The State of Credential Stuffing Attacks in 2021

November 24, 2021 • Rehack Team


In the words of Wikipedia, a credential stuffing attack is “a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.”

Overview of Credential Stuffing Attacks

Credential stuffing borrows its mechanics from brute-force attacks, notes CSO. Like brute-force attackers, the actors behind these campaigns use automation to submit credentials repeatedly and systematically in an attempt to access systems or data. The difference is the input: rather than guessing, they replay real username and password pairs obtained through phishing, bought on the dark web, or pulled from a public password dump, betting that the victim reused the same password on the targeted site.

Once attackers have successfully authenticated to a victim’s account, they can do all sorts of things. The Open Web Application Security Project (OWASP) Foundation explains that attackers can use a compromised account to make purchases or to steal sensitive information, for instance. They can also send phishing messages or spam to the account’s contacts to broaden their pool of victims.

The Pervasiveness of Credential Stuffing Attacks

According to THINK Digital Partners, credential stuffing accounted for 16.5% of attempted login traffic on one authentication and authorization platform in the first three months of 2021. This activity peaked at around 40% of traffic near the end of March. From an industry perspective, travel & leisure and retail were the most commonly targeted sectors.

One of the reasons credential stuffing is so prolific is that malicious actors have a strong financial incentive to perform these attacks. Attackers can use compromised credentials to conduct identity theft and perform credit card fraud for their own gain, after all. But they can also monetize those details on dark web marketplaces and hacking forums. ZDNet pointed out that digital criminals are willing to buy hacked credentials and use them for their own malicious activity. Attackers who don’t personally want to use stolen usernames and passwords always have the option of selling that data to someone who does have a use for them.

At the same time, password reuse makes it easy for attackers to take passwords leaked from one site and use them against a different organization. A 2019 survey covered by Infosecurity Magazine found, for instance, that 65% of people reused the same password for multiple if not all of their web accounts. Nearly half (45%) of those survey participants admitted that they didn’t consider password reuse to be a serious risk. That wasn’t the case for a majority of respondents in another study reported on by Threatpost, however. Nine in 10 participants said that they understood password reuse to be a risk. Even so, two-thirds of individuals said that they “always” or “mostly” use the same password or a variation of it.

These findings help to explain why incidents involving compromised credentials are so commonplace…and expensive. In its Data Breach Investigations Report (DBIR) 2020, as an example, Verizon Enterprise wrote that 80% of the hacking-related breaches analyzed by its researchers had involved either brute force or the use of lost or stolen credentials. About a year later, Globe Newswire covered another report that found the average cost of containing a single phishing-based credential compromise had risen from $381,920 to $692,531 over the span of just five years. That’s a hefty price tag considering that organizations experience an average of 5.3 phishing-based credential compromises each year.

How to Defend Against Credential Stuffing Attacks

Organizations can defend themselves against credential stuffing attacks by first focusing on their authentication mechanisms. Organizations need to make sure that employees are using passwords of sufficient strength, complexity, and, above all, uniqueness for their accounts; a strong password that was reused on a breached site is exactly what a credential stuffing list contains. However, organizations must not rely on passwords alone to secure their employees’ accounts. They’re too easily compromised. To better defend against credential stuffing attacks, organizations can apply additional security controls such as these techniques recommended by Salt Security: implementing behavioral analytics, avoiding the use of email addresses as user IDs, and requiring multi-factor authentication (MFA).
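To show how those controls fit together at the login endpoint, here is an added example (not code from the original article or from Salt Security). It is a hypothetical `LoginGate` class that throttles failed attempts per source IP and per account over a sliding window, hashes the submitted password even for unknown usernames so response timing does not leak which accounts exist, and never lets a correct password alone through for an MFA-enrolled user. The limits, window, and PBKDF2 iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Illustrative cost; production deployments should tune this (or use Argon2id).
PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginGate:
    """Hypothetical authentication front door (example code, not a real library).

    Two independent failure budgets are tracked over a sliding window:
      * per source IP  - one attacker replaying a credential list against many accounts
      * per account    - many sources (a distributed botnet) hitting the same account
    For an MFA-enrolled user a correct password returns MFA_REQUIRED, never OK.
    """

    def __init__(self, ip_limit: int = 20, account_limit: int = 5, window_s: float = 60.0):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window_s = window_s
        self.ip_failures: dict[str, deque] = defaultdict(deque)
        self.account_failures: dict[str, deque] = defaultdict(deque)
        self.users: dict[str, tuple[bytes, bytes, bool]] = {}
        # Dummy record so unknown usernames still cost one hash computation (no username oracle).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def register(self, username: str, password: str, mfa_enrolled: bool = True) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt), mfa_enrolled)

    def _recent(self, dq: deque, now: float) -> int:
        """Drop failure timestamps older than the window and return how many remain."""
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return len(dq)

    def attempt(self, ip: str, username: str, password: str, now: float,
                mfa_passed: bool = False) -> str:
        # Throttle before doing any expensive work.
        if self._recent(self.ip_failures[ip], now) >= self.ip_limit:
            return "THROTTLED_IP"
        if self._recent(self.account_failures[username], now) >= self.account_limit:
            return "THROTTLED_ACCOUNT"

        salt, stored, mfa_enrolled = self.users.get(
            username, (self._dummy_salt, self._dummy_hash, True))
        computed = _hash_password(password, salt)
        # Constant-time comparison; unknown users fail here against the dummy hash.
        if username not in self.users or not hmac.compare_digest(computed, stored):
            self.ip_failures[ip].append(now)
            self.account_failures[username].append(now)
            return "DENIED"

        if mfa_enrolled and not mfa_passed:
            return "MFA_REQUIRED"
        return "OK"


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "correct horse battery staple")
    print(gate.attempt("198.51.100.5", "alice", "wrong", now=0.0))          # DENIED
    print(gate.attempt("198.51.100.5", "alice", "correct horse battery staple",
                       now=1.0, mfa_passed=True))                          # OK
```

The clock is passed in explicitly so the behaviour is deterministic and testable. Note that a hard per-account limit is itself a denial-of-service lever: an attacker who knows a username can lock it. In practice the account budget should escalate to a CAPTCHA or a mandatory MFA step rather than a lockout, while the per-IP budget can be enforced more aggressively.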

Organizations also need to take a proactive approach against credential stuffing as a tactic specifically. Pupuweb recommends that organizations monitor data breaches and password dumps for their own corporate credentials. If they spot anything involving their domain, they should consider forcing a password reset for all employees, contractors, and partners. They should also think about using geofences to block traffic from regions where they know they have no employees who would be attempting to log in, bearing in mind that this is a coarse filter, since stuffing tooling routinely routes traffic through proxies in the target’s own country.
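As an added example of the monitoring step (not code from the original article or from Pupuweb), the following Python does two things: it scans a combo list in the usual `email:password` dump format for entries under the organization’s own domain, with the domain match anchored so that look-alike domains are not counted, and it checks candidate passwords against a breached-password index using the same hash-prefix (k-anonymity) scheme as the Pwned Passwords range API, so only the first five hex characters of the SHA-1 ever leave the client. The domain `example.com`, the dump excerpt, and the in-memory index are constructed for the example.

```python
import hashlib
import re
from typing import Iterable

CORP_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed combo-list excerpt in "email:password" dump format; not real data.
SAMPLE_DUMP = """\
alice@example.com:Summer2021!
bob@gmail.com:hunter2
carol@EXAMPLE.COM:Welcome1
dave@example.com.evil.net:pw
malformed line without separator
erin@sub.example.com:P@ssw0rd
"""

# local part (no ':' '@' or whitespace), '@', domain up to the first ':', then the password.
EMAIL_RE = re.compile(r"^([^:@\s]+)@([^:\s]+):(.*)$")


def extract_domain_hits(dump_text: str, domain: str,
                        include_subdomains: bool = True) -> list[tuple[str, str]]:
    """Return (email, password) pairs from a combo list that belong to `domain`.

    The comparison is case-insensitive and anchored on the whole domain label, so
    'example.com.evil.net' is not a hit for 'example.com'.
    """
    hits = []
    domain = domain.lower()
    for line in dump_text.splitlines():
        m = EMAIL_RE.match(line.strip())
        if not m:
            continue  # not a credential line; skip rather than guess
        local, dom, password = m.group(1), m.group(2).lower(), m.group(3)
        if dom == domain or (include_subdomains and dom.endswith("." + domain)):
            hits.append((f"{local}@{dom}", password))
    return hits


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachedPasswordIndex:
    """Stand-in for a breached-password range service (constructed for the example).

    Buckets are keyed by the first 5 hex chars of the SHA-1; a lookup returns every
    35-char suffix in that bucket, and the match happens on the client side.
    """

    def __init__(self, breached_passwords: Iterable[str]):
        self.buckets: dict[str, set[str]] = {}
        for pw in breached_passwords:
            h = _sha1_upper(pw)
            self.buckets.setdefault(h[:5], set()).add(h[5:])

    def range(self, prefix: str) -> set[str]:
        return self.buckets.get(prefix.upper(), set())


def is_breached(password: str, index: BreachedPasswordIndex) -> bool:
    """Client side of the k-anonymity check: send only the prefix, compare the suffix locally."""
    h = _sha1_upper(password)
    return h[5:] in index.range(h[:5])


if __name__ == "__main__":
    for email, _pw in extract_domain_hits(SAMPLE_DUMP, CORP_DOMAIN):
        print("force reset:", email)  # never log the leaked password itself
    idx = BreachedPasswordIndex(["hunter2", "Welcome1"])
    print(is_breached("Welcome1", idx), is_breached("correct horse battery staple", idx))
```

The hits list is the input to the reset action described above; the breached-password index is the same primitive applied at password-change time, so a user cannot set a new password that already appears in a dump.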

Finally, organizations need a way to spot a credential stuffing attack that has succeeded. They can do this by implementing a behavioral analytics tool in their environments. Such a solution can help them spot anomalous behavior on authorized accounts, including attempts to exfiltrate information outside of the corporate network. In those scenarios the tool can raise an anomaly alert, at which point the security team can lock down the account and terminate the attacker’s access to it.
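The login-side half of that detection can be illustrated with an added example (not code from the original article or from any particular analytics product). It profiles a constructed authentication log per source IP, separates credential stuffing (many distinct usernames, almost all failing) from a classic brute force (one username hammered repeatedly) and from a normal user who mistypes a password, and then lists the accounts that authenticated successfully from a flagged source, which are the ones to lock down. The log format, thresholds, and IPs are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed auth log excerpt: timestamp, source IP, username, result. Not real data.
SAMPLE_LOG = """\
2021-11-24T10:00:01Z 203.0.113.7 alice FAIL
2021-11-24T10:00:01Z 203.0.113.7 bob FAIL
2021-11-24T10:00:02Z 203.0.113.7 carol FAIL
2021-11-24T10:00:02Z 203.0.113.7 dave SUCCESS
2021-11-24T10:00:03Z 203.0.113.7 erin FAIL
2021-11-24T10:00:03Z 203.0.113.7 frank FAIL
2021-11-24T10:00:04Z 203.0.113.7 grace FAIL
2021-11-24T10:00:04Z 203.0.113.7 heidi FAIL
2021-11-24T10:00:05Z 203.0.113.7 ivan FAIL
2021-11-24T10:00:05Z 203.0.113.7 judy FAIL
2021-11-24T10:02:10Z 198.51.100.22 alice FAIL
2021-11-24T10:02:25Z 198.51.100.22 alice FAIL
2021-11-24T10:02:40Z 198.51.100.22 alice SUCCESS
2021-11-24T10:05:00Z 192.0.2.9 admin FAIL
2021-11-24T10:05:01Z 192.0.2.9 admin FAIL
2021-11-24T10:05:02Z 192.0.2.9 admin FAIL
2021-11-24T10:05:03Z 192.0.2.9 admin FAIL
2021-11-24T10:05:04Z 192.0.2.9 admin FAIL
2021-11-24T10:05:05Z 192.0.2.9 admin FAIL
2021-11-24T10:05:06Z 192.0.2.9 admin FAIL
2021-11-24T10:05:07Z 192.0.2.9 admin FAIL
"""


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


@dataclass
class SourceProfile:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in from this source


def parse_log(text: str) -> list[Attempt]:
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, ip, user, result = parts
        out.append(Attempt(ts, ip, user, result == "SUCCESS"))
    return out


def profile_sources(attempts: list[Attempt]) -> dict[str, SourceProfile]:
    profiles: dict[str, SourceProfile] = defaultdict(SourceProfile)
    for a in attempts:
        p = profiles[a.ip]
        p.attempts += 1
        p.users.add(a.user)
        if a.ok:
            p.successes.add(a.user)
        else:
            p.failures += 1
    return dict(profiles)


def classify(p: SourceProfile, min_attempts: int = 5,
             spread_ratio: float = 0.8, fail_ratio: float = 0.8) -> str:
    """Stuffing = high failure rate AND nearly every attempt targets a different username."""
    if p.attempts < min_attempts:
        return "NORMAL"
    if p.failures / p.attempts < fail_ratio:
        return "NORMAL"
    spread = len(p.users) / p.attempts
    return "CREDENTIAL_STUFFING" if spread >= spread_ratio else "BRUTE_FORCE"


def analyze(text: str) -> tuple[dict[str, str], list[str]]:
    """Return per-source verdicts and the accounts to lock (successes from flagged sources)."""
    profiles = profile_sources(parse_log(text))
    verdicts = {ip: classify(p) for ip, p in profiles.items()}
    compromised = set()
    for ip, p in profiles.items():
        if verdicts[ip] != "NORMAL":
            compromised |= p.successes
    return verdicts, sorted(compromised)


if __name__ == "__main__":
    verdicts, to_lock = analyze(SAMPLE_LOG)
    for ip, v in verdicts.items():
        print(f"{ip:16} {v}")
    print("lock accounts:", to_lock)
```

Per-IP profiling is only the first cut: a distributed campaign that spreads one attempt per proxy address has no per-IP signal at all, so a real deployment also aggregates on fields the attacker cannot cheaply vary, such as the failing-username set shared across sources, the overall ratio of distinct usernames to attempts in a time window, and client fingerprints (user agent, TLS fingerprint).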

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.