What is a credential stuffing attack?
A credential stuffing attack occurs when a threat actor takes credentials (username and password) stolen from one website and tries them against other sites in an attempt at account takeover. These attacks often occur long after a data breach, once older stolen credentials have been packaged for sale and traded on the dark web. SpyCloud customers report that only 20% of their losses stem from credential stuffing attacks; the remainder comes from targeted account takeover (ATO) attacks.
How do credential stuffing attacks work?
After a data breach, attackers typically keep the stolen information within their trusted network until they have fully monetized the data. The attacker may engage advisors to help parse the data and crack passwords. At this stage, wealthy or high-profile victims may be identified and targeted with manual, hands-on account takeovers. The remaining credentials are run through automation: account checker tools “stuff” the stolen credentials into the login forms of as many different websites as possible.
How does credential stuffing differ from a data breach?
Stolen credentials used in credential stuffing attacks are often obtained from data breaches, in which attackers gain access to user databases and sell their contents on dark web markets. In a credential stuffing attack, the attacker does not need to breach the targeted website or service; instead, they use automated crimeware tools to operationalize lists of already-stolen credentials and gain access to accounts.
That said, to individual victims, there’s only a semantic difference between a breach and a credential stuffing attack.
Why do attackers use credential stuffing and password spraying?
The human element is the reason both credential stuffing and password spraying are very effective and relatively simple to carry out. People typically use the same login credentials for multiple websites – as verified in the SpyCloud Identity Exposure Report, which found that 74% of people repeat passwords across multiple accounts.
If attackers can reuse stolen credentials from one website, there is a greater chance they will also gain access to the same users' accounts on other websites that hold valuable information, or to accounts belonging to particular groups of people. From there they can steal personal or financial information, commit fraud (such as identity theft), launch DDoS attacks, or spread malware.
What is the percentage of breaches that involve compromised credentials?
Eighty percent of hacking-related breaches involve the use of stolen credentials.
What are examples of a credential stuffing attack?
A few of the most notable credential stuffing attacks include the following:
- In 2020, Zoom, a web conferencing service, had more than 500,000 passwords stolen, which were then used to access other websites.
- In 2022, LastPass, a password manager used by thousands of users, had stolen passwords used to access other websites.
- In 2023, Dunkin’ Donuts, America’s favorite donut brand, had credentials stolen from over 20,000 Dunkin’ value-card holders.
How to prevent credential stuffing attacks?
Credential stuffing prevention starts with the password itself. Employees and customers often don’t understand the risks of password reuse, so in addition to security awareness training, take proactive measures including:
- Stop the attack at login by automatically checking if the credentials in use have been previously leaked on the dark web
- Force a password reset if the password in use has been stolen or is weak or common
- Automate protection with behind-the-scenes work to halt access if leaked credentials are detected
- Prevent weak password choices by keeping a current list of common passwords, which are easier for criminals to crack, and excluding them up front
- Follow NIST best practices for password creation rules, including:
  - Do require a minimum password length of 8 characters.
  - Do allow 64+ character passwords.
  - Do limit failed login attempts.
  - Don’t require password complexity.
  - Don’t force arbitrary password changes.
  - Don’t use password hints or reminders.
  - Don’t use knowledge-based authentication.
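The list above describes the controls in prose; the following is an added example, written for this page and not SpyCloud's own code, that puts them together in one small login flow: a NIST-style password policy (length bounds, no composition rules, a common-password denylist), an exact-match check against a compromised-password corpus using the k-anonymity hash-prefix pattern, a simplified stand-in for "variation" matching that catches near-copies of a leaked password, a failed-attempt limiter, and a login path that halts access and demands a reset when a correct password is known to be compromised. The breach corpus, denylist, user store, salt and all sample passwords are constructed for the demo; a real deployment would query a large external corpus and use per-user random salts.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data standing in for a breach corpus and a common-password list.
# These are made-up values, not real leaked credentials.
_COMPROMISED_PLAINTEXT = ["password", "letmein", "summer2023", "qwerty123"]
COMPROMISED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMPROMISED_PLAINTEXT}
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "welcome1"}

MIN_LENGTH = 8      # NIST SP 800-63B: at least 8 characters for user-chosen passwords
MAX_LENGTH = 128    # NIST: permit at least 64; longer is fine


def normalize_variant(password: str) -> str:
    """Reduce a password to a base form so near-copies of a leaked password are caught.
    Simplified stand-in for fuzzy matching: lowercase, strip trailing digits/symbols
    (e.g. a year or '!'), then undo common character substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(str.maketrans("@$!01", "asiol"))


COMPROMISED_NORMALIZED = {normalize_variant(p) for p in _COMPROMISED_PLAINTEXT}


def sha1_prefix_lookup(password: str) -> bool:
    """Exact-match check in the k-anonymity style: only the first 5 hex chars of the
    SHA-1 would be sent to a lookup service, which returns every suffix in that range;
    the comparison happens locally. The 'range response' is simulated from the constructed set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    remote_range = {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}
    return suffix in remote_range


def evaluate_password(password: str) -> List[str]:
    """Return the reasons to reject a proposed password; an empty list means acceptable.
    Deliberately no composition rules (no forced upper/lower/digit/symbol), per NIST."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    if sha1_prefix_lookup(password):
        reasons.append("exact match to a known compromised password")
    elif normalize_variant(password) in COMPROMISED_NORMALIZED:
        reasons.append("close variant of a known compromised password")
    return reasons


class LoginThrottle:
    """Limit failed login attempts per account: after max_failures within window_seconds,
    further attempts are refused until old failures age out of the window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def _recent(self, account: str, now: float) -> List[float]:
        self._failures[account] = [t for t in self._failures[account] if now - t < self.window]
        return self._failures[account]

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(account, now)) >= self.max_failures

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._recent(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


_SALT = b"constructed-demo-salt"  # a real system uses a random salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


# Constructed user store: alice reuses a password that appears in the breach corpus, bob does not.
USERS = {"alice": _hash("summer2023"), "bob": _hash("correct horse battery staple")}


def attempt_login(throttle: LoginThrottle, account: str, password: str, now: float) -> str:
    """Login decision: 'locked', 'failed', 'reset_required' (correct but compromised), or 'ok'."""
    if throttle.is_locked(account, now):
        return "locked"
    stored = USERS.get(account)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        throttle.record_failure(account, now)
        return "failed"
    if sha1_prefix_lookup(password):
        return "reset_required"  # halt access and force a reset when leaked credentials are detected
    throttle.record_success(account)
    return "ok"
```

The variant check runs only when the exact check misses, so a user who changes "summer2023" to "Summer2024!" after a breach notice is still stopped; the throttle is keyed per account here, and a production system would add per-source-IP and global rate limits as well, since stuffing traffic spreads across many accounts.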
How does SpyCloud help prevent credential stuffing attacks?
To prevent credential stuffing, SpyCloud identifies both exact-match exposures of compromised passwords and fuzzy/variation matches that could be easily guessed by a criminal. Integrated directly into your login workflows and popular security tools, SpyCloud’s solutions prevent account takeover and online fraud from both automated attacks like credential stuffing and more costly, damaging targeted attacks that leverage stolen authentication data.