Credential Stuffing: How Cybercriminals Exploit Stolen Credentials

Credential stuffing is shaping up to be one of the most predominant hacking methods of 2024. In early June, Ticketmaster fell victim to a data breach via credential stuffing, exposing information from 560 million customers. Credential stuffing attacks involve using stolen usernames and passwords to access accounts. In these attacks, threat actors also often use automation to try different combinations of credentials until they find a successful match. 

So, how can your security team prepare for these kinds of cyberattacks? Below, we explain what you need to know and strategies for prevention, detection, and remediation. 

Understanding Credential Stuffing

People often choose convenience over security and reuse passwords across multiple services. Credential stuffing aims to take advantage of that fact. Once a data breach or infostealing malware exposes login details from one site, those credentials are added to a database that hackers use to test against other sites. 

According to OWASP, credential stuffing typically begins with an attacker sourcing usernames and passwords from a website breach, phishing attack, or a password dump site where previously stolen credentials are published. Attackers then use automated scripts and bots to rapidly input thousands — sometimes millions — of credential pairs into a site login page. If a login on any test site is successful, the attacker knows they have valid credentials that can likely be used on other sites. 

These attacks can be devastating to both individuals and organizations. For individuals, stolen credentials can lead to unauthorized access to personal accounts, resulting in financial loss, identity theft, and compromised private information. For organizations, the impact can be even more severe. A successful credential stuffing attack can lead to significant financial losses through fraud, reputational damage, legal ramifications, and loss of consumer trust. 

Credential stuffing has been used successfully against many high-profile companies in recent years. Just hours after the launch of Disney+ in 2019, thousands of user credentials were stolen from the platform and listed for sale on the dark web. In a 2022 attack targeting DraftKings, hackers stole $300,000 and data from 67,000 users. In 2023, both PayPal and 23andMe fell victim to credential stuffing. Attacks on other high-profile companies continue in 2024, with major companies reporting large-scale credential stuffing attacks on user accounts. Okta warned users in April of an uptick in credential stuffing attacks against one of its authentication features. That same month, Roku announced that a credential stuffing attack impacted 591,000 customer accounts. 

Preventing Credential Stuffing

The first step companies can take to protect their credentials is to encourage users to create unique passwords for each of their accounts to minimize the risk of one breach compromising multiple sites. Additionally, research from Microsoft found that multi-factor authentication (MFA) is over 99.9% effective at preventing credential stuffing because it requires another form of verification in addition to a password, adding an extra layer of security. 

MFA typically uses knowledge, possession, and inherence factors to confirm a user’s identity. Knowledge factors are the most common and are usually a security question that only the user would know the answer to. Possession factors involve objects like badges or keys that the user needs to have in their current possession to gain access, and inherence factors are usually biometric information like a fingerprint or voice pattern. Even if an attacker has a user’s valid credentials, the hacker will have greater difficulty accessing an account if MFA is enabled. 

Service providers can also use rate limiting, a technique that controls the rate at which requests are sent and processed. This method limits the number of requests that can reach a server in a given period, disrupting the automated tools attackers use to input credentials into a site, slowing down their process, and giving the site time to react to potential threat alerts. 

Security teams can also establish automated baselines of standard user behavior and leverage tools to identify potentially compromised credentials. With Devo SOAR playbooks, for example, you can automatically take steps to respond to an incident, either fully automated or by alerting appropriate personnel, to authorize the correct response through a one-click approval process when behavior varies from normal activity.

Get Your Defenses Ready

Given the ease with which attackers can execute these attacks using automated tools and the scale of attacks we’ve seen so far in 2024, security teams must ensure they’re implementing the right tools and processes to ensure they’re prepared. Organizations must adopt multifaceted strategies, including multi-factor authentication, monitoring for unusual login activities, and encouraging employees to use complex, unique passwords to defend against these attacks.

In the wake of the recent uptick in credential stuffing and identity-based cyberattacks, most notably the targeted credential theft campaign against Snowflake customers, Devo has helped its end users bring Snowflake logs into Devo’s platform and, using the information uncovered by the ongoing investigation, created a new set of queries to create alerts. Devo will monitor this situation — and others that arise — to continue to provide guidance and resources to our customers. 

Does your organization need to uplevel its cybersecurity solutions and processes to prevent and mitigate these kinds of incidents? Contact our experts to learn how Devo can help you monitor for suspicious activity.