Anonymity Credential Stuffing Attack.

Fixxx

Moderator
Joined
Aug 21, 2024
Messages
177
Reaction score
571
Points
93
1732022483132.png

Every year, millions of accounts are compromised through credential stuffing attacks. This method has become so widespread that back in 2022, according to one authentication provider, there was an average of one credential stuffing attempt for every two legitimate account logins. Over the past couple of years, the situation has likely not improved. In this post we will discuss in more detail how credential stuffing works, what data attackers use and how to protect from such attacks.


What is Credential Stuffing?

Credential stuffing is one of the most effective types of account attacks. These attacks use vast databases of pre-obtained usernames and passwords from accounts on various platforms. Attackers then mass-inject these usernames and passwords into other online services, hoping that some of them will work. The attack is based on the unfortunate fact that many people use the same password across multiple services or even use a single password everywhere. Thus, the attacker's expectations are inevitably met and they successfully hijack accounts using passwords set by victims on other platforms.

Where do such databases come from? There are three main sources:
  1. Passwords stolen through mass phishing campaigns and phishing websites;
  2. Passwords intercepted by malware specifically designed to steal passwords;
  3. Passwords leaked as a result of online service hacks.
The last option allows cybercriminals to obtain the most significant number of passwords. The record here belongs to the 2013 hack of Yahoo!, which resulted in the leak of a staggering 3 billion records. However, it should be noted that services typically don't store passwords in plain text but instead use so-called hashes. Therefore, after a successful hack, these hashes must still be decrypted. The simpler the character combination, the fewer resources and time are required to do this. As a result, users with insufficiently secure passwords are at the highest risk from leaks.

Nevertheless, if attackers really need your password even the most secure combination in the world will eventually be decrypted, sooner or later (in the case of a hash leak, most likely sooner). Therefore, no matter how secure a password is - it should not be used across multiple services!

Databases of stolen passwords are constantly growing, being filled with new data. This results in really large archives, the number of records in which far exceeds the population of the Earth. In January 2024, the largest known password database was discovered, containing 26 billion records.


How to protect against Credential Stuffing Attacks?

I recommend implementing the following protective measures:
  • Encourage the use of password managers to generate and store secure and unique character combinations. Such applications can also help monitor leaks and recommend changing passwords if they have been found in known databases.
  • Always enable two-factor authentication wherever possible. This is the most effective way to protect against not only credential stuffing with previously stolen credentials but also any other account attacks.
  • To mitigate the consequences of a successful credential stuffing attack in advance, the principle of least privilege should be applied and robust protection should be used on all devices.
 
Top Bottom