What is a Credential Stuffing Attack? Examples & Mitigation
What is credential stuffing?
Credential stuffing is a type of cyberattack in which attackers try to access user accounts using stolen or leaked username and password pairs. The name comes from the attackers literally stuffing (submitting) those stolen credentials into the login forms of many different sites, on the assumption that some users have reused the same password elsewhere.
What do Zoom, Nintendo, GoDaddy, and Marriott have in common? They were all recent victims of large-scale credential stuffing attacks that have done significant economic and reputational damage. Credential stuffing and credential cracking are two types of automated threats that can give hackers access to your users’ online accounts.
In this article, you will learn how hackers use these two types of attack to break into your websites and mobile apps. You’ll also learn why hackers use these attacks and how a credential stuffing attack typically unfolds. Finally, you’ll learn how to protect your business from these attacks and how DataDome protects against 100% of automated OWASP threats (including credential stuffing and credential cracking attacks).
About Credential Stuffing
Credential stuffing (OAT-008) is an automated threat that uses malicious bots to “stuff” known usernames and passwords (typically sourced from data breaches) into online login pages.
Because hundreds of millions of accounts worldwide are exposed every year, and because people tend to reuse passwords across websites, hackers often succeed in gaining access to user accounts with a credential stuffing attack.
A Brief History of Credential Stuffing Attacks
In 2014, the first signs of credential stuffing attacks were identified when hackers on the dark web started offering services to monetize compromised account credentials. According to Recorded Future, early credential stuffing tools were priced between $50 and $250 and could target a specific company.
Initially, the tool would perform credential stuffing to validate the email and password sets. Hackers would then need to spend additional funds to buy advanced account checking tools to collect information from the compromised account.
Now, hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing (otherwise known as “account checking”) software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation. Today’s automated credential cracking and credential stuffing tools are designed to check hundreds of thousands of credential combinations against multiple websites.
Today, more than 90% of global e-commerce login traffic originates from billions of credential stuffing attacks.
What is credential cracking?
Credential cracking (OAT-007) is a malicious attempt to find usable login credentials by using automated brute-force password cracking tools, testing vast numbers of different values for usernames and passwords.
A credential cracking attack, often called a brute force attack, is particularly effective against users who choose simple, guessable passwords. Weak passwords include dictionary words, passwords shorter than twelve characters, and passwords built from personal information such as names or birth dates.
Examples of Credential Stuffing & Credential Cracking Attacks
These real-life examples of credential stuffing illustrate why preventing account takeover matters.
Dunkin Donuts
In early 2019, Dunkin’ Donuts announced it was the victim of an account takeover attack affecting 1,200 of their 10 million customers. Cybercriminals used credentials from previous data breaches to gain access to DD Perks rewards accounts, which housed member names, email addresses, a 16-digit DD Perks account number, and a DD Perks QR code. The hackers’ goal in this attack was to sell access to the compromised accounts—and the rewards points stored inside.
Disney+
A few months later, the much-anticipated rollout of the Disney+ streaming service was marred by disruptions as customers tried unsuccessfully to access their accounts. The source of the problem? Credential stuffing. Just hours after the launch, Disney+ account credentials were put up for sale on dark web forums. By testing massive volumes of previously stolen usernames and passwords on the Disney+ streaming site, hackers could easily identify valid credential pairs.
Poq
The app commerce company Poq provides a SaaS platform which enables retailers to create beautiful mobile apps. Aggressive credential stuffing attacks exposed Poq’s customers to account takeover and fraud, threatening the company’s reputation. Poq implemented the DataDome bot protection solution at the platform level, and now offers credential stuffing protection as a value-added service.
These hackers went to extreme lengths to attempt to crack and bypass whatever defenses we put in place. We were always looking over our shoulders, checking our monitoring systems to see if our defenses were working, just being on high alert. All that is a thing of the past — the DataDome protection just works.
– Bala Reddy, VP of Engineering at Poq
Why do attackers use credential stuffing & credential cracking?
When a credential stuffing or credential cracking attack is successful, hackers gain access to a user’s account. This is called account takeover—the unlawful accessing of a user account to commit fraud.
Once an attacker is inside a user’s account, they can monetize compromised accounts because they now have access to linked bank accounts, credit cards, and personal data that they can use for identity theft.
The most profitable form of account takeover is credit card fraud. Carding is the widespread practice of using stolen credit card data either to resell it on the dark web or to purchase goods and services through fraudulent accounts funded with the stolen cards.
Carding attacks typically pick up during the main shopping holidays or when hackers know the website they’re attacking is seeing a large amount of traffic. Often, carding attacks are either lost in the traffic or seen as traffic anomalies.
Another profitable form of account takeover is stealing customers’ private data, which can then be sold on the dark web or leaked online for harmful purposes. When large volumes of customer data are leaked, you risk:
- Permanently losing a large percentage of the users whose accounts were compromised.
- Heavy fines under data protection regulations such as GDPR and CCPA.
- Lost goods or services, as well as chargeback and card processing fees.
- Lost productivity across most of your business’ departments.
The organizations primarily targeted by credential stuffing attacks include e-commerce, financial, social media, information technology, restaurants, retail, and the travel and transportation industries. This being said, every organization with a login page is at risk of a credential stuffing or cracking attack.
How do credential stuffing & credential cracking attacks work?
Credential stuffing relies on the widespread problem of password reuse to gain access to online accounts. Because 81% of individuals reuse the same or similar passwords for multiple accounts, malicious threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations. Here’s the anatomy of a typical credential stuffing attack:
- An attacker builds one or more bots that can hit the login pages of multiple websites in parallel. These bots are made to look like ordinary browsers and rotate through many different IP addresses, often residential proxies, so that no single source stands out.
- The bots rapidly run their list of stolen credentials through the login pages of the websites and apps they’re targeting.
- Once a credential pair works, the bot is programmed to exfiltrate personally identifiable information, stored payment cards, linked bank accounts, and so on. At this point the account has been taken over.
- The hacker eventually collects a vast trove of valuable information that they can either resell on the dark web or keep for other nefarious purposes.
The process is relatively similar for credential cracking, except that the bots aren’t programmed to run through a list of stolen credentials. Instead, they rapidly run through password patterns, dictionaries, or common phrases until they gain access to an account.
10,000 of the most common passwords can access 98% of all accounts.
When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. These often go undetected for a long time because logging in isn’t a suspicious action. It’s within the business logic of any website with a login page.
To give you an idea of the scale of a credential stuffing attack: a DataDome customer came under attack with 5.7 million requests from 250,000 different IP addresses and 8,000 autonomous systems across 215 countries (including dependent territories).
The hackers behind this attack were sophisticated. They tried to understand how the DataDome solution worked (and why it blocked all their bots). At first, they thought they were up against a WAF. Each IP address generated only 10 to 20 requests, a deliberately low per-source volume meant to stay under rate-limiting and IP-reputation thresholds.
The Potential Consequences of a Credential Stuffing Attack
Even when unsuccessful, credential stuffing and credential cracking attacks can do significant damage. For one, all traffic needs to be paid for with server capacity and bandwidth. If you suffer from regular credential stuffing attacks, you’re effectively paying for bots that are attacking your business.
Maybe that’s not a big deal if it’s 5% of your traffic, but companies tend to underestimate the percentage of bot traffic on their websites. It’s not uncommon for bot traffic to range between 25% and even 70% of all your traffic. Wouldn’t you want your bandwidth to be fully dedicated to genuine users instead?
In addition, the traffic spikes of credential stuffing and cracking attacks can lead to poor site performance and even site downtime. Any slow webpage is frustrating, but a slow or broken login page is even worse. It makes users suspicious of your website, particularly if they’ve linked their bank details and credit cards.
That’s only if the credential stuffing and credential cracking attacks are unsuccessful—and you can’t tempt fate for too long. At some point, if you’re not properly protected, attacks will succeed and hackers will break into your users’ accounts. We’ve already briefly touched on the dangers of account takeovers, but you can read much more about it in our guide to account takeover fraud prevention.
How to Detect Credential Stuffing Attacks
Several indicators in your traffic data point to a credential stuffing or credential cracking attack in progress:
- A burst of login attempts against many different accounts within a short timeframe, especially when each source IP tries a handful of different usernames rather than one.
- A login failure rate well above your usual baseline. Investigate it rather than writing it off as users mistyping passwords.
- Login-page slowness or downtime caused by a sudden traffic increase. Find out what generated the traffic.
The above are a few basic ways that you can detect credential stuffing and cracking. However, they are not enough.
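The indicators above can be computed directly from login logs. The following Python script is an added example, not DataDome code: it constructs a synthetic login stream that reproduces the attack anatomy described earlier (many proxy IPs, each sending only 10 to 20 requests, almost every request aimed at a different username, a high failure rate) and then flags the window in which all three indicators spike. The event field names (ts, ip, user, ok), the thresholds, and the sample traffic are assumptions made for the example.

```python
"""Score login logs for credential stuffing indicators.

Added example, not DataDome code.  Events are constructed in
make_sample_events(); field names and thresholds are assumptions.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def make_sample_events(seed=1):
    """Constructed login stream: 30 minutes of ordinary traffic followed by a
    5-minute distributed credential stuffing burst starting at 12:30 UTC."""
    rng = random.Random(seed)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    # Ordinary traffic: 150 regular users, each logging in to their own
    # account from their own home IP; about 8% of attempts fail (typos).
    for _ in range(300):
        k = rng.randint(1, 150)
        events.append({
            "ts": t0 + timedelta(seconds=rng.randint(0, 1799)),
            "ip": f"203.0.113.{k}", "user": f"user{k}",
            "ok": rng.random() > 0.08,
        })
    # Attack traffic: 200 proxy IPs, each sending only 10-20 requests, nearly
    # every request against a different leaked username, ~1% succeeding
    # through password reuse.
    for n in range(200):
        for _ in range(rng.randint(10, 20)):
            events.append({
                "ts": t0 + timedelta(seconds=1800 + rng.randint(0, 299)),
                "ip": f"198.51.100.{n}", "user": f"leaked{rng.randint(1, 50000)}",
                "ok": rng.random() < 0.01,
            })
    return sorted(events, key=lambda e: e["ts"])


def window_stats(events, window_seconds=300):
    """Bucket events into fixed windows and compute the three indicators:
    attempt volume, failure rate, and distinct usernames tried per source IP."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_seconds].append(e)
    stats = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        users_per_ip = defaultdict(set)
        for e in evs:
            users_per_ip[e["ip"]].add(e["user"])
        stats.append({
            "window_start": datetime.fromtimestamp(
                idx * window_seconds, timezone.utc).isoformat(),
            "attempts": len(evs),
            "fail_rate": sum(not e["ok"] for e in evs) / len(evs),
            "distinct_ips": len(users_per_ip),
            "median_users_per_ip": median(len(u) for u in users_per_ip.values()),
        })
    return stats


def detect_credential_stuffing(events, window_seconds=300, volume_factor=3.0,
                               fail_factor=3.0, min_users_per_ip=5):
    """Flag windows where volume and failure rate exceed a robust baseline
    (median over all windows) and each source IP tries many usernames.
    All three conditions are required to keep false positives low."""
    stats = window_stats(events, window_seconds)
    base_attempts = max(median(s["attempts"] for s in stats), 1)
    base_fail = max(median(s["fail_rate"] for s in stats), 0.01)
    flagged = []
    for s in stats:
        reasons = []
        if s["attempts"] >= volume_factor * base_attempts:
            reasons.append(f"volume {s['attempts']} vs baseline {base_attempts:.0f}")
        if s["fail_rate"] >= fail_factor * base_fail:
            reasons.append(f"failure rate {s['fail_rate']:.2f} vs baseline {base_fail:.2f}")
        if s["median_users_per_ip"] >= min_users_per_ip:
            reasons.append(f"median {s['median_users_per_ip']:.0f} usernames per IP "
                           f"across {s['distinct_ips']} IPs")
        if len(reasons) == 3:
            flagged.append({**s, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for w in detect_credential_stuffing(make_sample_events()):
        print(w["window_start"], "; ".join(w["reasons"]))
```

Note that a per-IP request counter alone would miss this traffic: every attacking IP stays at 10 to 20 requests, which is indistinguishable from a person retrying a password. It is the combination of a volume spike, a failure rate far above baseline, and many distinct usernames per source that separates stuffing from legitimate logins.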
It is essential to invest in the correct processes and software to ensure that you are able to fully detect and prevent credential stuffing and credential cracking attacks.
How to Prevent Credential Stuffing Attacks
Traditional security solutions tend to rely heavily on IP reputation. They assume that any malicious activity from an IP address means that all activity from that IP is likely to be hostile. Today, threat actors route bots through residential IPs that have excellent reputations, and the requests those IPs send are indistinguishable, at the network level, from those of ordinary users. IP-based approaches on their own are therefore no longer sufficient.
A few ways to detect and prevent credential stuffing and credential cracking attacks are:
- A multi-factor authentication (MFA) option for accounts.
- Encouraging the use of password managers for unique, strong password generation.
- Monitoring web traffic for login attempts against a single account arriving from many different IP addresses and subnets in quick succession (a sign of proxy rotation).
- Investigating cybercriminal underground activities for schemes targeting your company.
- Training workforce members to defend against automated e-commerce bot attacks.
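Several of these measures can be built into the login path itself. The Python module below is an added example, not DataDome code or any product’s implementation: it rejects passwords already found in breach data at registration (the same lists that feed stuffing attacks), throttles both per-source volume and per-account failures with sliding windows, gives a uniform response for unknown and known usernames, and requires a second factor when a correct password arrives from a device the account has never used. The breach corpus, user store, device identifiers and the otp_ok callback are constructed stand-ins.

```python
"""A login path hardened against credential stuffing and credential cracking.

Added example, not DataDome code.  BREACHED_SHA1, the in-memory user store,
device ids and the otp_ok callback are constructed stand-ins.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed stand-in for a breach corpus: SHA-1 of passwords seen in public
# dumps.  A real deployment queries a k-anonymity range API or a local copy.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty123", "Summer2023!", "letmein")
}


def range_lookup(prefix5):
    """Every breached hash suffix whose SHA-1 starts with prefix5.  Stand-in
    for a range endpoint: only the 5-character prefix would leave the host,
    so the candidate password is never disclosed to the lookup service."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def password_is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


class SlidingWindow:
    """Per-key sliding-window counter; timestamps are kept in a deque."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def _live(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return q

    def exceeded(self, key, now):
        return len(self._live(key, now)) >= self.limit

    def record(self, key, now):
        self._live(key, now).append(now)


class LoginService:
    def __init__(self, ip_limit=100, ip_window_s=60,
                 fail_limit=5, fail_window_s=900, kdf_iters=100_000):
        self.users = {}
        self.kdf_iters = kdf_iters
        self.ip_attempts = SlidingWindow(ip_limit, ip_window_s)        # raw volume per source
        self.acct_failures = SlidingWindow(fail_limit, fail_window_s)  # guesses per account
        # Dummy record so unknown usernames cost the same KDF work as real ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = self._kdf(secrets.token_hex(16), self._dummy_salt)

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.kdf_iters)

    def register(self, username, password):
        # Breached passwords are the raw material of stuffing lists: refuse them.
        if password_is_breached(password):
            raise ValueError("password appears in a known breach; choose another")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._kdf(password, salt),
                                "devices": set()}

    def login(self, username, password, ip, device_id, now, otp_ok=lambda: False):
        """Return one of: throttled, denied, mfa_required, ok."""
        if self.ip_attempts.exceeded(ip, now) or self.acct_failures.exceeded(username, now):
            return "throttled"
        self.ip_attempts.record(ip, now)
        rec = self.users.get(username)
        salt = rec["salt"] if rec else self._dummy_salt
        expected = rec["hash"] if rec else self._dummy_hash
        # Always run the KDF and a constant-time compare, so timing and the
        # response do not reveal whether the username exists.
        valid = hmac.compare_digest(self._kdf(password, salt), expected) and rec is not None
        if not valid:
            self.acct_failures.record(username, now)
            return "denied"
        # A correct password from an unseen device is exactly what a stuffing
        # hit looks like: demand a second factor before trusting the device.
        if device_id not in rec["devices"]:
            if not otp_ok():
                return "mfa_required"
            rec["devices"].add(device_id)
        return "ok"
```

The per-account failure window is what blunts credential cracking, and the per-IP window caps the bulk of a stuffing run from any one source; neither stops a slow, widely distributed campaign on its own, which is why the breach check at registration and the MFA step-up on new devices carry the rest of the weight. The "mfa_required" response does tell an attacker the password was valid, so pair it with alerting and a forced password reset for that account.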
But to efficiently protect against credential stuffing and credential cracking, you need a security solution with real-time detection and protection capabilities.
A good bot and online fraud detection solution will be able to quickly identify visitor behavior that shows signs of credential cracking or credential stuffing attempts. To correctly identify fraudulent traffic and block credential cracking and stuffing attacks, the bot detection solution must analyze both technical and behavioral data.
Technical data may include such information as user agent, IP owner, and geolocation. Behavioral signs of bot activity include the number of hits per IP address, request rate and timing, the number of distinct accounts tried per source, and many others. When malicious bots are detected, account fraud detection software can then either trigger alerts or automatically block the bots before your user accounts are compromised. While all this occurs, the user experience for genuine human visitors must not be disturbed.
Prevent Credential Stuffing, Credential Cracking, & ATO Attacks With DataDome Account Protect
Since both bots and humans now use the same browsers and IP addresses, efficient credential stuffing protection requires advanced detection capabilities. Account Protect goes beyond bot protection, building a more complete picture of user activity to spot red flags that may indicate fraud. By analyzing signals such as username/email address, time/location, geolocation, etc., we can identify account fraud—credential stuffing, credential cracking, and ATO, among others—with great precision and zero compromises.
Account Protect fights fraud on autopilot 24/7, giving you peace of mind and protecting your customers. Ready to finally put an end to credential stuffing and other types of account fraud? Start your free trial or contact us to request a demo.