Credential Stuffing Attack Prevention & Mitigation

By Josh Hogle. April 28, 2020

You know how security experts keep telling you not to use the same password on multiple accounts? Yup, there’s a good reason for that. It’s called credential stuffing. It’s a type of cyberattack that affects the security of millions of people. As bad as that might sound, there are ways to prevent such attacks and mitigate their impact.

Understanding Credential Stuffing

Credential stuffing is one of many types of brute force attacks. It’s a type of cyberattack that involves massive, automated attempts to log into user accounts with stolen usernames and passwords. Hackers are able to buy billions of login credentials on the dark web, most of which come from corporate data breaches. In some cases, the attacker can glean login hints by scraping social media accounts.

The attacker uses specialized software to “stuff” thousands of username and password pairs into an account login screen, such as the “My Account” page on a banking site. To understand how such an attack can succeed, consider the common but unwise practice of using the same password on more than one Internet account. Let’s say that your name is John Quincy, and you use the username johnq for your bank login, wireless account login and favorite gaming site. You also use the same password, “pass$w0rd”, on all three accounts.

Then, imagine that the gaming site gets breached and your login credential pair johnq/pass$w0rd gets stolen and placed for sale on a dark website along with a million other comparable login pairs. A hacker could then try the johnq/pass$w0rd login pair on other sites, like banks and wireless carriers. Of course, a cybercriminal has no way of knowing which bank you use, but if he or she is persistent enough, there could eventually be a match. And then… the hacker can log into your bank account and drain it.

How Serious of a Risk Is Credential Stuffing?

Credential stuffing is a serious IT security problem. There is certainly no shortage of stolen credentials. The large-scale data breaches we read about nearly every week are feeding new credentials into the dark web. The website HaveIBeenPwned.com tracks more than 8.5 billion compromised credentials, to give you a sense of the scale of the threat. At the operational level, businesses report a huge number of fraudulent login attempts. In some cases, over 90% of login attempts are credential stuffing attacks occurring in real time.

Why It Can Be Hard to Detect an Attack

It should be easy to stop credential stuffing attacks, at least in theory. The attackers use automated tools, so their improper login attempts should be readily identifiable. However, most attackers now use sophisticated tools to mask their activities. For example, a credential stuffing attack can mimic the geographic variety of users trying to log in legitimately. If a bank has customers in a certain region of the US, for instance, the attacker can make it look as if the logins are coming from all over that region. Additionally, the attack tools can vary the timing intervals between login attempts. That way, the target of the attack cannot easily spot a recurring, regularly timed attack. It all looks “normal.”

Preventing Credential Stuffing

Preventive countermeasures are able to stop at least a significant portion of credential stuffing attacks. Rate limiting is one example. With rate limiting, a site can block access from an IP address that makes more than a preset limit of login attempts in a given period of time, e.g. three per second. Another approach involves screening for stolen credentials: checking each attempted login against lists of known stolen credentials. If the system detects compromised credentials, it can block access or send a request for further authentication factors like the answer to a security question.
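The two checks described above can sit in front of the normal password verification. The following is an added example, not code from the original article: the LoginGate class, its return values and the sample breached pair (taken from the johnq illustration earlier) are assumptions made for the sketch.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample list. A real deployment would load a breach corpus here.
# The pair is hashed only so the lookup set does not hold plaintext passwords;
# this is a lookup key, not a password-storage scheme.
BREACHED = {hashlib.sha256(b"johnq:pass$w0rd").hexdigest()}

MAX_ATTEMPTS = 3      # the article's example limit: three attempts...
WINDOW_SECONDS = 1.0  # ...per second, per source IP


class LoginGate:
    """Checks run before password verification (hypothetical helper)."""

    def __init__(self, breached, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.breached = breached
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def check(self, ip, username, password, now=None):
        now = time.monotonic() if now is None else now
        recent = self.attempts[ip]
        # Sliding window: forget attempts older than the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        # Blocked attempts are recorded too, so a client that keeps hammering stays blocked.
        recent.append(now)
        if len(recent) > self.max_attempts:
            return "BLOCK"
        digest = hashlib.sha256(f"{username}:{password}".encode()).hexdigest()
        if digest in self.breached:
            # Known-stolen pair: ask for a further authentication factor.
            return "STEP_UP"
        return "CONTINUE"  # hand over to the normal password check
```

A "STEP_UP" result maps to the article's "request for further authentication factors"; a site that prefers to block known-stolen pairs outright can treat it the same as "BLOCK".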

The bulk of anti-credential stuffing controls, though, utilize enhanced user authentication. Simple username/password pairs are no longer adequate for robust security. Relying solely on a single factor of authentication is asking for trouble, even with rate limiting in place. A simple CAPTCHA step can help quite a lot, but the best practice is to implement some type of multi-factor authentication (MFA). This could be as simple as two-factor authentication (2FA) or more advanced methods using biometrics.

Adaptive authentication is another approach. In this mode of anti-credential stuffing, the user authentication is passive in nature. This is sometimes called device fingerprinting. The entity trying to block bogus login attempts looks at the user’s device reputation, physical location and other behaviors that signal whether the authentication is coming from an actual user or a hacker. Again, sophisticated fraudsters can even outsmart these countermeasures. Hackers tend to be lazy, however. The more obstacles you erect in their way, the more likely they are to give up and instead try to invade a different site with fewer security measures deployed.

Mitigating Credential Stuffing Attacks

New solutions now enable security operations (SecOps) teams to mitigate credential stuffing attacks as they occur. If they can identify a source of suspicious login attempts, for instance, they can block it. This may align with other techniques just described, such as blocking IP addresses that violate rate limiting parameters. They can similarly block automated browsers or other known tools of the credential stuffing trade.
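One way to identify a suspicious source from authentication logs, shown as an added example that is not part of the original article. It flags sources that try many different usernames and mostly fail, a signal that does not depend on timing, and it can group by IP address or by client user agent because an attack spread over many addresses (as described under "Why It Can Be Hard to Detect an Attack") stays below any per-IP threshold. The log format, thresholds and the "HeadlessTool/1.0" agent string are constructed for the sketch.

```python
from collections import defaultdict

# Constructed log lines: epoch_seconds ip user_agent username outcome
# (the sample user agents contain no spaces so a plain split() is enough)
SAMPLE_LOG = """\
1000 198.51.100.7 Firefox/115 alice FAIL
1004 198.51.100.7 Firefox/115 alice FAIL
1009 198.51.100.7 Firefox/115 alice OK
1013 203.0.113.10 HeadlessTool/1.0 johnq FAIL
1031 203.0.113.44 HeadlessTool/1.0 maryk FAIL
1038 203.0.113.91 HeadlessTool/1.0 bobt FAIL
1062 192.0.2.15 HeadlessTool/1.0 carols OK
1070 192.0.2.200 HeadlessTool/1.0 dave9 FAIL
1075 198.51.100.60 Chrome/120 erin OK
"""


def parse(log_text):
    """Turn log lines into dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, agent, user, outcome = parts
        events.append({"ts": int(ts), "ip": ip, "agent": agent,
                       "user": user, "ok": outcome == "OK"})
    return events


def suspicious_sources(events, key, min_users=4, min_fail_ratio=0.7):
    """Return {source: (distinct_usernames, fail_ratio)} for flagged sources."""
    users = defaultdict(set)
    total = defaultdict(int)
    fails = defaultdict(int)
    for e in events:
        src = e[key]  # key is "ip" or "agent"
        users[src].add(e["user"])
        total[src] += 1
        if not e["ok"]:
            fails[src] += 1
    flagged = {}
    for src in total:
        ratio = fails[src] / total[src]
        if len(users[src]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = (len(users[src]), round(ratio, 2))
    return flagged
```

On the sample, grouping by "ip" flags nothing because each address is used once, while grouping by "agent" flags the automated client; the user who mistyped her own password twice is not flagged under either key.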

To mitigate an attack, however, you have to be set up to detect it and then have the tools for stopping it. Not everyone is operating at this level of readiness. The risks of credential stuffing make a compelling case for getting prepared. The business impact of account takeovers can be significant. At a minimum, being able to detect and prevent the attacks will relieve the SecOps team of a stressful workload. It’s worth making an investment in countermeasures for credential stuffing attacks.


About the Author

Josh is the SE Team Lead for the Americas at Hysolate and brings over 25 years of experience in the enterprise IT and security space. Prior to joining Hysolate, Josh was both a Solutions Architect and SE Manager for Imperva and Trend Micro. Josh began his career in IT as the lead for Desktop Engineering at both Purdue and Rutgers University, where he managed over 50k endpoints. He has a diverse background in IT security, administration and development and holds several certifications including an AWS Solutions Architect certification. He graduated with a BS degree in Computer Science from Purdue University.
