Over the past few months, Cooley’s incident response team has seen an increase in “credential stuffing” attacks. Credential stuffing is an account takeover attack in which actors obtain usernames and passwords available on the dark web from prior data breaches, and then attempt to log in to various online accounts using those credentials. This type of attack differs from a credential cracking or brute force attack, which involves attempting multiple passwords for a single account until successful. Here, attackers use scripts or other automated means to run stolen credentials against their targeted online accounts. Inevitably, some of the stolen usernames and passwords still work. In this post, we discuss the nature of these attacks, the recent increase in their frequency, and how best to respond to them and mitigate business impact.

Akamai’s new 2019 State of the Internet / Security Report identifies 28 billion credential stuffing attacks between May and December of 2018, which equates to more than 115 million login attempts per day. In recent months, companies including Dunkin Donuts, Dailymotion, Nest, Reddit, and AdGuard have all reported this type of credential stuffing incident. These attacks exploit the common, but insecure, practice of users utilizing the same or similar passwords across multiple online accounts. In a study performed last year, analysts from Virginia Tech University and Dashlane reviewed approximately 61 million passwords from over 28 million users and found that approximately 52% of users used identical or very similar passwords across multiple accounts. According to the study, people continue to use the same passwords even after they have been leaked in previously reported breaches; more than 70% of users were using the compromised passwords up to a year after exposure, and approximately 40% of these passwords were in use over three years after being compromised.

This type of attack presents an increasing threat as more and more user credentials are being compromised and made available. In January of 2019, Troy Hunt, the founder of Have I Been Pwned, reported on the discovery of Collection #1, a trove of 1,160,253,228 unique combinations of email addresses and passwords available for sale on the black market. Since that time, Collections #2–5 have surfaced. Based on reports, these additional collections contain approximately 845 gigabytes of stolen data and 25 billion records.

A key challenge for businesses trying to prevent, detect and respond to this type of attack is the difficulty of differentiating illegitimate logins and activity from legitimate user activity. Unlike brute force attacks, a credential stuffing attack typically does not involve numerous login attempts for the same user accounts, making account lockout policies or thresholds less effective. Although rate-limiting protections can be effective, these protections are often bypassed through specific tools designed to make credential stuffing attacks look more like normal user activity. These tools may incorporate proxy lists, which make the traffic appear to originate from various IP addresses, or manipulate user-agent string information so login attempts appear to be sent from various browsers. Furthermore, even though certain protections may be available, companies are often reluctant to put rigorous credential stuffing protective measures in place for fear that they may make it more difficult for users to use their services and diminish the legitimate user experience.
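The following Python sketch is an added example, not part of the original post. It runs three checks over a constructed login log to show why per-account lockout and per-IP rate limits miss a proxied credential stuffing burst, while an aggregate view (many distinct accounts failing in the same window) flags it. The event format, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success)
def build_sample():
    events = []
    # Legitimate user mistypes a password three times, then succeeds.
    for i in range(3):
        events.append((100 + i * 5, "198.51.100.7", "alice", False))
    events.append((120, "198.51.100.7", "alice", True))
    # Stuffing burst: 60 accounts, one attempt each, each via a different proxy IP.
    for i in range(60):
        ok = i % 20 == 0  # a few reused passwords still work
        events.append((600 + i, f"203.0.113.{i + 1}", f"user{i:03d}", ok))
    return events

def lockout_hits(events, threshold=3):
    """Accounts that a per-account lockout policy would trip on."""
    fails = Counter(u for _, _, u, ok in events if not ok)
    return sorted(u for u, n in fails.items() if n >= threshold)

def per_ip_hits(events, limit=5):
    """Source IPs that a per-IP rate limit would throttle."""
    per_ip = Counter(ip for _, ip, _, _ in events)
    return sorted(ip for ip, n in per_ip.items() if n > limit)

def stuffing_windows(events, window=60, min_accounts=20, min_fail_ratio=0.8):
    """Time windows where many distinct accounts fail, whatever the source IP."""
    buckets = defaultdict(list)
    for ts, _, user, ok in events:
        buckets[ts // window * window].append((user, ok))
    flagged = []
    for start, rows in sorted(buckets.items()):
        failed_accounts = {u for u, ok in rows if not ok}
        ratio = sum(1 for _, ok in rows if not ok) / len(rows)
        if len(failed_accounts) >= min_accounts and ratio >= min_fail_ratio:
            # Successful logins inside a flagged window need review and reset.
            exposed = sorted(u for u, ok in rows if ok)
            flagged.append((start, len(failed_accounts), exposed))
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("lockout would hit:", lockout_hits(sample))
    print("per-IP limit would hit:", per_ip_hits(sample))
    print("aggregate windows flagged:", stuffing_windows(sample))
```

On this sample the lockout policy only inconveniences the legitimate user, and the accounts that logged in successfully during the flagged window are the ones to validate and reset first.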

Once the actors have successfully gained access to an account, they seek to abuse and monetize their access. This may include purchasing and then reselling retail goods; harvesting and selling personal information contained in the account; compromising and monetizing financial resources available within the account (e.g. account or gift card balances); leveraging discounts, promotions or status levels associated with compromised accounts; or incorporating information from accounts into future attacks, including targeted phishing campaigns and business e-mail compromise attempts.

Unfortunately, these attacks impose significant costs on victimized businesses. These costs come in many forms, including fraud-related financial losses, potential application or website downtime, costs to investigate and remediate compromised accounts, reduced customer satisfaction, and reputational harm to the business. The most direct cost relates to financial fraud perpetrated using information from compromised user accounts. According to a study conducted by the Ponemon Institute, the estimated annual cost of financial fraud due to credential stuffing attacks can range from $500,000 to $54,000,000, depending upon the success rate of compromising user accounts. However, the same study showed that even the indirect costs of credential stuffing attacks can be significant, with the estimated annualized costs exceeding $6 million.


Preventing, detecting and responding to credential stuffing attacks can be both challenging and expensive. While various technological options are available, including certain commercial products (such as those offered by Experian or Akamai) designed to identify and prevent these attacks, most organizations will rely on a combination of internal and external controls designed to limit their success. Examples include implementing multi-factor authentication, adding bot detection and prevention technologies, such as CAPTCHA or reCAPTCHA, or adopting a multi-step login process.

Organizations must also consider the legal implications of these attacks. While the use of previously breached credentials on another organization’s site may not constitute a “data breach” under relevant breach notification laws, the unauthorized access or acquisition of personal information (e.g., a user’s Social Security number or financial account information) in an account compromised by credential stuffing could impose notification obligations on companies.

Beyond efforts to prevent credential stuffing attacks, organizations should develop a plan in advance for responding to these incidents, including:

  • Assessing what information is accessible from within the account, including personal information;
  • Implementing fraud detection controls with respect to financial transactions that can be performed from user accounts;
  • Investigating whether it is feasible and practical to limit the information accessible from within a user account page (including taking steps to mask or redact sensitive information and/or require further validation and authentication before displaying more sensitive personal information in the account); and
  • Developing specific “credential stuffing” playbooks and procedures to augment existing incident response planning documents, which may include a process flow for assessing applicable legal obligations relating to these incidents, a formalized process for account validation and resetting user credentials, and pre-prepared user communication templates or documents.

Until society moves away from the password to authenticate user access to online accounts, or users engage in better password management, these types of attacks will become more common. Proactively addressing the risk can help mitigate significant business impacts.


David Navetta

Kristopher Kleiner

Posted by Cooley