
SoS Musings #24

Credential Stuffing Attacks

Credential stuffing is a hacker technique in which usernames and passwords obtained from data breaches suffered by companies are used to gain access to accounts on other sites. Credential stuffing relies on automated tools that try a large number of username and password combinations against the login pages of different online platforms in a short time. The technique remains popular among hackers because the majority of users continue to reuse passwords across multiple accounts on different services. According to Akamai's 2019 State of the Internet / Retail Attacks and API Traffic report, there was a significant increase in credential stuffing attacks in the second half of 2018, with an estimated 28 billion such attempts. Retail and financial industries continue to be the main targets of credential stuffing attacks. Credential stuffing attacks can have significant consequences, such as the hijacking of personal and business banking accounts, downtime of applications, damage to the reputations of affected businesses, and more. Recent incidents in which consumers and businesses have fallen victim to credential stuffing attacks highlight the importance of strengthening security against such attacks.

Incidents of credential stuffing attacks recently faced by individuals and organizations bring further attention to the increase in such attacks and the importance of following stronger security practices. Intuit, the financial software company and maker of the popular tax preparation software TurboTax, recently informed users of the software that they may have been affected by a credential stuffing attack, which allowed an unauthorized party to access data, including Social Security numbers, financial information, addresses, and more, from a previous year's tax return or a current tax return in progress. The enterprise technology provider Citrix Systems required its customers to change their passwords after discovering that a credential stuffing attack had been performed against its ShareFile content collaboration service, allowing an unauthorized party to access information stored in customers' ShareFile accounts. Dunkin' Donuts was hit by two credential stuffing attacks in a span of three months. The attacks on Dunkin' Donuts took aim at DD Perks rewards accounts associated with the coffee shop chain's loyalty program in order to sell direct access to these accounts, gather private information, and more. Hackers were also able to speak to and watch those who use Nest home security cameras by performing credential stuffing attacks against Nest user accounts. These are just a few incidents in a series of credential stuffing attacks, as companies including Reddit, OkCupid, and Dailymotion have also recently faced such attacks.

Cybercriminals perform credential stuffing by using breached user credentials and botnets to automatically inject those credentials into login pages. The availability of collections of data gathered from previous massive data breaches suffered by companies such as LinkedIn, Dropbox, Yahoo, and others facilitates credential stuffing by hackers. Security researchers recently discovered that a collection of 2.2 billion unique usernames together with their associated passwords was being shared among hackers via forums and torrents. Credentials exposed by such mega-dumps can then be tried against multiple online platforms in an automated manner, using tools such as Sentry MBA, Vertex, Apex, and more. Security defense systems and practices must be developed and bolstered against the use of stolen credentials and automated tools to perform credential stuffing attacks.

In addition to increasing research and development surrounding security approaches to combat credential stuffing attacks, individuals and organizations must make an effort to follow and enforce proper security practices. Shape Security, a cybersecurity firm based in California, released an AI (artificial intelligence) system, called Blackfish, to help companies protect themselves against credential stuffing attacks. Blackfish can identify credentials that have been stolen in data breaches which have not yet been discovered, disclosed, or distributed on the dark web. The system is able to detect when stolen credentials are being used to log in to an end user's account and invalidate those credentials. The Digital Identity Guidelines released by the National Institute of Standards and Technology (NIST) recommend that organizations check candidate passwords against corpora of passwords exposed in previous data breaches and reject those that appear there. Organizations are encouraged to implement two-factor authentication (2FA) to protect their customers from credential stuffing attacks. 2FA strengthens the security of online user accounts against credential stuffing because it requires another factor, in addition to the password, to verify the identity of the user. Methods of 2FA include SMS 2FA, in which the user provides a phone number, push-based 2FA, in which login attempts are validated by the user acknowledging a prompt sent to their device, and more. Individuals should follow good password hygiene, and organizations should enforce stronger password policies in which passwords are changed after a period of time and are not reused. Organizations should also continue monitoring their network traffic and systems for slowdowns, major rises in login requests, and more, as these may indicate a credential stuffing attack in progress. As the scale and sophistication of credential stuffing attacks continue to grow, more advanced tools and approaches to fighting such attacks must be developed.
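The two defensive measures above, screening passwords against a breach corpus as NIST recommends and watching login traffic for the footprint of an automated attack, are shown below as an added example. This code is not from the SoS Musings article, from NIST, or from any vendor named in it; the breach corpus, the log line format, the source addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Added example (not from the article): two defender-side checks.

1. screen_password(): reject candidate passwords that appear in a breach
   corpus, as NIST SP 800-63B recommends. The corpus here is a constructed
   sample kept as SHA-1 digests so the plaintext list need not be stored
   (SHA-1 is only a lookup key for the corpus, never a way to store the
   site's own passwords).
2. detect_stuffing(): scan authentication logs for one source trying many
   distinct usernames with a high failure rate, and report which accounts
   that source nevertheless got into so they can be locked and reset.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# --- 1. breached-password screening -----------------------------------

# Constructed stand-in for a breach corpus; a real deployment would load
# millions of digests from a file or query a k-anonymity range API.
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "Summer2019!"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXT}


def screen_password(candidate: str, corpus=BREACH_CORPUS, min_len: int = 8) -> bool:
    """Return True if the candidate is acceptable: long enough and not breached."""
    if len(candidate) < min_len:          # SP 800-63B minimum of 8 characters
        return False
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return digest not in corpus


# --- 2. detecting stuffing patterns in authentication logs ------------

# Assumed (constructed) log line shape for this example:
#   2019-03-04T10:00:01Z src=203.0.113.7 user=alice result=FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune them to the site's normal traffic.
MIN_ATTEMPTS = 5          # too little activity to judge below this
MIN_DISTINCT_USERS = 5    # one source probing many accounts is the key signal
MIN_FAIL_RATIO = 0.8      # stuffing succeeds rarely, so most attempts fail


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(lines):
    """Return {src: stats} for sources whose login pattern looks automated."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(),
                                   "hits": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable lines are skipped, not counted
        s = per_src[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(rec["user"])    # accounts this source actually entered
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= MIN_ATTEMPTS
                and len(s["users"]) >= MIN_DISTINCT_USERS
                and ratio >= MIN_FAIL_RATIO):
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 3),
                "seconds": (s["last"] - s["first"]).total_seconds(),
                "compromised_users": sorted(s["hits"]),   # lock and reset these
            }
    return flagged


# Constructed sample log: a real user who mistypes twice, then an automated
# source cycling through many accounts with leaked credentials.
SAMPLE_LOG = """\
2019-03-04T10:00:01Z src=198.51.100.20 user=alice result=FAIL
2019-03-04T10:00:09Z src=198.51.100.20 user=alice result=FAIL
2019-03-04T10:00:20Z src=198.51.100.20 user=alice result=OK
2019-03-04T10:05:00Z src=203.0.113.7 user=bob result=FAIL
2019-03-04T10:05:00Z src=203.0.113.7 user=carol result=FAIL
2019-03-04T10:05:01Z src=203.0.113.7 user=dave result=FAIL
2019-03-04T10:05:01Z src=203.0.113.7 user=erin result=OK
2019-03-04T10:05:02Z src=203.0.113.7 user=frank result=FAIL
2019-03-04T10:05:02Z src=203.0.113.7 user=grace result=FAIL
2019-03-04T10:05:03Z src=203.0.113.7 user=heidi result=FAIL
2019-03-04T10:05:03Z src=203.0.113.7 user=ivan result=FAIL
""".splitlines()

if __name__ == "__main__":
    print("Summer2019! accepted:", screen_password("Summer2019!"))
    for src, stats in detect_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The legitimate user from 198.51.100.20 is not flagged because a couple of failed attempts against a single account is normal behaviour, while 203.0.113.7 is flagged for hitting eight different accounts in three seconds with a high failure rate; the one account it did enter (erin) is reported separately, since that is the account whose credentials were reused from a breach and which needs an immediate session invalidation and password reset, in the spirit of the Blackfish behaviour described above.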