What is Credential Stuffing?

We all use dozens or even hundreds of different online services: email providers, software applications, streaming services, newspaper subscriptions and much more. Each of these services asks us to create a login – usually at least a username and password. Often, however, these login details are stolen in one way or another and are sold as part of large password collections by cyber criminals. Hackers then use this login data by employing methods such as credential stuffing, for example, to make a profit from the stolen data.

Hackers regularly manage to access the databases of large online services and steal the login details of many, many users. This stolen data is then put up for sale on the dark net in the form of lists. The largest and best-known list is called “Collection #1-5” and contains over 2.2 billion combinations of usernames and passwords – around 900GB of data!

So, what can you do with a list like this? At first glance, not a lot. If a service provider becomes aware of the data theft, they warn their customers and ask them to change their password.

Changing your password does stop hackers from accessing the account concerned. The problem is that many users are creatures of habit. They often use the same email address and password combination for several online services. This is where credential stuffing comes into play as the hackers can then use the stolen login data to their advantage.

With credential stuffing, attackers try to use stolen login details (or “credentials”) to access a system. When doing so, they try many different credentials that they have stolen from other online services. The aim of the attack is to obtain further valuable information from the hacked account, such as credit card numbers, addresses, saved documents, contact data – in short: any other data that they may be able to use to make a profit.

According to statistics, around every thousandth login attempt is successful. In other words, an attacker has to try 1000 different sets of login details to break into a system.

A hacker needs four things for a successful “credential stuffing” attack:

• A list of login details
• A list of popular online services that they want to attack (e.g., Dropbox, Adobe Cloud, Canva, etc.)
• A technique that allows them to use a high number of different IP addresses (IP rotation)
• A “bot” (computer program) that makes login attempts on the various online services completely automatically

With these bots, hackers can try one login after another, systematically changing the originating IP address each time so that the target server doesn’t block the login attempts, as a well-configured server will usually block an IP address if the number of failed login attempts exceeds a certain threshold.

If the login is successful, the bot can then access the valuable information that we mentioned above. The successful login details are also saved for later use – for example for phishing attacks and other similar attacks.

Credential stuffing is often significantly more efficient that the following hacking methods:

• Brute-Force attacks require a much higher number of tries as only random password combinations are tried and not, like with credential stuffing, existing passwords.
• Social engineering usually limits the attack to just one platform (e.g., Amazon), while credential stuffing can attack hundreds of different online services at the same time.

The most simple and secure countermeasure is to use different passwords for different logins. While it’s not exactly convenient, it’s still less of a hassle to come up with a way of remembering all your different passwords than having to change the password for all your logins individually in the event of a security leak.

Effective methods for using different passwords include:

• A password formula, that is the same for all passwords. One good method is to mix the platform name with a fixed number combination. So, your password for Dropbox would be dro33pbox22 and for Amazon it would be ama33zon22, for example.
• Using a password manager; here you can choose between using an app and a browser add-on.
• Using several email addresses and usernames for the different platforms and changing the password each time.

Operators of websites, online stores, and online services have a range of options to choose from when it comes to protecting their users from credential stuffing:

• TOTP-based authentication: uses of a one-off temporary password (time-based one-time password) for the login
• Multi-factor authentication: works by sending an SMS code to the user’s smartphone, for example
• Block headless browsers: like those used by bots
• Block traffic from data centers: like Amazon Web Services or IBM Watson, for example, as bots are often operated from data centers like this
• Use specialized security software: for example, WordPress offers the plugin Wordfence Login Security
• Device fingerprinting: this method identifies different properties of users’ computers, such as the MAC address, the hard drive size, etc. and transforms it into a hash value so that any login attempts from foreign computers can be spotted immediately.