You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”
The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin’ Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.
“With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services,” says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari. “Most people don’t change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites.”
Credential stuffing has been a problem for years now, as troves of credentials from seminal breaches like LinkedIn and Dropbox in 2012 and Myspace in 2013 have been used—to great effect!—in countless credential stuffing campaigns. But one trend in particular has fueled a recent rise in successful campaigns.
Recently hackers have posted more gigantic, aggregated credential collections that comprise multiple data breaches. One of the most wild recent examples is known as Collection #1-5, a “breach of breaches” that totaled 2.2 billion unique username and password combinations, all available to download in plaintext—for free.
“With Collections 1 through 5 we have actually seen spikes in credential stuffing recently, immediately after that news came out,” says Shuman Ghosemajumder, chief technical officer at the corporate digital fraud defense firm Shape Security. “In fact, we saw some of the largest credential stuffing attacks across several customers in just that week. And that makes sense because you’ve got all these plaintext usernames and passwords available through a torrent. It democratizes credential stuffing.”
The Collection credentials are mostly a few years old, meaning many were already in broad circulation and not worth much. But over the last week, another outlandish trove has provided exactly the type of fresh, high-quality credentials hackers cherish. Posted on the Dream Market dark web marketplace, the collection includes a total of roughly 841 million records, released in three batches, from 32 web services, including MyFitnessPal, MyHeritage, Whitepages, and the file-sharing platform Ge.tt. The first part of the dump costs about $20,000 in bitcoin, the second about $14,500, and the third roughly $9,350. A few of the breaches don’t include passwords, and some that do are protected by cryptographic scrambling that buyers will need to decode, but overall these are top-shelf troves ripe for use in credential stuffing.
As you’ve probably guessed, credential stuffing relies on automation; hackers aren’t literally typing in hundreds of millions of credential pairs across hundreds of sites by hand. Credential stuffing attacks also can’t try massive numbers of logins on a site with all the tries coming from the same IP address, because web services have basic rate-limiting protections in place to block floods of activity that could be destabilizing.
So hackers use credential stuffing tools, available on malicious platforms, to incorporate “proxy lists” to bounce the requests around the web and make them look like they’re coming from all different IP addresses. They can also manipulate properties of the login requests to make it look like they come from a diverse array of browsers, because most websites will flag large amounts of traffic all coming from the same type of browser as suspicious. Credential stuffing tools will even offer integrations with platforms built to defeat Captchas.
Credential stuffing campaigns ultimately try to get the malicious requests to blend into the noise of all the legitimate logins happening on a service at any given time, or “simulate the activity of a large population of humans,” as Shape Security’s Ghosemajumder puts it.
It also requires patience; Shape estimates that typically attackers find matches between their test credentials and an account on the platform they are attacking 0.1 to 2 percent of the time. This is why attackers need hundreds of thousands or millions of credential pairs to make credential stuffing attacks worth it. And once they’ve gotten into some accounts, attackers still need a way to monetize what they find there—either by stealing more personal data, money, gift card balances, credit card numbers, and so on—to make the whole thing worthwhile.
Th best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts—ideally by using a password manager—and turn on two-factor authentication when it’s available. But it’s not entirely on you. Companies, too, are increasingly attempting to detect and block credential stuffing attempts. And some like Google (which also owns Nest) have started initiatives to proactively check whether users’ account credentials have been compromised in breaches and trigger password resets if they discover a match. But the trick is to do all of this without blocking or hindering legitimate activity.
One strategy companies can deploy is to track logins that ultimately result in fraud, then blacklist the associated IP address. Over time, this can erode the effectiveness of the proxy lists attackers rely on to mask their mass login attempts. This doesn’t completely stop credential stuffing, but does make it more difficult and potentially costly for hackers to carry out the attacks. Services whose users are mainly in specific geographic regions can also establish geofences, blocking proxy traffic that comes in from elsewhere in the world. Once again, though, attackers can ultimately adapt to this restriction as well by switching to using proxy IPs within those areas.
A recent credential stuffing attack against the productivity and project management service Basecamp helps illustrate the problem. The company reported recently that it had faced 30,000 malicious login attempts from a diverse set of IP addresses in a single hour. The company began blocking the IPs as quickly as possible, but needed to implement a Captcha to ultimately end the attack. When the barrage died down, Basecamp found that the attackers had only succeeded in penetrating 124 accounts; the company quickly reset those account passwords to revoke the attackers’ access.
Many companies aren’t as prepared to handle the scale of the credential stuffing threat. Shape Security’s Ghosemajumder says that it’s pretty typical at this point for corporate clients to see 90 percent of their logins come from malicious attacks. He has even worked with customers who deal with credential stuffing in 99.9 percent of login attempts to their service. And while credential dumps from leaks and breaches are the primary fuel for these attacks, criminals can also diversify their approach by using credential pairs gathered from phishing attacks.
“Most credential stuffing uses information obtained from the major data breaches,” Agari’s Hassold says. “But over the past few years there has been a shift in the credential phishing landscape to target generic account credentials that are then ‘stuffed’ into a number of different websites.”
Though it is frustrating when companies insist that they haven’t been breached and deny responsibility for protecting their users from credential stuffing attacks, the truth is that service providers don’t have a foolproof way of defending against this threat. As Basecamp’s CTO and co-founder David Heinemeier Hansson put it after the service’s recent incident, “Our ops team will continue to monitor and fight any future attacks. … But if someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”
For such a simple technique, credential stuffing is frustratingly difficult to quash. So keep your passwords as diverse as possible and use two-factor whenever you can. And complain loudly on social media about any web service that isn’t offering it.