Credential stuffing is a type of

cyberattack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted ...

in which the attacker collects stolen account credentials, typically consisting of lists of

username A user is a person who utilizes a computer or Computer network, network Service (systems architecture), service. A user often has a user account and is identified to the system by a username (or user name). Other terms for username includ ...

s and/or

email addresses An email address identifies an email box to which messages are delivered. While early messaging systems used a variety of formats for addressing, today, email addresses follow a set of specific rules originally standardized by the Internet Engineer ...

and the corresponding

password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...

s (often from a

data breach A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, info ...

), and then uses the credentials to gain unauthorized access to

user account A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), accoun ...

s on other systems through large-scale automated login requests directed against a

web application A web application (or web app) is application software that is accessed using a web browser. Web applications are delivered on the World Wide Web to users with an active network connection. History In earlier computing models like client-serve ...

. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools such as

Selenium Selenium is a chemical element with the symbol Se and atomic number 34. It is a nonmetal (more rarely considered a metalloid) with properties that are intermediate between the elements above and below in the periodic table, sulfur and tellurium, ...

cURL cURL (pronounced like "curl", UK: , US: ) is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client URL". History cURL was fi ...

PhantomJS PhantomJS is a discontinued headless browser used for automating web page interaction. PhantomJS provides a JavaScript API enabling automated navigation, screenshots, user behavior and assertions making it a common tool used to run browser-based ...

or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts. In 2017, the FTC issued an advisory suggesting specific actions companies needed to take against credential stuffing, such as insisting on secure passwords and guarding against attacks. According to former

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

click fraud czar

Shuman Ghosemajumder Shuman Ghosemajumder (born 1974) is a Canadian technologist, entrepreneur, and author. He is the former click fraud czar at Google, the author of works on technology and business including the Open Music Model, and co-founder of TeachAids. He was ...

, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts.

Wired Magazine ''Wired'' (stylized as ''WIRED'') is a monthly American magazine, published in print and online magazine, online editions, that focuses on how emerging technologies affect culture, the economy, and politics. Owned by Condé Nast, it is headquar ...

described the best way to protect against credential stuffing is to use unique passwords on accounts, such as those generated automatically by a

password manager A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases software used to manage passwords allow also generate strong passwords and fill forms. Pas ...

, enable two-factor authentication, and to have companies detect and stop credential stuffing attacks.

Credential spills

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone.

Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as

Deputy Assistant Secretary of Defense Assistant Secretary of Defense is a title used for many high-level executive positions in the Office of the Secretary of Defense within the U.S. Department of Defense. The Assistant Secretary of Defense title is junior to Under Secretary of Defen ...

at the

Pentagon In geometry, a pentagon (from the Greek πέντε ''pente'' meaning ''five'' and γωνία ''gonia'' meaning ''angle'') is any five-sided polygon or 5-gon. The sum of the internal angles in a simple pentagon is 540°. A pentagon may be simpl ...

at the time.

Incidents

On 20 August 2018, U.K. health and beauty retailer

Superdrug Superdrug Stores plc (trading as Superdrug) is a health and beauty retailer in the United Kingdom, and the second largest behind Boots UK. The company is owned by A.S. Watson (Health & Beauty UK) Ltd which is part of the A.S. Watson Group. It ...

was targeted with an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence. In October and November 2016, attackers gained access to a private

GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous ...

repository used by

Uber Uber Technologies, Inc. (Uber), based in San Francisco, provides mobility as a service, ride-hailing (allowing users to book a car and driver to transport them in a way similar to a taxi), food delivery (Uber Eats and Postmates), package ...

(Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential-stuffing method, as email addresses and passwords had been reused on other platforms.

Multi-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...

, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a

bug bounty program A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabiliti ...

but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K.

Information Commissioner's Office The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independe ...

. In 2019 Cybersecurity research firm Knight Lion Security claimed in a report that credential stuffing was favored attack method for

GnosticPlayers GnosticPlayers is a computer hacking group, which is believed to have been formed in 2019 and gained notability for hacking Zynga, Canva, and several other online services. ''The Independent'' reported that GnosticPlayers had claimed responsibilit ...

Compromised credential checking

Compromised credential checking is a technique enabling users to be notified when passwords are breached by websites, web browsers or password extensions. In February 2018, British computer scientist

Junade Ali Junade Ali is a British computer scientist known for research in cybersecurity.CEng registration number ''673221''. https://www.engc.org.uk/regcheck Ali studied for a Master of Science degree aged 17 and was awarded Chartered Engineer status b ...

created a communication protocol (using ''k''-anonymity and

cryptographic hashing A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...

) to anonymously verify whether a password was leaked without fully disclosing the searched password. This protocol was implemented as a public API and is now consumed by multiple websites and services, including

s and

browser extension A browser extension is a small software module for customizing a web browser. Browsers typically allow a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web p ...

s. This approach was later replicated by

's Password Checkup feature. Ali worked with academics at

Cornell University Cornell University is a private statutory land-grant research university based in Ithaca, New York. It is a member of the Ivy League. Founded in 1865 by Ezra Cornell and Andrew Dickson White, Cornell was founded with the intention to teach an ...

to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). In March 2020,

cryptographic padding In cryptography, padding is any of a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message ...

was added to the protocol.

Compromised credential checking implementations

{, class="wikitable" , - ! Protocol ! Developers ! Made Public ! References , - ,

k-Anonymity ''k''-anonymity is a property possessed by certain anonymized data. The concept of ''k''-anonymity was first introduced by Latanya Sweeney and Pierangela Samarati in a paper published in 1998 as an attempt to solve the problem: "Given person-speci ...

(

Cloudflare Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in San ...

Troy Hunt Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created Have I Been Pwned?, a data breach search website that allows users to see if their personal information has been com ...

(

Have I Been Pwned? Have I Been Pwned? (HIBP; with "Pwned" pronounced like "poned", and stylized in all lowercase as "';--have i been pwned?" on the website) is a website that allows Internet users to check whether their personal data has been compromised by ...

) , 21 February 2018 , , - , Frequency Smoothing Bucketization & Identifier Based Bucketization ,

(Lucy Li, Bijeeta Pal, Rahul Chatterjee, Thomas Ristenpart),

(

, Nick Sullivan) , May 2019 , , - , Google Password Checkup (GPC) ,

Stanford University Stanford University, officially Leland Stanford Junior University, is a private research university in Stanford, California. The campus occupies , among the largest in the United States, and enrolls over 17,000 students. Stanford is consider ...

, August 2019 , , - , Active Credential Stuffing Detection ,

University of North Carolina at Chapel Hill A university () is an institution of higher (or tertiary) education and research which awards academic degrees in several academic disciplines. Universities typically offer both undergraduate and postgraduate programs. In the United States ...

(Ke Coby Wang, Michael K. Reiter) , December 2019 , {{cite book , last1=Wang , first1=Ke Coby , last2=Reiter , first2=Michael K. , title=Detecting Stuffing of a User's Credentials at Her Own Accounts , date=2020 , pages=2201–2218 , arxiv=1912.11118 , isbn=9781939133175 , url=https://www.usenix.org/conference/usenixsecurity20/presentation/wang , language=en

References

External links

*
OWASP entry on Credential Stuffing
Password authentication