What Is Credential Stuffing?
By Diego Poza, Senior Developer Advocate Engineer II, Auth0
Credential stuffing attacks are one of the most prevalent cybersecurity threats of 2020. On Auth0's platform alone, nearly half of all login requests we receive daily are attempts at credential stuffing. And the problem is only compounding as more credentials are exposed; at present, literally billions of compromised credentials are circulating on the dark web.
What Are Credential Stuffing Attacks?
Let's say you set M8gu96mB76 as your Netflix password, and then you re-use it (even though you know better) as your password for Amazon, your New York Times subscription, and even your bank account. If a hacker breaks into any one of these systems and gets your password, they could use it to gain access to all the rest.
It's a form of account takeover, and its consequences can range from frustrating inconveniences (as in the Disney+ hack that locked subscribers out of their accounts) to disturbing and nefarious crimes (such as when hackers broke into Ring home cameras to spy on children).
Once hackers gain access to the victim site, they can cause various forms of mischief. Here are three of the most common: selling access to compromised accounts, E-commerce fraud, and corporate/institutional espionage and theft.
While these crimes have serious consequences for companies and their customers, the third form of attack has the potential to be most devastating to businesses. If an attacker successfully hijacks the account of an employee or admin, they can gain access to sensitive internal data, which they can sell to the highest bidder. The compromised data can include databases of usernames and passwords, which can start the whole credential stuffing cycle again.
The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $4 million per year to credential stuffing. These losses take the form of application downtime, lost customers, and increased IT costs. Large-scale botnet attacks can overwhelm a business' IT infrastructure, with websites experiencing as much as 180 times their typical traffic during an attack. Despite the uptick in reported attacks, it's safe to assume that many businesses do not disclose when their systems are compromised, and their internal data is stolen, so we may never know the full cost.
Increasingly, regulators and the public are holding companies accountable for credential stuffing attacks. Companies may be subject to legal action under data privacy laws such as GDPR if they fail to implement adequate security measures to prevent such attacks, fail to inform the public of a breach, or don't do enough to protect passwords.
Until the world at large evolves past the username-password login standard, hackers will continue to engage in credential stuffing attacks. Given the tools available to guard against credential stuffing, there is no reason why these attacks should continue to wreak havoc on users and businesses. If you'd like to learn how to safeguard your business, attend Jamie Hughes’ session on Credential Stuffing Attacks at Black Hat Europe 2020.