LIVE WEBINAR: Better Business With Smooth and Secure Onboarding Processes
Register Now!

What Is a Credential Stuffing Attack?

Robert MacDonald

With so many login attacks out there, it’s hard to keep track of them all, but credential stuffing is on the rise and is important to be able to recognize.

What is credential stuffing? Credential stuffing is a type of cyberattack that uses stolen usernames and passwords, AKA credentials, and enters them into many, many login forms in an attempt to gain access to these accounts.

How Are Passwords Compromised?

Passwords are by far the most common form of authentication; as such, they are often the most vulnerable form of authentication credential. This is because, like all other forms of data, passwords have to be stored and protected in various ways… and anytime you store information, there are often several ways that information may be compromised. 

For the most part, login credentials can be compromised through a few basic methods:

  • Database Breach: Platforms often store passwords in databases, against which they compare login credentials to authenticate users. For the most part, intelligent and security-focused enterprises encrypt databases, using hashes to obfuscate passwords. However, many old and unprepared databases may still use cleartext storage. 

In either case, if a hacker steals passwords from a database they can read, they can link the username and password to each other. Additionally, since usernames are often emails, the hacker has access to the user’s email address. 

  • Social Engineering: One of the most common forms of hacking, social engineering involves gaining access to information or system resources through social interactions–typically, emails or other messages that pose as legitimate business communications.

    Suppose an employee falls prey to such an attack. In that case, they don’t just give up their own account–they give up the knowledge that a particular account name and password combination potentially works for other systems and platforms.

    Of course, if a hacker tricks an administrator with access to user credentials, then all bets are off. Such an attack can be more damaging than a database breach because the hacker can extract completely unprotected user data from the system.
  • Brute Force Attacks: While not as famous as the other versions of hacks, brute force attacks can compromise passwords in the same way as a social engineering or breach attack.

Compromised passwords are the cornerstone of credential stuffing attacks. Without stolen passwords, there is no ability to perform such an attack. 

What is a Credential Stuffing Attack?

Credential stuffing is an attack where hackers take stolen credentials from one platform and attempt to use or “stuff” them into as many different platforms, service providers, or institutions as possible. For example, suppose a hack exposes a database of usernames and passwords from a retailer. In that case, hackers will then attempt to use those credentials on hundreds of common platforms like Amazon, Facebook, Twitter, banking websites, etc. 

The timeline for a credential stuffing attack will generally follow a specific timeline:

  • Database Breach: An attack, either through a direct database hack, phishing attack, or brute force attack, uncovers a database of authentication credentials. 
  • Stolen Data Purchase or Distribution: This database is advertised, either to the public or via the dark web. Some hackers will announce their attacks and release the information to the public. Most will attempt to sell that database to the highest bidders. 

Note that a database isn’t a finite thing. Hackers will sell that information to anyone willing to pay, which means a massive potential for credential stuffing attacks. 

  • Automated Brute Force Attacks: Once a hacker has possession of an authentication database, they will feed it into automation tools that attempt to use these credentials (and, in some cases, modified versions of the credentials via dictionary or hybrid attacks) to open any other account on other popular platforms. 
  • Account Compromise: If the login credentials match another account, the hacker now has access and may use that account to launch further attacks, steal money or personal information, or commit fraud. 

When combined with password spraying tactics, stuffing can threaten users across hundreds of providers and platforms.

The Increase of Credential Stuffing Attacks

Poor cyber hygiene has led to the drastic rise in credential stuffing attacks. The unfortunate reality of cybersecurity is that the human element is often the weakest link, which is no truer than in authentication. 

How does that lead to credential stuffing attacks? Simply put, when users reuse credentials (specifically login names and passwords) across different accounts, they open up both accounts to attack. This is because if one is compromised, the other may be as well. 

In some cases, this isn’t the user’s fault–for example, if one platform experiences a data breach, the user bears some responsibility to change their passwords, but they didn’t cause the problem. However, poor judgment during a phishing attack means that a user could potentially threaten two or more systems.

And, with consumers juggling dozens of different accounts, the temptation to just use the same credentials is real. This is why, as reported by Security Intelligence, there were 193 billion credential stuffing attacks in 2020 alone. 

How Can I Defend Against Credential Stuffing Attacks?

Some of the best defenses against credential stuffing attacks are implementing best practices in your organization, and encouraging users to do the same. 

Some common defenses against credential stuffing attacks include:

  • Multi-Factor Authentication (MFA): One of the weaknesses of single-factor password authentication is that there is no way to ensure the user is who they say they are. MFA prevents this in most cases because the secondary authentication methods (biometrics, one-time passwords) will usually be tied to the user or their devices. 

If the hacker has the user’s device (unlikely in a broad stuffing attack), then advanced spoof prevention measures can close the security gap. 

  • Secondary Passwords: You can often mitigate credential stuffing by requiring other credentials, like a secondary password or PIN alongside a password. 

Note that secondary passwords aren’t MFA. Multi-factor authentication requires different types of authentication. However, multiple passwords can blunt a stuffing attack because it’s unlikely the hacker would have the right combination of two different passwords. 

  • CAPTCHA: CAPTCHA requires a human user to interact with an image or audio artifact to verify their liveness. Automated credential stuffing attacks aren’t typically equipped to interact with individual CAPTCHA challenges. However, if the attacker is targeting a specific person and not dozens, they might easily bypass this. 

Shore Up Your Password Defenses with 1Kosmos

Passwords are often the weakest link in authentication security. Users simply cannot juggle so many passwords while maintaining adequate security. The result? Unintended and risky security holes where a weakness on one platform can undermine security on another. 

What is the answer? A modern identity and authentication platform removes typical password system weaknesses. 1Kosmos BlockID offers passwordless authentication bolstered with biometrics, identity proofing, and an intuitive user experience that encourages users to employ good cyber hygiene practices. 

1Kosmos supports security against credential stuffing with the following key features:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification. This form of authentication would eliminate the threat of a credential stuffing attack as we eliminate credentials. 
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone. 
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime, and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target. 
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK. 

To learn more, read our whitepaper on a passwordless distributed workforce.