Credential stuffing is a mass-scale attack in which lists of login credentials stolen from one site are replayed against other sites, in the hope that users reused the same username and password there.
Almost all websites these days depend on traffic to generate revenue, and traffic can be measured far more precisely when users log in than when they merely visit. As a result, even sites that offer free services will often request or require users to create an account and log in. Since no payment details change hands, the operators often treat that login data as low value and guard it poorly. In the worst cases the passwords are stored in plain text rather than as properly salted hashes.
Unfortunately, people are also creatures of habit. No matter how often they are warned to use a unique password for every site, they rarely do. In many cases a user will use the same login ID and password for the library or their Netflix account as for their bank account. Cybercriminals therefore target sites with high traffic and minimal security, from which they can harvest potentially millions of credentials, many of which are the very same credentials those users rely on for paid sites that hold financial information.
Once a cybercriminal has a plain text list of login credentials, they can do one of two things with it: sell it on the darknet for other cybercriminals to use in their own credential stuffing, or run a credential stuffing operation themselves.
How Does Credential Stuffing Work?
Once a cybercriminal has a plain text list of hundreds, thousands or even millions of login credentials, they can begin testing them against other sites for a number of purposes. In some cases they cross-reference the list with other darknet data sets that map email addresses to real names, looking for high-profile or high-net-worth individuals. In other cases they try the credentials on paid sites to carry out account takeovers. For instance, they may try hundreds of different logins against Netflix and then change the password and recovery details on any accounts that work. Once the login details have been changed, they effectively "own" the account while the original owner is left paying for it, and they can turn around and sell access to the hijacked account for a flat fee.
Needless to say, no one is going to sit and manually try hundreds or thousands of individual logins. That is where bots come in. A bot is fed the whole credential list and works through it, typically throttled to a few attempts per minute from any single address so that it blends in with normal traffic, and it reports back to the operator whenever a credential pair succeeds. Login systems generally have controls that notice many attempts from the same IP address, so attackers route their attempts through proxy networks or compromised machines (botnets) to make them appear to come from many different locations. Note that this is proxying rather than true IP spoofing: the bot must receive the server's reply to learn whether a login worked, which a forged source address would never deliver.
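The two behaviours described above, one address trying many accounts and a botnet spreading single attempts across many addresses, are what a defender looks for in authentication logs. The following is an added example and not code from the original article: the log format, the addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all constructed for illustration, and the thresholds should be tuned to your own traffic.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not code from the original article. The log format, the addresses
(RFC 5737 documentation ranges), the usernames and the thresholds are all
constructed for illustration; tune the thresholds to your own traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <client ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 bob FAIL
2024-05-01T10:00:05 203.0.113.7 carol FAIL
2024-05-01T10:00:07 203.0.113.7 dave FAIL
2024-05-01T10:00:09 203.0.113.7 erin OK
2024-05-01T10:00:11 203.0.113.7 frank FAIL
2024-05-01T10:00:13 203.0.113.7 grace FAIL
2024-05-01T10:00:15 203.0.113.7 heidi FAIL
2024-05-01T10:00:20 198.51.100.2 alice FAIL
2024-05-01T10:00:31 198.51.100.2 alice OK
2024-05-01T10:01:00 192.0.2.10 ivan FAIL
2024-05-01T10:01:30 192.0.2.11 judy FAIL
2024-05-01T10:02:00 192.0.2.12 mallory FAIL
2024-05-01T10:02:30 192.0.2.13 niaj FAIL
2024-05-01T10:03:00 192.0.2.14 olivia FAIL
"""

WINDOW = timedelta(minutes=5)      # how far back we look for each source
MIN_USERS_PER_IP = 5               # distinct accounts tried from one address
MIN_FAIL_RATIO = 0.8               # share of attempts that failed
MIN_SINGLE_SHOT_FAILS = 5          # one-attempt addresses failing in the same window


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def flag_stuffing_sources(events, window=WINDOW):
    """Per-address rule: one client trying many different accounts and mostly failing.

    A real user mistyping their own password touches one account; a bot working
    through a leaked list touches many. Returns {ip: (distinct_users, failures, attempts)}
    for the widest window that meets both thresholds."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= MIN_USERS_PER_IP and failures / len(win) >= MIN_FAIL_RATIO:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), failures, len(win))
    return flagged


def detect_distributed(events, window=WINDOW):
    """Low-and-slow rule: the per-address rule is blind to a bot that uses a fresh proxy
    for every attempt, so count distinct addresses that made exactly one attempt, failed,
    and did so within the same window. Returns (alert, max_such_addresses)."""
    attempts = Counter(ip for _, ip, _, _ in events)
    singles = sorted((ts, ip) for ts, ip, _, ok in events if attempts[ip] == 1 and not ok)
    start, peak = 0, 0
    for end in range(len(singles)):
        while singles[end][0] - singles[start][0] > window:
            start += 1
        peak = max(peak, len({ip for _, ip in singles[start:end + 1]}))
    return peak >= MIN_SINGLE_SHOT_FAILS, peak


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("stuffing sources:", flag_stuffing_sources(events))
    print("distributed attack:", detect_distributed(events))
```

On the constructed log, 203.0.113.7 is flagged (eight accounts, seven failures) while 198.51.100.2, a single user who mistyped once and then succeeded, is not; the five 192.0.2.x addresses each fail exactly once, which the per-address rule ignores but the distributed rule catches. In production the same signals are usually enriched with a global failure-rate baseline and the share of usernames that do not exist at all, which a leaked list from another site tends to produce in large numbers.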
How To Prevent Credential Stuffing
Credential stuffing can be stopped in a number of ways. Users can stop it in its tracks by using a unique password for every account, which a password manager makes practical. Businesses can limit how useful their own stolen data is to attackers by never storing passwords in plain text or under reversible encryption, and instead storing only a salted hash produced by a deliberately slow algorithm such as bcrypt, scrypt or Argon2, so that a leaked database cannot easily be turned back into the passwords that users reuse elsewhere.
Perhaps the most effective means of preventing credential stuffing, however, is enabling two-factor or multi-factor authentication. When a login ID and password are all that is needed to gain access, a reused password is all an attacker needs. When users must also log in from a registered device that performs a biometric check, or provide a one-time code from an authenticator app or a message sent to a device they control, a stolen password alone is no longer enough, and credential stuffing against that account becomes largely ineffective.
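The two server-side defences above, salted slow hashing of stored passwords and a second factor, fit together in a single login check. The following is an added example and not code from the original article: the user store and demo password are constructed, and the TOTP secret and timestamp in the demo are the RFC 6238 test vector so the expected one-time code is known.

```python
"""Two server-side defences: salted slow password hashing and a second factor.

Added example, not code from the original article. The user store, the demo
password and the TOTP secret are constructed; the secret/time pair used in the
demo is the RFC 6238 test vector so the expected code is known.
"""
import hashlib
import hmac
import os
import struct
import time

# scrypt work factors (memory = 128 * r * N bytes, here 16 MiB); raise N until a
# hash costs roughly 100 ms on your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOTP_STEP, TOTP_DIGITS = 30, 6


def hash_password(password, salt=None):
    """Return (salt, digest). A random 16-byte salt per user means two users with the
    same password get different digests, so a leaked table cannot be cracked in bulk
    with one precomputed dictionary, and the slow KDF makes every guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret, code, at, skew=1):
    """Accept the current step and one step either side to absorb clock drift."""
    now = at // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-skew, skew + 1))


def make_user(password, totp_secret):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


DUMMY_SALT = b"\x00" * 16


def login(users, username, password, code, at=None):
    """Full check: password AND one-time code. A stuffed credential that happens to
    match the password still fails without the second factor."""
    at = int(time.time()) if at is None else at
    user = users.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)  # keep timing similar for unknown usernames
        return False
    if not verify_password(password, user["salt"], user["digest"]):
        return False
    return verify_totp(user["totp_secret"], code, at)


# Constructed demo data; the TOTP secret/time pair is the RFC 6238 test vector.
RFC_SECRET = b"12345678901234567890"
USERS = {"alice": make_user("correct horse battery staple", RFC_SECRET)}

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)                                   # "287082"
    print("password only:", login(USERS, "alice", "correct horse battery staple", "000000", 59))
    print("password + code:", login(USERS, "alice", "correct horse battery staple", code, 59))
```

Even with the correct (stuffed) password, the login fails until the caller also supplies the one-time code, which the attacker holding only a leaked credential list does not have. A production verifier would additionally remember the last accepted time step per user so that an intercepted code cannot be replayed within the drift window, and would rate-limit code attempts so the six-digit space cannot simply be enumerated.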