Blog

Understanding Credential Stuffing Attacks

September 19, 2024 | 5 MIN READ

by Jason Kent

A stylized image of diagonal lines with asterisks inside going from left to right on the screen.

The firehose of security incidents – data breaches, ransomware, and supply chain attacks – often obscures the methods that attackers use to create these incidents. One of the most common is credential stuffing, which is a type of authentication-related attack that leads to account takeovers (ATO) and ultimately theft or fraud.

So, what is credential stuffing? Simplistically, it’s when attackers use credentials obtained from previous attacks to try and log into websites, counting on the fact that people often re-use their passwords on multiple sites or applications. In truth, credential stuffing is one of several common types of authentication-related attacks that also includes brute force and password spraying. The Open Worldwide Application Security Project (OWASP) does a great job of explaining these attacks, but a brief summary follows.

Credential Stuffing

Credential stuffing relies on the fact that people are creatures of habit, and all too often re-use their passwords for multiple web sites and applications. The bad guys know from experience that taking known-good credentials from one website and applying them to another yields reasonable success rates. Credential stuffing is one of the most common methods for performing account takeover (ATO).

Brute Force

As the name implies, brute force is when attackers try many passwords against a single account, hoping to “guess” the right one. Often, the attackers are working from a gigantic list of passwords from a successful phishing campaign or other data breach, commonly-used passwords, or even randomly created values. Automated bots are used to perform these attempts at high speed, as millions of combinations are attempted.

Password Spraying

Password spraying is a different sort of brute force attack in which the attacker repeatedly attempts to use a single password against many accounts. You’ve probably encountered web sites where you are locked out of your account if you mistype your password more than 3 or 4 times in a short period of time. This automated attack recognizes this situation, and only tries the password once, but does so against as many accounts as possible to see where they can get in. Often, common or default passwords are used.

What Happens When Credential Stuffing Succeeds?

Successful attackers can take several different paths. If they’re going to use the account themselves, such as to drain it of stored value or make fraudulent purchases, they will typically change the password to maintain control of the account. Perhaps the account has stored credit cards or other useful associated data. They can use the account as a pedigreed source from which to launch phishing messages or spam. And of course, at the end of the day, these accounts can simply be sold to the highest bidder.

Time is of the Essence

When obtained as part of a dump of stolen data, the credentials need to be validated to establish their value. However, if the credentials are from a known compromise, the impacted organization will typically force a password reset, and the impacted users would be notified, and forced to reset their password. Since the attackers need to gain control of the accounts quickly, they often use login and mobile APIs, which are much faster and easier to automate than using the application user interface.

Why are APIs Frequently Targeted for Credential Stuffing?

Attackers seek out APIs for credential stuffing attacks for several reasons. Applications are still targets for these types of attacks, but there are countermeasures available such as CAPTCHAs which are successful at preventing most credential stuffing attacks (even if they add customer friction and frustration). However, APIs don’t support JavaScript integration for countermeasures such as CAPTCHAs. Additionally, APIs are designed for automation and speed, making them a prime target for attacks like credential stuffing.

Why Aren’t Existing Solutions Preventing Credential Stuffing Attacks?

Most traditional credential stuffing countermeasures either rely on blocking IP addresses the attacks originate from or rely on CAPTCHAs or other methods that introduce customer friction. Attackers are now using large pools of IP addresses to launch attacks from, including residential IP addresses through residential proxies. For most businesses, blocking these IPs or IP ranges is untenable as it would directly affect legitimate business and frustrate customers. CAPTCHAs introduce customer friction and don’t work with APIs. A more intelligent solution that works for applications and APIs is needed.

The Cequence Approach

Rather than rely on IP-based blocking, friction-inducing CAPTCHAs or other inline JavaScript, or mobile SDKs that have to be integrated into the app and retested, Cequence uses Threat and Entity Behavior Analytics to identify and track automated attacks such as credential stuffing. IP address is a factor, but Cequence combines that information with intelligence about the attacker’s infrastructure (e.g. bulletproof or residential proxies), tools, and credentials to accurately identify attacks without affecting legitimate customer traffic. Once the attackers are identified, Cequence provides several options for mitigation including logging, tagging, rate limiting, deception, and blocking.

Read a case study to learn how Cequence blocked over 500,000 account takeover attempts as a result of credential stuffing and saved over $1.6 million in potential account losses at a large, national pizza chain. If you’re ready to learn how Cequence can help your business, reach out and schedule a call with us.

Jason Kent

Author

Jason Kent

Hacker in Residence

Jason Kent is Cequence's Hacker-in-Residence with over 20 years of experience securing client behavior, wireless networks, web applications, APIs, and cloud systems. At Cequence, Jason focuses on defending against automated attacks on web applications and APIs.

Related Articles