Credential Stuffing

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses those credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing does not attempt to brute-force or guess any passwords: the attacker simply automates logins for a large number (thousands to millions) of previously discovered credential pairs, using standard web automation tools such as Selenium, cURL and PhantomJS, or tools designed specifically for these attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites; one survey reported that 81% of users have reused a password across two or more sites and that 25% use the same password across a majority of their accounts. In 2017 the FTC issued an advisory suggesting specific actions companies should take against credential stuffing, such as insisting on secure passwords and guarding against attacks. According to former Google click-fraud czar Shuman Ghosemajumder, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts. Wired magazine described the best protection against credential stuffing as using a unique password on every account, such as those generated automatically by a password manager, enabling two-factor authentication, and having companies detect and stop credential stuffing attacks.
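The last recommendation above, that companies detect and stop credential stuffing, rests on a traffic pattern the definition already implies: one source tries many different usernames roughly once each, with almost every attempt failing, whereas password guessing hammers one username and a legitimate user retries one account a couple of times. The following added example (written for this page, not code from the original article or from any vendor) runs that distinction over a handful of constructed login log lines. The log format, the thresholds and the IP addresses are assumptions chosen for illustration; real web servers log logins in their own formats.

```python
"""Detecting credential stuffing in web login logs (added example, not from the page)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log lines; the line format is an assumption for this example:
#   <timestamp> <client_ip> POST /login user=<name> status=<ok|fail>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 POST /login user=alice status=fail
2024-05-01T10:00:02Z 203.0.113.7 POST /login user=bob status=fail
2024-05-01T10:00:02Z 203.0.113.7 POST /login user=carol status=fail
2024-05-01T10:00:03Z 203.0.113.7 POST /login user=dave status=fail
2024-05-01T10:00:03Z 203.0.113.7 POST /login user=erin status=ok
2024-05-01T10:00:04Z 203.0.113.7 POST /login user=frank status=fail
2024-05-01T10:00:04Z 203.0.113.7 POST /login user=grace status=fail
2024-05-01T10:00:05Z 203.0.113.7 POST /login user=heidi status=fail
2024-05-01T10:00:05Z 203.0.113.7 POST /login user=ivan status=fail
2024-05-01T10:00:06Z 203.0.113.7 POST /login user=judy status=fail
2024-05-01T10:01:00Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:01:01Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:01:02Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:01:03Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:01:04Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:01:05Z 198.51.100.9 POST /login user=carol status=fail
2024-05-01T10:02:00Z 192.0.2.5 POST /login user=dave status=fail
2024-05-01T10:02:09Z 192.0.2.5 POST /login user=dave status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>ok|fail)$"
)


class SourceStats(NamedTuple):
    attempts: int        # login requests seen from this source
    distinct_users: int  # how many different usernames it tried
    failures: int        # how many of the requests failed


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stats_by_source(events: List[dict]) -> Dict[str, SourceStats]:
    """Aggregate attempts, distinct usernames and failures per client IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["status"] == "fail":
            s["failures"] += 1
    return {ip: SourceStats(s["attempts"], len(s["users"]), s["failures"])
            for ip, s in per_ip.items()}


def classify(stats: SourceStats, min_users: int = 5, min_fail_ratio: float = 0.8,
             max_attempts_per_user: float = 1.5) -> str:
    """Label one source. Thresholds are illustrative assumptions, not tuned values."""
    if stats.attempts == 0:
        return "none"
    fail_ratio = stats.failures / stats.attempts
    per_user = stats.attempts / stats.distinct_users
    # Stuffing: many usernames, each tried about once, nearly all failing.
    if (stats.distinct_users >= min_users and fail_ratio >= min_fail_ratio
            and per_user <= max_attempts_per_user):
        return "credential_stuffing"
    # Password guessing: one username hit repeatedly, nearly all failing.
    if stats.distinct_users == 1 and stats.attempts >= min_users and fail_ratio >= min_fail_ratio:
        return "brute_force"
    return "benign"


def detect(text: str) -> Dict[str, str]:
    """Map each client IP in the log to its classification."""
    return {ip: classify(s) for ip, s in stats_by_source(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(ip, label)
```

The source 203.0.113.7 takes over one of ten accounts here, the same order of success the 2% figure above describes, and is still easy to spot because the nine failures spread across nine different usernames. Per-IP counting is only a first cut: real campaigns rotate through proxies so that no single address trips a threshold, so a production detector also watches the site-wide failed-login rate, the share of attempted usernames that do not exist, and distinct IPs per username.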


Credential spills

A credential spill, alternatively referred to as a data breach or leak, arises when unauthorized individuals or groups illicitly obtain access to sensitive user credentials that organizations store. Such credentials frequently comprise usernames, email addresses, and passwords. The repercussions of credential spills can be significant, as they commonly subject users to a range of hazards, including identity theft, financial fraud, and unauthorized account infiltration. Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone.


Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time.


Incidents

On 20 August 2018, U.K. health and beauty retailer Superdrug was targeted with an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The evidence was most likely obtained from earlier breaches and spills and then used as the source for credential stuffing attacks to glean the information behind the bogus evidence.

In October and November 2016, attackers gained access to a private GitHub repository used by Uber (Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' accounts by credential stuffing, as email addresses and passwords had been reused on other platforms. Multi-factor authentication, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a bug bounty program but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K. Information Commissioner's Office.

In 2019 the cybersecurity research firm Knight Lion Security claimed in a report that credential stuffing was the favored attack method of GnosticPlayers.


Compromised credential checking

Compromised credential checking is a technique that lets users be notified, by websites, web browsers or password-manager extensions, when a password they use has appeared in a breach. In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was leaked without fully disclosing the searched password: the client sends only a short prefix of the password's hash, the server returns every breached hash sharing that prefix, and the client finishes the comparison locally. This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers and browser extensions. The approach was later replicated by Google's Password Checkup feature. Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). In March 2020, cryptographic padding was added to the protocol so that responses for different prefixes have the same size and an observer cannot infer the queried prefix from the response length.
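The k-anonymity exchange described above, with both the client and the server side, as an added example written for this page (it is not the code of the public API, of any password manager, or of the protocol's authors). It assumes a SHA-1 hash, a 5-hex-character prefix, a constructed breach corpus with synthetic counts, and a padding floor of eight rows where padded rows carry a count of zero; the real service uses a much larger floor, so treat the numbers as illustration only.

```python
"""k-anonymity range query for compromised-password checking (added example, not from the page)."""
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed breach corpus: plaintext password -> times seen. Counts are synthetic.
BREACHED_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 104478,
    "qwerty": 3946737,
    "Summer2019!": 42,
}

PREFIX_LEN = 5      # hex characters of the hash the client reveals (assumption)
MIN_RESPONSE = 8    # assumed padding floor; padded rows are marked with count 0
HASH_HEX_LEN = 40   # SHA-1 digest as hex


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the hash the protocol compares."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Server side: holds hashes only and answers range queries on a hash prefix."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        # The server never needs plaintexts; it indexes hash -> count.
        self.by_hash = {sha1_hex(p): c for p, c in corpus.items()}

    def range_query(self, prefix: str) -> List[Tuple[str, int]]:
        """Return (suffix, count) for every stored hash starting with prefix, padded."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        rows = [(h[PREFIX_LEN:], c) for h, c in self.by_hash.items() if h.startswith(prefix)]
        seen = {s for s, _ in rows}
        # Padding: fake suffixes with count 0 so every response has at least
        # MIN_RESPONSE rows and response size does not leak how many hashes
        # share the prefix.
        while len(rows) < MIN_RESPONSE:
            fake = secrets.token_hex(18).upper()[: HASH_HEX_LEN - PREFIX_LEN]
            if fake not in seen:
                rows.append((fake, 0))
                seen.add(fake)
        secrets.SystemRandom().shuffle(rows)
        return rows


def check_password(password: str, server: BreachServer) -> int:
    """Client side: reveal only the hash prefix; return the breach count (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for row_suffix, count in server.range_query(prefix):
        # Ignore padding rows (count 0) so a fake suffix can never match as "breached".
        if row_suffix == suffix and count > 0:
            return count
    return 0


if __name__ == "__main__":
    srv = BreachServer(BREACHED_CORPUS)
    for pw in ("password", "Summer2019!", "n0t-in-any-breach-9f2a"):
        print(pw, "->", check_password(pw, srv))
```

What crosses the wire is the 5-character prefix in one direction and a list of 35-character suffixes in the other, so the server learns only that the client's password hashes into a bucket of 16^35 candidates, and the padding keeps the bucket size from being read off the response length. The client must discard count-0 rows, otherwise a padding suffix that happened to equal the real suffix would be reported as a hit; the collision probability is negligible, but the check is free.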


Compromised credential checking implementations

Protocol | Developers | Made public | References
k-Anonymity | Junade Ali (Cloudflare), Troy Hunt (Have I Been Pwned?) | 21 February 2018 |
Frequency Smoothing Bucketization & Identifier-Based Bucketization | Cornell University (Lucy Li, Bijeeta Pal, Rahul Chatterjee, Thomas Ristenpart), Cloudflare (Junade Ali, Nick Sullivan) | May 2019 |
Google Password Checkup (GPC) | Google, Stanford University | August 2019 |
Active Credential Stuffing Detection | University of North Carolina at Chapel Hill (Ke Coby Wang, Michael K. Reiter) | December 2019 | Wang & Reiter 2020

Wang, Ke Coby; Reiter, Michael K. (2020). "Detecting Stuffing of a User's Credentials at Her Own Accounts". USENIX Security Symposium 2020, pp. 2201–2218. arXiv:1912.11118. https://www.usenix.org/conference/usenixsecurity20/presentation/wang


See also

* Data breach



External links

* OWASP entry on Credential Stuffing