular user ID and password on various websites. Such behavior frequently goes undetected by most standard security technologies because the instrument does not make multiple access attempts.

3. Strength of Passwords:

You may avoid the majority of brute-force assaults by choosing strong, distinctive passwords for each website or service since they try to obtain access using a standard, basic password.

Password strength is not a concern in a credential stuffing assault because the attacker uses a compromised account as the origin for subsequent logins. Even the strongest passwords might be dangerous if they are used on many accounts.

credential stuffing attack

Credential Stuffing vs Password Spraying

Let’s understand the difference from the below table.

credential stuffing vs password spraying

How to Prevent Credential Stuffing Attack? Learn Different Safety Measures

To prevent credential stuffing attacks at the enterprise level, there are effective steps that organizations can take. Such as;

1. Activate MFA

This prevention technique implies that users use more than one method to authenticate their identity. Combinations of conventional account credentials, text-based security tokens, authenticator tools, and biometric verification may be used in this. Because attackers often only have access to account credentials, which are mainly useless without an additional authentication factor. So, organizations that enable Multi Factor Authentication (MFA) are much better at keeping themselves safe from credential stuffing assaults.

2. Deploy IT Security Measures and maintain Hygiene

To detect potentially malicious activity, a 360-degree view and monitoring through the Security Operation Center (SOC) are essential. It will provide visibility into the use of credentials across the organization. Plus, it’ll enable you to check the presence of accounts created by attackers to maintain access, and passwords are changed regularly so that stolen credentials cannot be utilized indefinitely.

3. Cybersecurity Awareness

A person who uses the same password for many services is usually invariably the source of credential stuffing attacks. Even if the user chooses a secure password, they run the danger of having it compromised if they use the same credentials for multiple accounts. So, educating employees on the risks of weak passwords is important to avoid the misuse of passwords and it can be achieved through cybersecurity training by professionals.

Sir, for cybersecurity posture management – do we need to target this topic as a blog on systoolsms or only on social media platforms or both?