Move Over, Brute Force Attack. Credential Stuffing Works Better.

Research from Akamai revealed that 28 billion credential stuffing attacks were detected in the second half of 2018, with as many as 115 million malicious login attempts per day in some cases. Retail websites were the most popular target, and financial services companies, along with their customers' portfolios and account information, were also high on attackers' lists. Dunkin' Donuts, Reddit, Intuit, Citrix, DailyMotion and AdGuard have all reported credential stuffing incidents in recent months.

Credential stuffing is a technique in which hackers take large collections of usernames and passwords harvested from previous data breaches and attempt to “stuff” those credentials into the login page of an application or website. Unlike brute force attacks, which involve trying to access one account with many passwords, credential stuffing attacks spread a small number of attempts across many user accounts and multiple systems on a network.

While brute force attacks can be stopped by locking an account after a certain number of failed login attempts, credential stuffing is more difficult to detect because login attempts are spread out across multiple accounts and systems. The challenge is to distinguish legitimate login attempts and activity from credential stuffing attacks.

Hackers also use tools that make their login attempts appear to come from many different locations and browsers, so that the traffic resembles normal user activity. Despite the threat, many organizations are hesitant to implement additional defenses that could make logging in more cumbersome.
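The detection difference described in the two paragraphs above can be shown on a small constructed authentication log. This is an added example, not code from the original article: a per-account lockout rule catches the brute-force pattern, a per-source rule catches stuffing from a single IP, and only a fleet-wide count of distinct accounts with one or two failures each catches stuffing that is spread across many source addresses. All log entries, IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Each event is (timestamp, source_ip, username, success). All values are constructed.
def make_sample_events():
    t0 = datetime(2019, 5, 1, 10, 0, 0)
    ev = []
    for i, user in enumerate(["alice", "carol", "dave"]):   # normal users: one typo, then success
        ev += [(t0 + timedelta(seconds=i), f"192.0.2.{i + 1}", user, False),
               (t0 + timedelta(seconds=i + 30), f"192.0.2.{i + 1}", user, True)]
    for i in range(8):                                       # brute force: one account, many passwords
        ev.append((t0 + timedelta(seconds=5 + i), "198.51.100.7", "bob", False))
    for i in range(25):                                      # stuffing from a single source address
        ev.append((t0 + timedelta(seconds=i), "203.0.113.9", f"user{i:03d}", False))
    for i in range(30):                                      # stuffing rotated over many source addresses
        ev.append((t0 + timedelta(seconds=2 * i), f"203.0.113.{100 + i}", f"cust{i:03d}", False))
    return ev

def brute_force_accounts(events, threshold=5):
    """Per-account lockout rule: accounts with at least `threshold` failed attempts."""
    fails = Counter(u for _, _, u, ok in events if not ok)
    return {u for u, n in fails.items() if n >= threshold}

def stuffing_sources(events, min_accounts=10):
    """Per-source rule: one IP failing against many distinct accounts."""
    users = defaultdict(set)
    for _, ip, u, ok in events:
        if not ok:
            users[ip].add(u)
    return {ip for ip, s in users.items() if len(s) >= min_accounts}

def fleetwide_stuffing_signal(events, window=timedelta(minutes=5),
                              max_per_account=2, min_accounts=20):
    """Aggregate across all sources and accounts: count distinct accounts that each
    failed only a few times inside one window. Returns (alert, peak_distinct_accounts).
    Per-account lockout and per-IP rules both miss this pattern when IPs are rotated."""
    fails = sorted((t, u) for t, _, u, ok in events if not ok)
    per_user = Counter(u for _, u in fails)
    low = [(t, u) for t, u in fails if per_user[u] <= max_per_account]  # low-and-slow only
    peak, start = 0, 0
    for end in range(len(low)):
        while low[end][0] - low[start][0] > window:   # slide the window forward
            start += 1
        peak = max(peak, len({u for _, u in low[start:end + 1]}))
    return peak >= min_accounts, peak
```

The thresholds are placeholders; in practice the fleet-wide count is compared against a baseline learned from the site's normal failed-login volume.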

The key to successful credential stuffing is having a large list of user credentials. After a data breach, hackers post massive collections of user credentials – often in the hundreds of millions – for sale on the dark web. Credential stuffing attacks are successful because most people use simple, predictable passwords and the same username-password combination across multiple accounts.

Unfortunately, credential stuffing will remain a popular attack technique as long as web users are irresponsible with their passwords. In fact, research from the UK’s National Cyber Security Centre found that a list of the top 1,000 passwords will work 75 percent of the time. According to a survey from Virginia Tech University and Dashlane, most people don’t even change their password when they know it was breached. Seventy percent of respondents kept using an exposed password for up to a year, while 40 percent kept using it for at least three more years.

There isn’t much you can do to reverse decades of sloppy password practices by your employees on their personal accounts. However, you can create and document a password policy that lays out clear procedures for creating complex passwords and updating them every month. You should use tools to automate these processes to minimize the risk of human error and laziness.

There are also tools that can detect and prevent credential stuffing without affecting the customer experience. Multifactor authentication and bot detection technology such as CAPTCHA can reduce or even eliminate automated logins. Because it’s impossible to stop every attack, make sure you have an incident response plan to minimize the impact of credential stuffing.

Credential stuffing is a growing but largely preventable problem. Let us help you develop and enforce a strong password policy and implement the necessary detection systems to minimize the risk of a breach.