Credential stuffing, password spraying and account takeover

Each year around 2-3 billion credentials (username/password logon details) are stolen in data breaches. This is known as credential spillage: legitimate credentials, which rely on being known only to the user and (generally as a representation) to the online account provider, become known to the attackers and subsequently to a wider audience.

In a credential stuffing attack, these stolen credentials are used to attempt to gain access to many other online accounts. These attacks yield successful logins to other online accounts because people tend to reuse the same credentials on multiple online accounts. If the attempted login is successful the account can be taken over without the site itself having been compromised by a breach or other means.

Credential stuffing has now become a major security threat – its prevalence is such that it represents a significant proportion of total online account login activity. In the online retail sector for example, credential stuffing attacks have been found to account for 80-90% of total login activity; in the airline industry 60%; consumer banking industry 58%; and in the hotel industry 40% of all login activity. It has been found that US consumer banks face losses of $50m per day through credential stuffing attacks, with online retail firms’ losses amounting to $33m per day.

There is significant evidence that many people reuse the same passwords on multiple online accounts, making credential stuffing attacks possible:

  • Experian found that the average UK user has only 5 passwords which she uses for 26 online accounts.
  • Microsoft discovered that around 20% of the credentials for Microsoft accounts appeared on stolen credential databases.
  • Verizon reported that over 70% of employees reuse passwords at work.

There are four stages in a typical data breach:

Stage 1: The attackers steal the data.

Stage 2: The attackers exploit the data through credential stuffing attacks. They may sell the data to close associates to exploit as well.

Stage 3: The attackers sell the data to a wider group through the dark web. At this stage the data is less valuable as it has already been utilized for credential stuffing attacks aimed at the most obvious targets.

Stage 4: The data is included in publicly-accessible stolen credential databases (such as Have I Been Pwned). Its value for credential stuffing attacks is now reduced further.

Credential stuffing attacks take place during stages 2-4. At some point, the breach is identified by the organization, confirmed and then usually disclosed. It has been found to take 15 months on average between the breach and the disclosure.

Other relevant information:

  • Credentials from old breaches (including those several years ago) continue to provide value to attackers using credential stuffing, as people tend not to change their passwords over time.
  • People also tend not to close unused online accounts. This means that even when unused they are still vulnerable to credential spillage where the data can be used in future attacks.
  • Most people use passwords that have previously been stolen. Troy Hunt found that 86% of the 2.2 million passwords found in one new breach already appeared on his existing database from previous breaches.
  • The trend is towards larger databases of stolen credentials being posted on the dark web, often containing the contents of multiple breaches. A recent example contained 2.2 billion unique credentials. This makes it easier for attackers to carry out extensive and profitable credential stuffing attacks.

Success rates for credential stuffing attacks are in the region of 0.1 to 1%. In other words, for every 1000 attempts to log on using stolen credentials, between 1 and 10 are successful.

Because the attack entails a high proportion of unsuccessful logon attempts, it is automated. Sentry MBA is the most popular credential stuffing attack software used. The tool is easily available online for free, and is simple to operate. Sentry MBA uses proxies to avoid IP-rate limiting. It can also be configured to get around captchas, and can make it appear that the traffic is coming from different browsers. If set up correctly, its traffic can be very difficult to distinguish from legitimate traffic.

A password spraying attack is quite different. Here the attacker utilizes a small number of commonly used passwords (such as “123456”, “qwerty” or “Password1”) in an attempt to gain access to a large number of online accounts. This is different to a brute force or dictionary attack, where an attempt is made on one account by trying a large number of potential password options. With brute force, the account can be locked out after a few attempts (typically 3-5 attempts within a time period). With password spraying, a single commonly-used password is attempted with a large number of accounts in order to avoid triggering account lockouts. This is why password spraying is often referred to as a “low and slow” method.
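The difference between the two patterns shows up in failed-login telemetry. The following is an added example, not from the original post: it runs a per-account lockout counter and a per-source distinct-account counter over constructed events, and the thresholds, window, addresses and usernames are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # failures per account before lockout (assumed)
SPRAY_ACCOUNTS = 10             # distinct failing accounts per source (assumed)
WINDOW = timedelta(minutes=30)  # sliding window for both counters (assumed)

def make_events():
    """Constructed failed-login events as (timestamp, source, username)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Brute force: one source makes 40 guesses against a single account.
    for i in range(40):
        events.append((t0 + timedelta(seconds=i), "198.51.100.7", "alice"))
    # Spray: one source tries one password on 25 accounts, one per minute.
    for i in range(25):
        events.append((t0 + timedelta(minutes=i), "203.0.113.9", f"user{i:02d}"))
    # Background noise: an ordinary user mistyping twice.
    events.append((t0 + timedelta(minutes=3), "192.0.2.15", "bob"))
    events.append((t0 + timedelta(minutes=4), "192.0.2.15", "bob"))
    return sorted(events)

def analyse(events):
    """Return (accounts that hit lockout, sources flagged as spraying)."""
    per_account = defaultdict(deque)  # username -> failure timestamps
    per_source = defaultdict(deque)   # source -> (timestamp, username)
    locked, spraying = set(), set()
    for ts, source, user in events:   # events must be in time order
        acct = per_account[user]
        acct.append(ts)
        while ts - acct[0] > WINDOW:
            acct.popleft()
        if len(acct) >= LOCKOUT_THRESHOLD:
            locked.add(user)          # what a lockout policy sees
        src = per_source[source]
        src.append((ts, user))
        while ts - src[0][0] > WINDOW:
            src.popleft()
        if len({u for _, u in src}) >= SPRAY_ACCOUNTS:
            spraying.add(source)      # many accounts, few tries each
    return locked, spraying

if __name__ == "__main__":
    print(analyse(make_events()))
```

The lockout counter catches only the brute-force target, while the 25 sprayed accounts each record a single failure and never lock; the spray is visible only when failures are grouped by client rather than by account.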

In order to protect against credential stuffing and password spraying attacks, individual users should use a password manager to automate the use of unique, complex passwords for each online account. Organisations wishing to protect employees and customers from these attacks, on the other hand, should consider a number of measures:

  • Limit the number of failed login attempts over a period of time.
  • Monitor repeated attempts to log on from the same client (such as monitoring IP address, user agent, etc.).
  • Implement mechanisms to add complexity for automated logon activity, such as two-factor authentication, captcha, geofencing to restrict logins to local regions, etc.
  • Implement real-time credential monitoring of login attempts, and take action where stolen credentials are used (the actions can vary from user warnings to enforced password change). Client details of failed login attempts should also be checked against known high-activity clients. Credential monitoring is an unobtrusive way to mitigate risk, and should include stolen credential database searches as well as dark web searching.
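
One way to implement the credential-monitoring check at login, as an added example that is not the author's code: the password's SHA-1 is looked up by 5-character prefix, the range-query style used by Have I Been Pwned's Pwned Passwords service, so the full hash never leaves the site. The corpus, counts, `fetch_range` stand-in, action names and threshold are constructed for illustration, and only the password (not the username/password pair) is checked.

```python
import hashlib

# Constructed breach corpus: password -> times seen (counts are made up).
_CORPUS = {"123456": 9000, "qwerty": 4000, "Password1": 12}

def _sha1(password):
    # SHA-1 is used only as the lookup key format, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fetch_range(prefix):
    """Offline stand-in for the remote range query (hypothetical helper).

    Returns 'SUFFIX:COUNT' lines for every corpus hash starting with prefix.
    """
    lines = []
    for pw, count in _CORPUS.items():
        digest = _sha1(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the breach corpus (0 if never)."""
    digest = _sha1(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the 5-character prefix is sent; matching happens locally.
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def login_action(credentials_valid, password, force_change_at=100):
    """Map a login attempt to an action, from user warning to enforced change."""
    if not credentials_valid:
        return "deny"
    seen = breach_count(password)
    if seen >= force_change_at:
        return "force_password_change"
    if seen > 0:
        return "warn_user"
    return "allow"

if __name__ == "__main__":
    for pw in ("123456", "Password1", "a-unique-generated-passphrase-7f3k"):
        print(pw, "->", login_action(True, pw))
```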

One thought on “Credential stuffing, password spraying and account takeover”

  1. Jamie in Hudson Valley November 22, 2019 at 9:33 pm

    This is scary stuff. When you think about all the data hacking and system breaches over the years and then you think about the difference between what you hear vs. the actual number of breaches, again, scary stuff.
