What is credential stuffing and why should you care?
Credential stuffing, is a simple but effective technique to take over more of your online accounts using a known set of credentials.
It’s scarily simple. The attacker takes one of your username and password combinations that has been leaked online, and tries them against a long list of other websites. If a match is found, they add them to the list of working credentials, ready to be sold on, or used for malicious purposes.
But how do you know my username and password?
Have you ever signed up for an online service? Maybe a few forums? It’s becoming well known that companies can be extremely valuable if they can build a database of thousands, or even millions of user accounts. The more details they can record against these accounts, the better.
So everyone is at it! It’s rare to visit a website that doesn’t offer some kind of “login or create an account” option, offering all kinds of benefits behind a curtain.
If nothing else, our FOMO gets us to sign up on some sites!
The issue, is that these sites are getting breached all the time! Their databases of usernames and passwords are being hacked and harvested and then published (or sold) on the Internet.
Of course as an attacker, having to crawl through hundreds or even thousands of username and password data dumps is a little inconvenient. Luckily, these have been lumped together in what has been branded as “collections”. The most notable being “collection #1”, that had 773 million sets of credentials (https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/).
How do they use the credentials?
The task is to test millions of sets of credentials against thousands of different websites to see if any of them successfully log in.
To get the job done quickly, the attackers will use automation scripts, leaving computers running day and night working through the lists, marking the successful matches.
Why are they doing it?
Simply put, there’s money in it. The value can range from a few £ to several hundred per item, depending on what you can do with it.
The value is based on a few factors:
- How convincingly can they use the credentials to impersonate you?
- What can they do with each specific set of credentials if they find a match
At the low end, maybe valued at £1-2, would be a website login that can be used to damage your reputation.
Moving up are credentials that hold richer PII (personally identifiable information) that can be used for social engineering, or have the ability to unlock other accounts. For example, if an attacker had access to your email account, they could use it to perform password resets on other services you signed up for.
Further at the top would be credentials that hold direct value. This can be things like air miles, loyalty card points, successful Fortnite accounts, virtual currency, or just plain money.
How do I protect against it?
There’s a few things you can do to protect against credential stuffing.
First off, use MFA whenever possible. Although not foolproof, it is a significant security enhancement that will make it much harder for the attacker to access your online accounts. It means that even if an attacker knows your username and password, they also need to get a continuously rotating 6-digit number from your phone or Authenticator app.
The second recommendation is to use a different password for each web service. This means that if an attacker gets one of your passwords right, it will be isolated to that one compromised web service.
Of course trying to remember hundreds of passwords may seem a little daunting. To help with this, we would recommend using a password manager. There’s a range of paid and free password manager tools like 1Password, LastPass, and Dashlane available that can generate and store randomised passwords for each individual service.
The last recommendation is to check your email address and passwords with https://haveibeenpwned.com/. This is a free service that can let you know whether your email or passwords have shown up on leaked credential lists. This way, you’ll know if you need to change them.