How Credential Stuffing Can Derail Your Business and What to Do About It

What Is Credential Stuffing?

In a credential stuffing attack, fraudsters use automated tools (i.e. bots) to break into user accounts. The bots inject stolen credentials, generally usernames and passwords, into login forms to gain access and assume control of victim accounts. To overcome failures, attackers may insert multiple variations of the credentials, adding a brute-force element to the attack.

The attackers typically collect the stolen credentials from data breaches, password dumps, phishing attacks, or via the dark web. People tend to reuse usernames and passwords across sites, so trying to login through the target site with a leaked password used on another site often works.

The perpetrators generally target a wide variety of websites and apps such as social media platforms, ecommerce sites, banking websites, email platforms, and other services. A successful attack can uncover hundreds or even thousands of valid login credentials. When that occurs, the fraudsters have a multitude of options for each working credential set. Depending on the type of site compromised, possibilities include:

• Draining the account of stored funds
• Making unauthorized purchases 
• Harvesting personally identifiable information (PII) to use in financial fraud
• Using the account to send spam, scams, or phishing emails
• Selling the working credentials to other criminals

What Is the Current State of Credential Stuffing?

Credential stuffing attacks are on the rise, with billions of stolen credentials now available to attackers. As part of a public awareness campaign, the New York Attorney General issued a bulletin on January 5, 2022 to raise public awareness about the threat. According to the bulletin, an investigation recently discovered 17 well-known companies that experienced significant credential stuffing attacks. Many of the firms were unaware that their customers' passwords had been compromised. “Right now,” the bulletin reads, “there are more than 15 billion stolen credentials being circulated across the internet.” 

Here are some other recent examples of significant credential stuffing attacks:

• In February 2021, Dark Reading covered an attack targeting a popular music streaming platform. Those responsible for the attack used a database containing over 100,000 account details that were likely leaked from somewhere else. The attackers attempted to log into the music platform’s accounts using those details.
• Eight months later, Threatpost reported on a security incident involving an all-digital wireless carrier. After customers of the service took to social media to reveal that they had lost access to their accounts and in some cases received bills for new iPhones, the carrier weighed in on what happened. The entity said that it had not suffered a data breach. But it did describe a credential stuffing attack, explaining how “threat actors were able to access username/passwords from outside sources, and exploit that information to login to … accounts.”

The security community is seeing a rise of credential stuffing attacks like those described above for several reasons. First, many organizations continue to use single-factor authentication (SFA) to protect their authorized accounts. This enables malicious actors to gain access to and misuse an account if they obtain the corresponding credential set from a data breach or other source, without requiring a second form of verification like clicking an email link or getting an SMS code.

Second, many users reuse the same passwords for multiple accounts, which raises the likelihood of a credential stuffing attack succeeding across multiple web services. This sort of password reuse occurs even though users typically know of the risks. A majority (92%) of respondents to a survey covered by Help Net Security in September 2021 said that they knew that password reuse was a risk. But approximately two-thirds of survey participants admitted that they had reused their credentials anyway.

Third, malicious actors are using a variety of tools to help them to evade detection. This applies to credential stuffing as well. Information Security Buzz reported that malicious actors are specifically using tools to help them determine which passwords belong to which sites. Through these types of utilities, attackers can improve their chances of flying under the radar by limiting the number of authentication attempts against a web service.

How Can Organizations Defend Against Credential Stuffing?

From a fraudster’s point of view, the success of a credential stuffing attack depends on a number of factors. Avoiding detection is of course paramount. More sophisticated defensive solutions like hCaptcha Enterprise thus focus on detecting and challenging suspicious activity as quickly as possible, often on the first request.

Speed is also critical to bad actors. Depending on password length, encryption, and other security measures, it takes anywhere from a few seconds to multiple years to “crack” a credential set. Unless a fraudster can quickly complete an attack, the odds of success are simply too low, and the probability of detection is too high. An active challenge solution like a CAPTCHA can thus greatly increase the cost of an attack, making it less attractive to attack. Bad actors tend to stay away from sites with technology that slows them down, and attack sites without such tools.

So what steps can an organization take to detect and stop credential stuffing attacks at the outset? Likewise, what can companies implement beforehand that will slow down attacks that do get started?

Here are some key solutions that will help: 

• Leverage a fraud detection and prevention platform. These solutions use technologies like behavior analytics, machine learning, and other tools to distinguish the difference between a real human and a bot. The latest and most advanced generation of these tools like hCaptcha Enterprise have proven very effective in detecting credential stuffing attacks.  
• Implement multi-factor authentication. The length of a password doesn’t mean anything if malicious actors gain access to it from a data breach or another source. To protect against this possibility, organizations can implement a multi-factor authentication (MFA) scheme that requires users to submit another factor of authentication such as a fingerprint or a verification code generated in a mobile app. These security controls can help to prevent malicious actors from compromising an account even if they’ve succeeded in obtaining the corresponding login name and fixed password.
• Use passwordless authentication. Credential stuffing hinges on users needing a username and password to authenticate themselves. But if they don’t need to use a password, malicious actors will find it more difficult to automate authentication. This is what’s known as “passwordless authentication,” a security approach that verifies users purely based upon authentication factors other than passwords. It is still open to spoofing and other attacks, however, and must be combined with a fraud detection and prevention platform to detect more sophisticated threat actors.
• Implement user behavior analytics. It’s not always possible for organizations to prevent a credential stuffing attack from occurring. They also need the ability to detect a credential stuffing attack that’s in progress. That’s where user behavior analytics comes in. Teams can use these types of solutions to spot suspicious activity across an organization’s accounts that could be indicative of an account takeover following a credential stuffing attack. Modern platforms like hCaptcha Enterprise can also directly alert teams to suspicious trends and start remediating attacks in real-time.

How Can hCaptcha Help to Defend Against Credential Stuffing?

hCaptcha is a fraud and bot mitigation platform, specifically designed to stop automated attacks like credential stuffing, account takeovers, web scraping, and many more kinds of abuse.

hCaptcha’s advanced machine learning capabilities instantly analyze visitor behavior to accurately and seamlessly deduce whether the visitor is a bad actor or a legitimate human user. Unlike other solutions, hCaptcha has always started from a privacy-first perspective, and its data-minimizing design delivers high security without compromising user privacy, processing requests close to the user and maintaining compliance with evolving privacy laws around the world while providing minimal friction to the user.

Click here to learn more about hCaptcha’s advanced accuracy and machine learning technologies, unique compliance with GDPR and other privacy laws, enterprise scalability, and other features.

‍