- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
In this article, we’ll define credential stuffing and explain the risks that credential stuffing attacks pose to organizations and customers. We’ll cover recent examples of credential stuffing attacks and discuss how to detect and prevent them. By the end of the article, you should understand the full scope of credential stuffing, including how to protect your customers’ and employees’ account credentials with the right tools.
What Is Credential Stuffing?
Credential stuffing is a type of cyber attack that occurs when a person or bot steals account credentials, such as usernames and passwords, and tries to use them to access multiple systems.
Credential stuffing stems from the notion that people use the same usernames and passwords for different accounts. By testing multiple accounts with the stolen credentials, the cybercriminal using a malicious automation tool might be able to gain entry to multiple accounts—exposing both the user and organization to a wide variety of risks.
The Danger of Credential Stuffing Attacks
Cybercriminals use credential and password stuffing attacks to gain access to sensitive financial, corporate, or personal data. A successful attack can harm an organization’s users by stealing their credit card information to make unauthorized purchases, draining their bank accounts, or selling their information. This type of attack is often automated through bots, making it easy for criminals to scale up attacks to impact a large number of people with a single infiltration strategy.
Credential stuffing attacks damage the trust, credibility, and reputation of infiltrated organizations—with consequences ranging from lost customers and revenue to a deluge of complaints on social media negatively impacting brand and reputation. Meanwhile, an attack puts an extra burden on your teams. Your security team has to spend more time reviewing existing security protocols and shoring up vulnerabilities. Legal has to deal with penalties if law violations occur.
Credential stuffing costs large companies over $2 million per year just to get help with resetting passwords after an attack.
How Does a Credential Stuffing Attack Work?
The attacker first collects account details that they either purchased on the dark web or gleaned from a data breach. Once the stolen credentials are in hand, the attacker attempts to log in to multiple accounts at the same time, typically using a bot or other automated tool that can evade security systems.
If a login attempt is successful, the attacker can then grab sensitive information and use it in a number of ways, such as making purchases or committing other financial fraud. The attacker can change account security settings to lock the authorized users out. They can also sell the personal information they find or even sell access to the hacked accounts.
In the process, a skilled attacker can learn more about the system they’re compromising and find other entry points they can use for additional attacks. It’s also important to note that, because the attacker has a valid user’s account credentials, it’s often difficult for the company to notice suspicious activity right away. It could take months before credential stuffing detection turns up anything, after which extensive damage is already done.
It can take up to 10.5 months to detect credential stuffing.
Popular Credential Stuffing Attack Tools
There are several popular credential stuffing tools today that cybercriminals can easily and cheaply buy online. These tools enable credential stuffing by accessing and combing through lists of users’ prior credentials and then automating login attempts.
Some popular tools include:
- Black Bullet
- Private Keeper
- Sentry MBA
Examples of Credential Stuffing Attacks
Companies across industries are vulnerable to credential and password stuffing, especially if a large portion of business is conducted online. Online transactions create the opportunity for data breaches, which expand and compound the credential stuffing problem.
Here are a few notable credential stuffing attack examples from recent years.
State Farm faced consumer trust fallout and potential legal action
In 2019, a malicious actor used account credentials that had likely been found on the dark web to break into the company’s online accounts. While it appeared that no fraudulent activity happened as a result of the State Farm credential stuffing attack, the company wasn’t sure how many of its 83 million customers were affected.
State Farm suffered a hit to customer trust and brand reputation, and faced possible consequences from the Federal Trade Commission.
Zoom tries to recover 500,000 users’ credentials
In a 2020 Zoom credential stuffing attack, hackers gathered old Zoom account usernames and passwords from breached databases available on dark web forums. Some of the stolen credentials were the result of hacks dating back as far as 2013. The attackers then used multiple bots to attempt to gain entry to the Zoom accounts. Half a million Zoom user credentials ended up for sale again as a repackaged database on the dark web.
Zoom had to hire multiple intelligence firms to find the compromised passwords and another firm to shut down thousands of spoof websites trying to trick users into revealing their credentials.
Spotify cleans up second credential stuffing attack in months
In February 2021, attackers obtained a database with the account credentials of 100,000 Spotify users, then used a malicious logger database to try to get access to the accounts with the apparent goal of taking them over. It was the second Spotify credential stuffing attack in months, with the first one happening in November 2020.
Spotify had to prompt all 100,000 impacted users to reset their passwords, as well as urge the hosting ISP to take down the fraudulent database.
How to Detect Credential Stuffing Attacks
Detecting credential stuffing attacks can be challenging since attacks often look like normal user activity. Organizations can detect credential stuffing attacks by implementing an infrastructure access platform with access management and monitoring capabilities. With these tools, IT teams gain broad visibility into all user credentials and activities across all applications, databases, and servers in the network, making it easier to detect an attack.
Together, access management and monitoring ensure that authenticated users can access their accounts without disruption, while also surfacing any abnormal or suspicious login activity at the user or application level.
How to Prevent Credential Stuffing Attacks
Multi-factor authentication (MFA) is a valuable tool for credential stuffing attack prevention that prioritizes both ease of use and security. In addition to a traditional password, MFA requires other ways to authenticate users. Advanced security devices can enable passwordless authentication, such as a biometric reader or smart card. With MFA, attackers have a harder time accessing accounts if they can’t rely on a username and password combination alone or don’t have the necessary device.
Additionally, credential stuffing can be prevented by educating your organization’s users on password security, and prompting them to change passwords on a regular basis. In the event that a password is stolen, this practice has the added benefit of limiting the timeframe in which the stolen password can be used.
Outside of adopting a comprehensive access management platform and MFA, other ways to prevent credential stuffing attacks include using CAPTCHA and security questions, and requiring users to create their own usernames to make them less predictable.
Credential Stuffing vs. Other Cyber Attacks
Credential stuffing vs. password spraying
Credential stuffing involves usernames and passwords that are already known to be associated with a particular account. In contrast, password spraying is when an attacker uses a known username with a commonly used or generic password to try to gain access to the account.
Credential stuffing vs. brute force
A brute force attack differs from a credential stuffing attack in that attackers will run computer-generated combinations of usernames and passwords until they can successfully log in to an account. Essentially, the attacker is “guessing” and using brute force software to do so.
Credential stuffing vs. account takeover
An account takeover is often the result of the process of credential stuffing. Once an attacker successfully gains entry to an account with the user’s credentials, they can then change the account’s security settings, rendering the authorized user unable to access it.
Credential stuffing vs. directory harvest
A directory harvest attack isn’t about compromised credentials but rather about using different permutations of a company’s standard email address format to try to guess valid email addresses. This type of attack is often used to send spam advertising through email.
How StrongDM Simplifies Credential Stuffing Attack Protection
Credential stuffing protection is critical today as widespread data breaches put more and more users’ account credentials at risk. And with advanced technology that makes credential stuffing attacks easier than ever, it’s imperative to mitigate credential stuffing with efficient, simplified credential stuffing solutions.
StrongDM’s infrastructure access platform helps your organization mount a credential stuffing defense through a single-source, centralized process of user authentication and authorization. With one platform, your IT team can securely store user credentials and manage your organization’s authentication methods while monitoring your networks and infrastructure for suspicious activity.
You can ensure your valid users get access to the accounts and systems they need when they need it and prevent credential harvesting at the same time.
Stop Credential Stuffing with StrongDM
Credential stuffing attacks are multiplying as companies continue to digitize and data breaches proliferate. These attacks cost organizations billions of dollars in remediation efforts and diminish the hard-earned trust that’s central to customer relationships, brand reputation, and revenue growth.
StrongDM’s People-First Access platform provides technical staff with secure access to the critical infrastructure they need to be productive. Prevent credential stuffing attacks with the fast, intuitive, and auditable access required for modern security and compliance.
Ready to get started? Sign up for a free 14-day trial of StrongDM today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.