Billions of stolen usernames and passwords are circulating on the dark web. According to the Verizon 2020 Data Breach Investigations Report, 80% of hacking breaches in 2019 were caused by stolen or brute-forced credentials. But stolen credentials, once reused in credential stuffing attacks, are often far more dangerous.
So what is credential stuffing, and how could it affect you? Most importantly, how can you stop it?
What is credential stuffing?
Credential stuffing attacks cram different combinations of the usernames and passwords found in credential dumps into login pages until an account unlocks. They are an increasingly common cyber attack—mostly because users often reuse their usernames and passwords. If a user's login information is stolen from one place, it will probably work somewhere else.
Credential stuffing attacks are thought to be more effective than brute-force attacks because they are not a total guessing game—they leverage existing username and password information. They are also harder to detect, and they are not easily thwarted by routine security protections, such as a cap on failed attempts from a single computer.
There are so many stolen credentials circulating online nowadays that their price is down nearly to zero. Attackers can acquire these lists cheaply, feed them to bots, and have the bots crack open accounts on target sites. Success rates are low—Shape Security estimates success rates between 0.2% and 2%—but the costs are so modest that the rewards can still provide a significant return on the investment.
Like many cyber security problems, credential stuffing is a constant cat-and-mouse game. When website operators limited the number of login attempts from one IP address, attackers responded by feeding bots spoofed addresses. Secondary authentication methods like CAPTCHA codes were effective, but only for a short time. As seen in the 2021 Data Breach Investigations Report, 23% of the organizations monitored had security events related to credential stuffing or brute force attacks, with 95% of them getting anywhere from 637 to 3.3 billion attempts against them.
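The point above (a per-IP cap on failed logins never fires, because each bot address sends only a few attempts, each against a different account) is easier to see on a log. The following is an added example, not code from the article or from any vendor it cites: it runs a classic per-source lockout rule and a population-level check over a constructed authentication log, with the log format, thresholds and field names all assumptions.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log: ten failures spread over five source addresses, each
# address making only two attempts, and every attempt against a different account.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2021-06-01T10:00:02Z src=203.0.113.11 user=bob result=FAIL
2021-06-01T10:00:03Z src=203.0.113.12 user=carol result=FAIL
2021-06-01T10:00:04Z src=203.0.113.13 user=dave result=FAIL
2021-06-01T10:00:05Z src=203.0.113.14 user=erin result=FAIL
2021-06-01T10:00:06Z src=203.0.113.10 user=frank result=FAIL
2021-06-01T10:00:07Z src=203.0.113.11 user=grace result=FAIL
2021-06-01T10:00:08Z src=203.0.113.12 user=heidi result=FAIL
2021-06-01T10:00:09Z src=203.0.113.13 user=ivan result=FAIL
2021-06-01T10:00:10Z src=203.0.113.14 user=judy result=FAIL
2021-06-01T10:00:11Z src=198.51.100.7 user=mallory result=OK
"""

def parse_log(text):
    """Turn the log text into a list of dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def per_source_lockouts(events, per_ip_cap=5):
    """Sources that a classic per-IP failure cap would have locked out."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return sorted(src for src, n in fails.items() if n >= per_ip_cap)

def stuffing_signal(events, per_ip_cap=5, min_accounts=8, min_sources=4):
    """Population-level view: many distinct accounts failing from many sources,
    each source staying under the per-IP cap, is the stuffing pattern. Brute
    force against one account would instead show one user and many tries."""
    fails = [e for e in events if e["result"] == "FAIL"]
    accounts = {e["user"] for e in fails}
    sources = {e["src"] for e in fails}
    spread = len(accounts) / len(fails) if fails else 0.0  # ~1.0 when each account is tried once
    flagged = bool(len(accounts) >= min_accounts and len(sources) >= min_sources
                   and spread > 0.8 and not per_source_lockouts(events, per_ip_cap))
    return {"failures": len(fails), "accounts": len(accounts),
            "sources": len(sources), "spread": round(spread, 2), "flagged": flagged}
```

On the sample, `per_source_lockouts` returns nothing while `stuffing_signal` flags the window, which is the gap the article describes between a per-IP cap and what actually happens across the whole login endpoint.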