Password Stuffing

Understanding the Economic Impact of Credential Stuffing Attacks

Credential stuffing attacks have become more common, posing severe personal and corporate security risks. This serious form of cyberattack uses sets of stolen or leaked credentials to log in to users’ accounts.  A study revealed that more than 15 billion stolen credentials are spreading on the web. 

Anastasios Arampatzis headshot
Anastasios Arampatzis

A key reason behind credential stuffing attacks is bad password hygiene – people often use weak passwords or reuse them across multiple accounts.  One survey revealed that most users simultaneously reuse the same login credentials for different services. As long as this approach continues, credential stuffing attacks will keep rising.  A report from Akamai indicates that these attacks rose by 49% in 2020, over the previous year.

Episode 212: China’s Stolen Data Economy (And Why We Should Care)

The Costs of Credential Stuffing Attacks

Credential stuffing is a common tactic used to take over a target’s accounts. The attackers use automation tools to input thousands of compromised credentials into different websites at once. Rather than inserting multiple credentials into one site and risking an account lockout, this method works in the opposite direction by spreading a single credential set across multiple destinations.  This increases the chances of success. Once the threat actor takes hold of an account, they start performing fraudulent activities, often unbeknownst to the victim. 

Episode 97: On eve of GDPR frightening lack of data privacy, security in US

In 2020, the online supermarket Bigbasket experienced a data breach incident that impacted its entire customer base. Prior to leaking the data, the attacker posted the 15 Gigabyte database for sale on the dark web. The compromised data included passwords, IP addresses, names, email addresses, contact details, and dates of birth.

The Aberdeen Group conducted a study which attributed the risk of credential stuffing and account takeovers to four main financial industry segments in the USA: credit unions, commercial banks, fintech companies, and savings institutions.  However, the financial sector is not the only business category that is used for credential stuffing attacks. During the first week of January, 2022, the Office of the Attorney General of New York issued a warning to 17 companies after leading an investigation of 1.1 million compromised accounts. The compromised credentials were used in credential stuffing attacks against various popular online retail, food, and delivery businesses. 

It is not the first time that a credential stuffing attack cost a significant loss to a business sector.  The Akamai report also revealed that 193 billion credential stuffing attacks were reported globally. Out of these, 3.4 billion hit the financial services organizations. In addition, approximately 6.3 billion web application attacks also occurred in 2020, with the majority targeting financial services. 

As data privacy regulations are enforced, companies are subjected to legal action under these laws if they fail to deploy adequate data security practices. The public, and the regulators are now holding companies responsible for credential stuffing attacks. The companies are penalized, which, in some cases, costs them millions of dollars.

Episode 206: What Might A Federal Data Privacy Law Mean In the US?

Because of the highly interconnected business landscape and complex supply chains, businesses that were not the initial target of a credential stuffing attack may become indirect victims due to someone else’s breach. Besides this, there is also brand damage. The data breach incidents make the headlines that put an organization’s reputation at stake and compel users not to trust them again with their data. 

Fortunately, there are ways by which you can mitigate the damage made by credential stuffing attacks. 

Tips to Prevent Credential Stuffing Attacks

The rise in credential stuffing attacks has urged businesses to implement a data security plan. Moreover, companies can defend against credential stuffing attacks with the right tools and practices.  Some common measures that can help in preventing these attacks:

  • Multi-factor authentication can be an effective practice to thwart a credential stuffing attack. However, keep the following in mind from Salt Security: “Note that attackers can and will also target MFA mechanisms, and organizations must also protect any MFA mechanisms from brute force attacks.”
  • Businesses can avoid these attacks by implementing behavior analytics via establishing baselines of typical user behavior and traffic patterns. 
  • Password managers should be used at the corporate, as well as individual level.  Using a strong, unique password for each online account eliminates the password reuse problem.  This guarantees that a breach will only affect the account where the breach occurred, and not multiple online accounts.
  • A web application firewall (WAF) also plays a crucial role in detecting abnormal login attempts and bots. Besides this, a WAF is designed to boost security, creating an added security advantage.
  • Limiting the number of failed authentications is another excellent way to prevent credential stuffing attacks. You can restrict the failed requests by IP address, devices, or locations.

Final Thoughts

Credential stuffing is a threat to businesses, causing significant financial loss and affecting customer experience. Millions of users and their data are compromised every year due to credential stuffing attacks. But companies can reduce the rising risks of these attacks to their business and customers by implementing a comprehensive data security program with the appropriate practices and tools to fight against this cybercrime.