Citrix. Dunkin Donuts. Reddit. AdGuard. Nest. TurboTax. These are just a few of the major brands that have been compromised in credential stuffing attacks in the past few months. These attacks show no signs of slowing down, according to Akamai’s 2019 State of the Internet/Security Report, which identified 28 billion credential stuffing attacks from May 2018 through December 2018. That translates to 115 million login attempts per day.
Credential stuffing is an attack technique in which hackers take usernames and passwords obtained from a previous data breach and attempt to use those credentials to log into an organization’s systems or applications. This is different from a brute force attack, which involves repeated login attempts on the same account. Credential stuffing involves a high number of accounts across multiple systems, often over a much longer period of time.
Mechanisms that “lock” a user’s account after a certain number of login attempts don’t protect against credential stuffing attacks, because each account typically sees only one or a few attempts before the attacker moves on to the next. In addition, hackers have developed tools that make login attempts appear to come from many different browsers, making credential stuffing difficult to detect and prevent.
Credential stuffing is a growing problem because people continue to reuse the same credentials across multiple accounts despite the warnings of security professionals and their own IT departments. In fact, research from Virginia Tech and Dashlane found that more than half of users use identical or nearly identical passwords on multiple accounts. More than seven in 10 don’t even bother to change their passwords for at least a year after those passwords have been compromised.
Once exposed, credentials are typically sold in bulk on the dark web. For example, researchers recently found a collection of more than 2.2 billion unique combinations of email addresses and passwords on the dark web – and these were available for free.
Although there is no magic button that can be pushed to stop credential stuffing attacks, there are steps you can take to reduce the risk. First, address sloppy password practices directly. Implement tools that enforce strong passwords and that, when a password is changed, require the new one to be completely different from the old. This is particularly critical with “privileged” accounts that provide administrator-level access to systems.
Create a policy that provides specific criteria for what is considered a strong password. Additionally, implement a mandatory training program to help users understand how easy it is to compromise an account, how hackers steal, acquire and reuse credentials, and the consequences of using weak passwords across multiple accounts.
After you have dealt with the password problem, take steps to control access to your data. Make sure you understand what users have access to and consider tightening your access controls for sensitive data. Use fraud detection tools to spot unusual activity, and account for credential stuffing in your incident response plan by implementing a process for resetting credentials.
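As an added illustration (not ICG’s tooling and not part of the original article) of the distinction drawn above between credential stuffing and brute force, and of why fraud detection has to look across accounts rather than at one account at a time, the following Python script labels each source IP in a set of constructed authentication log lines. The log layout, the field names and the thresholds are assumptions.

```python
# Added example (not ICG's tooling): flag credential-stuffing sources in auth
# logs. Log lines are constructed; the field layout is an assumption.
from collections import Counter, defaultdict

# Constructed sample: "timestamp source_ip username result user_agent"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL Chrome/72
10:00:02 203.0.113.5 bob FAIL Firefox/65
10:00:03 203.0.113.5 carol FAIL Safari/12
10:00:04 203.0.113.5 dave OK Chrome/71
10:00:05 203.0.113.5 erin FAIL Edge/18
10:00:06 198.51.100.9 alice FAIL Chrome/72
10:00:07 198.51.100.9 alice FAIL Chrome/72
10:00:08 198.51.100.9 alice FAIL Chrome/72
10:00:09 192.0.2.20 gina OK Firefox/65
"""

LOCKOUT_THRESHOLD = 3   # failures on one account before a lock would trigger
MIN_ACCOUNTS = 5        # distinct accounts from one source to suspect stuffing
MIN_FAIL_RATIO = 0.7    # share of failed logins from that source

def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, user, result, ua = line.split(maxsplit=4)
            rows.append({"ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return rows

def classify_sources(rows):
    """Label each source IP 'brute_force', 'credential_stuffing' or 'normal'."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    labels = {}
    for ip, events in by_ip.items():
        fails_per_user = Counter(e["user"] for e in events if not e["ok"])
        worst = max(fails_per_user.values(), default=0)
        accounts = len({e["user"] for e in events})
        fail_ratio = sum(fails_per_user.values()) / len(events)
        if worst >= LOCKOUT_THRESHOLD:
            labels[ip] = "brute_force"   # one account hammered; lockout helps
        elif accounts >= MIN_ACCOUNTS and fail_ratio >= MIN_FAIL_RATIO:
            # many accounts, one try each: per-account lockout never fires
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "normal"
    return labels
```

Running `classify_sources(parse(SAMPLE_LOG))` marks 203.0.113.5 as credential stuffing even though no single account there ever reached the lockout threshold.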
Through our managed service program, ICG will help you maintain a clean active user list. We can also help you implement multifactor authentication to better protect your user accounts. In addition, ICG provides dark web scanning as an optional add-on to our managed services program, so you can learn if your employees’ credentials have been compromised.
Credential stuffing attacks can be stopped by following best practices, implementing the right technology and educating users. Let ICG help you develop and enforce the tools and policies necessary to reduce the risk of these attacks.