Every year thousands of data breaches occur, as we can read in the daily news. The root causes of the breaches range from organizational issues to technical flaws. A new category of attacks emerged a few years ago: ‘credential stuffing’. According to F5, ‘credential stuffing and brute force attacks have been the biggest threats for financial services recently, and the trend shows no sign of slowing’. According to Akamai, ‘hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites within the 17-month period analyzed’. Nowadays credential stuffing attacks are considered among the top digital threats. But what exactly is credential stuffing?
Credential stuffing explained
Credential stuffing is based on the premises that people use the same — or a very similar — password for different services, and that data breaches occur. Both seem to be true:
- A 2019 survey by Google identified that 65 percent of people use the same password for multiple or all accounts.
- A 2019 summary by CNET shows that hundreds of millions of user details are leaked in data breaches in 2019 alone.
The combination of these two facts make credential stuffing work. To perform a successful attack, cybercriminals follow four steps:
- Collect leaked data of hacked websites and applications.
- Extract account information and crack account passwords.
- Try to logon with the leaked and cracked account information on other services. Optionally also use easy-to-guess variants of the password.
- Successful login? Account takeover and abuse.
Contrary to general perception, the four steps are easy to perform. Collecting leaked data of breached websites and applications can be as easy as clicking a download link in a web browser, or registering at an online hacker forum and pay for a password dump by credit card. In many cases, extraction of usernames and passwords can be performed using basic system utilities or your favorite spreadsheet software. Cracking can be very effective using a fast graphics card, as available in any proper gaming PC (displaying 3D graphics and cracking passwords have great similarities). Finally, software to check the credentials on different websites in an automated way can be created using free web automation tools like cURL, Selenium and PhantomJS.
High profile cases of data breaches that included password data and were used in credential stuffing attacks include LinkedIn (2012, over 110 million accounts), Adult FriendFinder (2016, nearly 110 million accounts), MyHeritage (2017, over 90 million accounts), Dubsmash (2018, over 160 million accounts) and WattPad (2020, over 190 million accounts). And things can get even worse. On several occasions cybercriminals sold or published their compilation of breach data, in many cases including plain text cracked passwords. The biggest one so far is called ‘Collection #1’ and contains 2.7 billion email / passwords pairs.
Cyber criminals are mostly motivated by monetary gain. The direct losses of account takeover of for example a bank account is evident. Direct losses are not the only thing that can hurt businesses. Successful account takeover attacks can cause damage to a brand’s reputation, undermine customer confidence and compromised accounts can be used as a stepping stone for further hacking activities and ransomware attacks. Last but not least: data leaks can result in major fines — based on the European Union’s General Data Protection Regulation — up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year.
Advanced password policies are not a silver bullet
You might think that having an advanced password policy might protect you against successful credential stuffing attacks. Unfortunately this is not the case. Attackers can for example take over accounts even if a complex eight position password is required, rate limiting is implemented and the account locks out after a limited number of unsuccessful attempts. How? The issue is that you do not know how third parties protect their passwords, including the passwords of you and your staff’s accounts. Even in 2020, some companies store passwords without any form of protection, in plain text. As a result attackers can instantly recover all passwords, including complex passwords that flawlessly comply with your advanced password policy. If you or your staff re-use (variants of) those leaked passwords, you are vulnerable. Besides plain text storage of passwords, in many cases the passwords are secured using outdated algorithms like plain MD5 or SHA-1. Using a standard gaming PC, it is possible to guess billions of passwords per second for those algorithms. This also allows attackers to recover complex passwords. Finally, many people use similar passwords over time, replacing for example a 1 with a 2, 3, 4 etc. So even if passwords need to be changed frequently, the future passwords might be predictable. Old data breaches still might be useful here, to help an attacker to look into the future.
With the found username and recovered password, an attacker needs a single guess per account, or just a few if variants are included. This low guess count per account combined with the high percentage of password re-use and the law of large numbers typically results in success for the attacker, despite advanced defenses.
To conclude, having an advanced password policy is always a good idea but this will not stop all credential stuffing attacks from being successful.
Multi Factor Authentication is not a silver bullet
So what about Multi Factor Authentication (‘MFA’)? Let us assume that all internal and external applications of your organization are using MFA. This fixes the issue for applications that are under your control. However, you and your staff are most probably also using external third party services for your professional activities, like file sharing platforms, conferencing tools, chat applications and supplier portals. High chances that those platforms are not all using MFA and contain non-public company information, personal identifiable information (‘PII’) or client data. Eventhough a leak might not originate from your application, it is still your (client) data that is leaked. Sensation-hungry newspapers and your company or clients do not care what the path of the leak was: you cannot outsource accountability. In the end the goal is information security, not on-premise account security. Information security is only fully effective if all paths to your valuable information are protected with MFA. A goal that is almost impossible to achieve with the high number of external services most organizations are using nowadays.
In conclusion, having MFA in place is always a good idea, but remember that you are not safe against credential stuffing attacks until the moment that all the third party services that you are using and contain valuable information are protected using MFA.
The perfect example is the 2016 Uber breach, exposing PII of 50 million Uber customers and 7 million Uber drivers. Using credential stuffing, hackers gained unauthorized access to a private GitHub (third party service) source code repository used by Uber software engineers, and used credentials from that repository to access Uber’s data storage instances on Amazon Web Services (third party service). MFA on all internal Uber applications would not have stopped this attack.
At Scattered Secrets, we offer effective account takeover prevention. Unlike competition, we do not limit ourselves to uncheckable claims like having the very best world-class analysts, out of this world artificial intelligence or next level machine learning. Instead, we follow the process of the bad guys to level the playing field. So we also collect data breaches, we also extract account information and we also crack the corresponding passwords. The big difference is: we provide the information to the verified account owners, so they can use it to adequately protect themselves against credential stuffing attacks. We do have some advantages over the bad guys. Scattered Secrets cracks password on an industrial scale and uses advanced in-house developed hardware that is out of reach for most attackers, your internal security team and our competition. How to check that we have the best data? Just create a free community account for your email address and check what data was leaked and cracked. Interested in the exposure of your organization? Please contact us and do the same for other account takeover solutions. We will provide you with the metadata of directly actionable information (number of recovered email / password pairs). Then just match our results with the competition’s data and you will know that we are verifiable best in class in providing high quality account takeover prevention!
Using our resources and knowledge we create an intelligence feed that allows you to:
- Pro-actively block the use of known bad email / password combinations at account creation and password changes.
- Pro-actively protect existing accounts when new email / password combinations were found that are used by your staff and customers. We monitor everything for you and raise a red flag only when information that can actually be misused has been acquired.
- Create password blacklists to prevent the use of (variations of) found passwords for other than the leaked accounts and prevent the use of passwords that are predictable based on leaked data (‘Summer2020’ → ‘Winter2020’, ‘Password10!’ → ‘Password11!’ etc.).
These mechanisms can be applied to both your internal accounts (e.g. Active Directory) and your client portals (e.g. webshops, customer profiles).
Our data, especially when combined with an adequate password policy and MFA, makes sure that the grass is greener on the other side. At the end of the day credential stuffing also needs a business case for the cybercriminals. If you are well prepared, their effort will not pay back and they will visit your neighbor or competitor. As a result your risks will be drastically reduced. So do not wait until it is too late: use Scattered Secrets to stop successful credential stuffing!
Here you can find the original article on the website of Scatterd Secrets