The Growing Threat of Credential Stuffing: Understanding the Risks and How to Protect Yourself
![](https://miro.medium.com/v2/resize:fit:875/1*_x_SpPjWsQ4Av4bHW6X6_Q.jpeg)
What is Credential Stuffing?
Credential stuffing is a cyberattack where an attacker uses a list of stolen credentials, such as usernames and passwords, to gain unauthorized access to multiple accounts or systems. This type of attack is becoming increasingly common as more and more personal information is being made available online.
Credential stuffing attacks are typically launched using automated tools that can rapidly test large numbers of credentials against a particular system or website. The attacker will typically use a list of stolen credentials, such as those obtained through a previous data breach, to try to gain access to multiple accounts or systems. These can include email accounts, social media accounts, financial accounts, and other types of online services.
Credential Stuffing Attacks on the Rise
The staggering figures of 1.8 billion credentials spilled and 193 billion credential stuffing attacks reported in 2020, by F5 Labs and Akamai respectively, should send a chill down anyone’s spine. These statistics highlight the growing and alarming frequency of this type of cyber threat. The implications of a data breach or a successful credential stuffing attack can be devastating, ranging from identity theft and financial loss to damage to a person’s or company’s reputation.
Devastating Consequences of Credential Stuffing:
- Capital One Data Breach: Exploitation of a Misconfigured Firewall Leads to Compromise of Personal Information of Over 100 Million Individuals and Small Businesses
In a cyberattack on Capital One in 2019, the attacker obtained the personal information of more than 100 million individuals and small businesses by exploiting a misconfigured firewall. This is an example of attackers obtaining information through a data breach, which can then feed credential stuffing attacks that impact users.
- Marriott International Cyberattack: Credential Stuffing Leads to Exposure of Personal Information of Up to 500 Million Guests
An example of a major cyberattack that used credential stuffing was the attack on Marriott International in 2018. The attack, discovered in November of that year, exposed the personal information of up to 500 million guests. The attacker is believed to have used a list of stolen credentials to gain access to Marriott’s systems.
- Sonic Drive-In Data Breach: Credential Stuffing Leads to Exposure of Personal Information of Millions of Customers
In 2019, the fast food chain Sonic Drive-In reported a data breach that exposed the personal information of millions of customers. The attacker is believed to have used a list of stolen credentials to gain access to Sonic’s systems.
These are just two such attacks that took place due to credential stuffing. The number of such incidents is growing rapidly, and it is necessary to understand why, and how to mitigate the risk of being attacked.
- Credential stuffing attack compromises Netflix user accounts
In 2019, the popular streaming service Netflix was targeted in a high-profile credential stuffing attack. The attackers took credentials stolen in other data breaches, tested them against Netflix’s website, and were able to gain access to a number of user accounts. Once in, they changed each account’s email address and password, locking the legitimate users out of their accounts.
- Credential stuffing attack on Twitter: High-profile Twitter accounts compromised using stolen credentials
In 2020, there was a significant security incident involving the popular social media platform Twitter. The incident, known as a credential stuffing attack, saw attackers gain unauthorized access to over 130 high-profile Twitter accounts, including those of politicians, celebrities, and companies. The attackers used login credentials that were obtained from previous data breaches to gain access to the accounts. As a result of this attack, Twitter temporarily disabled the affected accounts and launched an investigation to determine the cause and extent of the incident.
Combatting Credential Stuffing Attacks
One measure companies can take is to implement rate limiting and IP blocking to stop automated login attempts, and to monitor for unusual login activity in order to detect and prevent credential stuffing attacks.
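A simple version of the login-activity monitoring mentioned above, as an added example that is not part of the original post: it scans constructed login log lines and flags a source IP when its recent failures spread across many distinct usernames, which is how an automated stuffing run looks and how a single user retyping a forgotten password does not. The window, thresholds and log lines are assumptions.

```python
# Added example (not from the original post): flag source IPs whose failed logins in a
# sliding window spread across many distinct usernames, as automated stuffing does.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 203.0.113.7 alice FAIL
2024-01-05T10:00:02 203.0.113.7 bob FAIL
2024-01-05T10:00:03 203.0.113.7 carol FAIL
2024-01-05T10:00:04 203.0.113.7 dave FAIL
2024-01-05T10:00:05 203.0.113.7 erin FAIL
2024-01-05T10:00:10 203.0.113.9 u1 FAIL
2024-01-05T10:00:11 203.0.113.9 u2 FAIL
2024-01-05T10:00:12 203.0.113.9 u3 FAIL
2024-01-05T10:01:00 198.51.100.2 carol FAIL
2024-01-05T10:01:05 198.51.100.2 carol FAIL
2024-01-05T10:01:10 198.51.100.2 carol FAIL
2024-01-05T10:01:15 198.51.100.2 carol FAIL
2024-01-05T10:01:20 198.51.100.2 carol FAIL
2024-01-05T10:01:25 198.51.100.2 carol SUCCESS
2024-01-05T10:10:10 203.0.113.9 u4 FAIL
2024-01-05T10:10:11 203.0.113.9 u5 FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window per source IP
MAX_FAILS = 5                  # assumed: failed attempts per IP inside the window
MAX_USERS = 4                  # assumed: distinct usernames per IP inside the window

def detect_stuffing(log_text, window=WINDOW, max_fails=MAX_FAILS, max_users=MAX_USERS):
    """Return {ip: (fails, distinct_users)} for IPs exceeding both thresholds."""
    # One user retyping a forgotten password trips the failure count but not the
    # distinct-user count, so it is left to ordinary rate limiting, not flagged here.
    recent = defaultdict(deque)  # ip -> (ts, user) of failed attempts still in window
    flagged = {}
    for line in filter(None, log_text.splitlines()):
        ts, ip, user, result = line.split()
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((datetime.fromisoformat(ts), user))
        while q[-1][0] - q[0][0] > window:  # drop attempts that aged out of the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_fails and len(users) >= max_users:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), len(users)))
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # {'203.0.113.7': (5, 5)}
```

Only 203.0.113.7 is flagged: 198.51.100.2 fails five times against one account, and 203.0.113.9's early attempts have aged out of the window by the time its later ones arrive.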
To protect yourself from credential stuffing attacks, it is important to use unique and strong passwords for each account and service that you use. It is also a good idea to enable two-factor authentication (2FA) wherever possible, as it can provide an additional layer of security for your accounts.
Credential stuffing attacks are becoming more common as more personal information becomes available online. To protect yourself, enable multi-factor authentication, create strong and unique passwords, and be careful about the personal information that you share online.
How Can Okta + Tecnics Help?
Organizations can use Okta with TecMFA to help prevent these attacks and mitigate risk as much as possible. By combining Okta’s single sign-on capabilities with TecMFA’s Desktop MFA features, each organization can ensure it protects its employees with the required desktop security and qualified authorization into their various productivity applications. This also means users will not have to keep multiple passwords for each application, reducing the risk of credential stuffing.