Credential Stuffing In Cyber Attacks

Credential Stuffing In Cyber Attacks

Stolen usernames and passwords in attempts to gain access to additional accounts and systems is called credential stuffing in cyber attacks. For example, a cybercriminal may obtain a target’s username and password for a social media account and use those same login credentials to try and access the victim’s other systems (e.g., email accounts, banking applications or workplace networks). From there, the cybercriminal could steal sensitive data stored on these systems and even use this information to engage in other nefarious acts, such as illegal fund transfers. These cyberattacks operate under the assumption that individuals often utilize the same login credentials across different systems, thus allowing a cybercriminal to leverage just one username and password combination to compromise multiple accounts. According to research from software company NortonLifeLock, over half (52%) of individuals repeat usernames and passwords among their systems, making them increasingly vulnerable to credential stuffing incidents.

In addition to compromising individuals’ accounts, these cyberattacks can also pose significant consequences for businesses. In fact, Ponemon Institute recently reported that businesses lose an average of $6 million each year to credential stuffing incidents by way of application downtime, lost customers and heightened IT expenses. Further, these cyberattacks are on the rise. According to research from software company Arkose Labs, more than 2.8 billion credential stuffing incidents occurred in 2021, representing a 98% increase from 2020. As such, it’s vital for businesses to take steps to protect against these cyberattacks.

This article explains how credential stuffing incidents work, describes why these cyberattacks are on the rise, provides examples of recent incidents and outlines key prevention measures for businesses to consider.

How Credential Stuffing Incidents Work

A credential stuffing cyberattack generally takes place in four main phases. Here’s a breakdown of those phases:

1. Obtaining login credentials—First, a cybercriminal will compile a list of stolen usernames and passwords from a number of victims. The cybercriminal may obtain these login credentials in various ways, such as by deploying phishing scams or purchasing them on the dark web. According to a recent audit conducted by security firm Digital Shadows, there are more than 15 billion stolen usernames and passwords circulating on the internet stemming from nearly 10,000 data breaches.
2. Setting up a botnet—Next, the cybercriminal will input their list of stolen login credentials within a robot network, also called a botnet. A botnet is a collection of devices injected with malware in order to be controlled by a single party and leveraged in cyberattacks. The cybercriminal will use the botnet to test the stolen usernames and passwords against multiple websites and systems at once, searching for possible matches.
3. Identifying successful login attempts—After using the botnet to test stolen usernames and passwords, the cybercriminal will take note of any successful login attempts and review the accounts or systems they have gained access to.
4. Compromising accounts, systems and data—Lastly, the cybercriminal will leverage their unsolicited access to victims’ accounts and systems to engage in a variety of harmful activities. These activities may include changing account settings, taking over systems, exposing sensitive information, making fraudulent purchases, transferring funds or conducting further cyberattacks.

Why Credential Stuffing Incidents Are on the Rise

In recent years, credential stuffing cyberattacks have become a growing concern, increasing in both cost and frequency. There are several reasons behind this trend, including the following:

  • Greater credential availability—A surging number of login credentials have been exposed online over the past few years, largely due to a rise in data breaches. As a result, cybercriminals have been granted easier access to stolen usernames and passwords, making credential stuffing incidents increasingly common.
  • Further technology advancements—The technology utilized to conduct credential stuffing cyberattacks, such as botnets and similar automation tools, has also advanced over time. These technology developments have helped cybercriminals bypass traditional login security measures across different devices and systems, as well as increase the speed at which they are able to test stolen credentials. Altogether, such advancements have allowed cybercriminals to boost both the efficiency and simplicity of credential stuffing incidents.
  • Reduced entry barriers—In response to the previously mentioned developments, the overall costs and skills required to conduct credential stuffing incidents has fallen, therefore lowering entry barriers and permitting a larger pool of cybercriminals to launch these cyberattacks. Currently, cybersecurity experts estimate that a credential stuffing incident can be deployed for as little as $50.
  • Increased remote work issues—The proportion of remote workers has skyrocketed in the last couple of years—a trend that is expected to continue for the foreseeable future. Yet, many remote employees lack the same security capabilities within their home offices and personal devices when compared to their workplace offerings, making them more vulnerable to cyberattacks (including credential stuffing incidents).
  • Added detection difficulties—To help identify and combat cyberattacks, many individuals and businesses have installed various types of security software on their technology. However, because credential stuffing incidents involve cybercriminals using genuine usernames and passwords and impersonating legitimate parties, these cyberattacks have proven more challenging for certain software to detect and fight against. These detection difficulties have subsequently made credential stuffing incidents a more attractive attack method among cybercriminals.

Examples of Credential Stuffing Incidents

Multiple notable credential stuffing cyberattacks have occurred within the last few years, affecting several well-known businesses, their employees and their customers. Some of these incidents include:

  • Marriott International—In 2018, the hospitality company Marriott International experienced a credential stuffing cyberattack when a hacker obtained two employees’ login details and used them to compromise sensitive data belonging to more than 5 million customers stored within company systems.
  • Zoom—During the rise of remote work and videoconferencing in 2020, cybercriminals launched a credential stuffing incident against software company Zoom, stealing 500,000 customer usernames and passwords and selling this information to online crime forums.
  • Nintendo—Also in 2020, hackers deployed a credential stuffing cyberattack against video game company Nintendo, resulting in account takeovers and financial losses for 160,000 customers.
  • Spotify—In 2021, audio streaming company Spotify faced a credential stuffing incident when cybercriminals obtained login details from a malicious database to compromise more than 100,000 customers’ accounts.

Considering these cyberattacks and their associated consequences, it’s evident that businesses need to implement measures to help prevent and mitigate potential losses stemming from credential stuffing incidents.

Steps Businesses Can Take For Protection Against Credential Stuffing

Businesses should consider the following measures to effectively avoid and minimize damages resulting from credential stuffing cyberattacks:

  • Establish password protocols. Require employees to create complex and unique passwords for all workplace accounts and systems. These passwords should vary between each individual account and system to help reduce the likelihood of credential stuffing incidents. It may also be valuable to provide employees with access to password management programs to keep track of their credentials.
  • Utilize effective security software. Certain security software can be particularly useful in identifying and mitigating credential stuffing cyberattacks. Such software includes botnet detection technology, website application firewalls, internet traffic filters and multifactor authentication tools. This software should be installed on all workplace devices and updated regularly to ensure effectiveness. Employees should also be required to utilize this software on personal devices if they use such technology for work purposes.
  • Conduct cybersecurity awareness training. Employees should receive routine training on potential cyber threats and ways to mitigate them. In the context of credential stuffing incidents, it’s crucial to educate employees on the importance of maintaining proper password hygiene, keeping up with security software updates and looking for signs that their accounts or systems may have been compromised (e.g., changed settings, modified data, unsolicited purchases or missing funds).
  • Have a plan. Establishing a cyber incident response plan can help ensure necessary procedures are taken when cyberattacks occur, thus keeping related damages at a minimum. This plan should be well-documented, practiced regularly and address a range of cyberattack scenarios (including credential stuffing incidents).
  • Secure sufficient coverage. Finally, it’s critical to purchase adequate cyber insurance to help protect against losses that may arise from credential stuffing incidents. It’s best to consult a trusted insurance professional to discuss specific coverage needs.

Conclusion

Ultimately, credential stuffing cyberattacks are a rising threat for all businesses, with the potential to progressively worsen going forward. Through the implementation of proper prevention and response measures, and a well-planned Cyber Policy businesses can stay sufficiently protected from these incidents. For more risk management guidance, and getting your infrastructure covered by a cyber insurance policy contact us today. 

This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2022 Zywave, Inc. All rights reserved.