What is a Credential Stuffing Attack?


Credential stuffing is a type of cyber attack in which stolen account credentials (usually a username or email address and corresponding password) are used to gain unauthorized access to user accounts.

In contrast to credential cracking, credential stuffing attacks do not involve brute force attacks or password guessing.

Attackers use standard web automation tools such as Selenium, cURL, and PhantomJS, as well as tools built specifically for these attacks such as Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet, to replay automated login attempts using thousands to millions of previously leaked credential pairs.

Credential stuffing attacks are possible because many users reuse the same username/password combination on multiple sites. One study found that 81% of users have reused a password on more than one site, and 25% of users report using the same password for the majority of their accounts.

In 2017, the FTC issued recommendations suggesting specific actions companies should take in response to credential stuffing.

According to Shuman Ghosemajumder, former head of Google’s click fraud prevention, credential stuffing attacks have a login success rate of at most 2%, meaning that one million stolen credentials can take over up to 20,000 accounts.


The best protection against credential stuffing is generally considered to be a unique password for every account and two-factor authentication on the user side, combined with detection and blocking of credential stuffing traffic on the company side.
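As an added example (not from the original page), a small detector that applies the distinction drawn above: stuffing spreads one attempt across many accounts and still succeeds about 2% of the time, whereas cracking concentrates many attempts on few accounts. The log events, IP addresses and thresholds are constructed assumptions, not published values.

```python
from collections import defaultdict

# Constructed sample login events (source_ip, username, succeeded); not real traffic.
def build_sample_events():
    events = []
    # One source tries each of 100 leaked pairs exactly once; 2 still work (~2%).
    for i in range(100):
        events.append(("203.0.113.10", f"user{i}@example.com", i in (17, 63)))
    # One source hammers a single account with 40 guesses: cracking, not stuffing.
    for _ in range(40):
        events.append(("198.51.100.7", "admin@example.com", False))
    # A legitimate user who mistyped once, then logged in.
    events += [("192.0.2.5", "alice@example.com", False),
               ("192.0.2.5", "alice@example.com", True)]
    return events

def source_stats(events):
    """Per source IP: number of attempts, set of distinct usernames, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
    return stats

def classify_sources(events, min_attempts=20, max_success_rate=0.05,
                     max_attempts_per_user=1.5):
    """Label each source IP 'stuffing', 'cracking' or 'normal'.

    Stuffing: many attempts spread roughly one per account with a low success
    rate. Cracking: many attempts concentrated on few accounts.
    Thresholds are illustrative assumptions.
    """
    verdicts = {}
    for ip, s in source_stats(events).items():
        n, distinct = s["attempts"], len(s["users"])
        if n < min_attempts:
            verdicts[ip] = "normal"
            continue
        success_rate = s["successes"] / n
        per_user = n / distinct
        if per_user <= max_attempts_per_user and success_rate <= max_success_rate:
            verdicts[ip] = "stuffing"
        elif per_user >= 5:
            verdicts[ip] = "cracking"
        else:
            verdicts[ip] = "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample_events()).items():
        print(ip, verdict)
```

Because a stuffing source still succeeds a few times in a hundred, alerting only on failed logins misses it; the distinct-accounts-per-source ratio is what separates it from ordinary traffic.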

Leaking credentials

Credential stuffing attacks are considered the top threat to web and mobile applications due to the sheer volume of credential exfiltration; in 2016 alone, more than 3 billion credentials were compromised through information leakage.

Credential Stuffing Incidents

On August 20, 2018, UK health and beauty retailer Superdrug came under attack, with hackers claiming they would break into the company’s website and download the records of 20,000 users.

These data were likely obtained from earlier hacks and leaks, and were then used as the input to credential stuffing attacks to gather the information needed to fabricate the evidence the attackers presented.

In October and November 2016, attackers used employee usernames and passwords compromised in previous breaches to access private GitHub repositories used by developers at Uber (Uber BV and Uber UK).

Multifactor authentication was available, but was not enabled on the affected accounts.

The attackers found credentials for the company’s AWS datastore in a repository file and used them to access the records of 32 million non-U.S. users and 3.7 million non-U.S. drivers, as well as other data held in more than 100 S3 buckets. They then sent a threatening letter to Uber, demanding a payment of $100,000 in exchange for agreeing to delete the data.

The company paid the attackers through its bug bounty program, but failed to disclose the incident to affected parties for over a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the UK Information Commissioner.
