What is Credential Stuffing?

Credential stuffing is an attack in which previously leaked or illegally obtained credentials are tried en masse against other services in order to gain unauthorized access. The attack relies on users reusing the same username and password at several services at once. It is one of the most common cyber attacks on the Internet.

What is Credential Stuffing?

Credential stuffing is a very common attack method on the Internet. Attackers take username and password pairs that were leaked or stolen in earlier breaches or other cyberattacks and try them against other online services.

The method works because many users reuse the same username and password at several services at the same time. Lists containing large numbers of valid credentials can be acquired by attackers for this kind of attack, for example on the darknet.

Botnets are usually used for the login attempts, which makes it difficult for service providers to recognize them as a mass attack. Once an attacker gains unauthorized access to a service or system, the access is used for further criminal activities.


How credential stuffing works

As the input for the attack, the attackers need a list of valid credentials belonging to individual users of particular services. These lists usually contain thousands of entries, each combining a username or email address with a password. The attackers then define the online services against which they want to try the credentials.

The list of services and the list of credentials are fed into a botnet, which processes the lists automatically and executes mass login attempts from many individual computers with different IP addresses. Spreading the attempts across the botnet disguises them and makes it difficult for service providers to detect and block the unauthorized login attempts.

All successful access attempts are documented and subsequently used by the attackers for further criminal activities.

Differentiation from the brute force attack

Credential stuffing is clearly distinct from a brute force attack. In a brute force attack, passwords generated according to some method are tried in combination with a username until a combination happens to fit. Credential stuffing, on the other hand, tries combinations of usernames and passwords that are already known to be valid at one service against other services.

Brute force attacks have to try far more combinations before an attempt succeeds, so strong passwords reduce their likelihood of success. For credential stuffing, a strong password is no obstacle if it is reused at several services.


Protective measures against credential stuffing

The most important protective measure against this attack method is not to reuse credentials across services: each account at an online service or system should have its own combination of username and strong password, used nowhere else.

The following additional measures help prevent credential stuffing:

  • Regularly check whether your credentials have been compromised or stolen (numerous services on the web offer to check published breach lists)
  • Use multi-factor authentication
  • Use an additional CAPTCHA at login
  • Use one-time passwords
  • Use security systems that detect and block mass, automated login attempts by botnets
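The differentiation section above describes the two attack shapes, and the last protective measure calls for systems that recognize mass automated login attempts. The following added example (not code from the original article) shows the detection logic a defender would run over authentication logs. The log line format, the sample events and all thresholds are assumptions constructed for illustration; the point is that a brute force attack concentrates many failures on one username from one source, while credential stuffing produces roughly one attempt per username from many bot IPs, each staying below a per-IP lockout threshold, so per-IP rate limiting alone misses it and aggregate signals are needed.

```python
"""Distinguish brute force from credential stuffing in login logs.

Added example, not from the original article. The log format, the sample
events and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Assumed line format: <ISO timestamp> <client IP> <username> <OK|FAIL>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def make_sample_log():
    """Constructed sample log: three one-hour windows with different shapes."""
    lines = []
    # 10:00 window: one source tries 30 passwords against one account (brute force)
    for i in range(30):
        lines.append(f"2024-01-01T10:00:{i:02d}Z 203.0.113.5 alice FAIL")
    # 11:00 window: 30 leaked username/password pairs, each tried once from a
    # different bot IP; two users reused their password, so those logins succeed
    for i in range(30):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"2024-01-01T11:00:{i:02d}Z 198.51.100.{i + 1} user{i:02d} {result}")
    # 12:00 window: ordinary traffic, one mistyped password
    lines += [
        "2024-01-01T12:00:05Z 192.0.2.10 bob OK",
        "2024-01-01T12:01:10Z 192.0.2.11 carol FAIL",
        "2024-01-01T12:01:20Z 192.0.2.11 carol OK",
        "2024-01-01T12:02:00Z 192.0.2.12 dave OK",
    ]
    return "\n".join(lines)


def parse(log_text):
    """Return (timestamp, ip, user, success) tuples; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events


def summarize(events):
    """Aggregate counters that describe the shape of the attempts in one window."""
    per_user = defaultdict(int)
    per_ip = defaultdict(int)
    failures = 0
    for _, ip, user, ok in events:
        per_user[user] += 1
        per_ip[ip] += 1
        failures += 0 if ok else 1
    n = len(events)
    return {
        "attempts": n,
        "failure_rate": failures / n if n else 0.0,
        "distinct_users": len(per_user),
        "distinct_ips": len(per_ip),
        "max_per_user": max(per_user.values(), default=0),
        "max_per_ip": max(per_ip.values(), default=0),
    }


def classify(events, min_attempts=20, min_failure_rate=0.8, per_ip_lockout=5):
    """Label one window; the thresholds are illustrative assumptions."""
    s = summarize(events)
    if s["attempts"] < min_attempts or s["failure_rate"] < min_failure_rate:
        return "normal"
    # Brute force: the failures pile up on a single username.
    if s["max_per_user"] >= s["attempts"] // 2:
        return "brute_force"
    # Credential stuffing: about one attempt per username, spread over many
    # source IPs, each source staying below the per-IP lockout threshold.
    if s["distinct_users"] >= 0.8 * s["attempts"] and s["max_per_ip"] < per_ip_lockout:
        return "credential_stuffing"
    return "suspicious"


def _by_hour(log_text):
    """Bucket parsed events by hour using the timestamp prefix (YYYY-MM-DDTHH)."""
    windows = defaultdict(list)
    for ev in parse(log_text):
        windows[ev[0][:13]].append(ev)
    return dict(sorted(windows.items()))


def classify_windows(log_text):
    """Label every hourly window in the log."""
    return {w: classify(evs) for w, evs in _by_hour(log_text).items()}


def accounts_to_reset(log_text):
    """Usernames that logged in successfully inside a credential-stuffing window:
    their reused password is now known to the attacker and must be changed."""
    hits = []
    for evs in _by_hour(log_text).values():
        if classify(evs) == "credential_stuffing":
            hits += sorted(user for _, _, user, ok in evs if ok)
    return hits


if __name__ == "__main__":
    log = make_sample_log()
    for window, label in classify_windows(log).items():
        print(window, label)
    print("force password reset for:", accounts_to_reset(log))
```

On the constructed log the 10:00 window is labelled `brute_force`, the 11:00 window `credential_stuffing`, and the 12:00 window `normal`; the two successful logins in the stuffing window are the accounts to reset and to step up to multi-factor authentication. In a real deployment the same counters would be computed per sliding window, and a sudden rise in distinct usernames with a high failure rate is the signal to raise CAPTCHA or block the sources.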
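The first measure in the list, checking whether credentials appear in published breach lists, raises the question of how to query such a service without sending it the password. The following added example (not code from the original article) shows the k-anonymity range query design used by breach-check services: the client sends only the first five hex characters of the SHA-1 of the password, the server returns every hash suffix in that bucket with its count, and the comparison happens locally. The breach list and the server function here are constructed for the example and are not a real service.

```python
"""Check a password against a breach list without revealing it.

Added example, not from the original article. Models the k-anonymity range
query: only a 5-hex-character SHA-1 prefix leaves the client. The breach list
below is constructed for illustration and the server is a local function.
"""
import hashlib

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach list: password -> number of times seen in leaks.
# A real list stores only the hashes; the plaintext here is for readability.
BREACHED = {
    "password": 3_000_000,
    "123456": 9_000_000,
    "letmein": 200_000,
    "qwerty": 1_500_000,
}

# Server-side index: prefix (5 hex chars) -> {suffix (35 hex chars): count}
BREACH_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in BREACHED.items():
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def server_range(prefix: str) -> str:
    """Server side: answer a prefix with 'SUFFIX:COUNT' lines, one per match.
    The server never sees the full hash, only which of 16^5 buckets to return."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = BREACH_INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def exchange(password: str, query=server_range) -> dict:
    """Client side: run the full protocol and record both messages.
    Returns what was sent, what came back, and the breach count (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    response = query(prefix)
    count = 0
    for line in response.splitlines():
        candidate, _, seen = line.partition(":")
        if candidate == suffix:
            count = int(seen)
            break
    return {"client_sends": prefix, "server_returns": response, "count": count}


def check_password(password: str) -> int:
    """Convenience wrapper: how many times the password appears in the breach list."""
    return exchange(password)["count"]


def acceptable_password(password: str, min_length: int = 12) -> bool:
    """Registration policy: reject short passwords and any that appear in a breach."""
    return len(password) >= min_length and check_password(password) == 0


if __name__ == "__main__":
    for pw in ("password", "Tz9#kq-Lemur-orbit-4471"):
        result = exchange(pw)
        print(f"{pw!r}: client sent prefix {result['client_sends']}, "
              f"breach count {result['count']}, acceptable={acceptable_password(pw)}")
```

The client learns whether its password is in the list, while the server learns only a prefix shared by about one in a million possible hashes, so a compromised or logging server gains nothing usable. The same check belongs at registration and password change, where a breached password should be rejected before it can ever be reused against the service.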