Sage Advice - Cybersecurity Blog

The Danger of Stolen Usernames and Passwords: Credential Stuffing

The popular tax preparation software TurboTax recently announced that an unauthorized party had accessed an undisclosed number of its clients’ accounts. But it wasn’t because they had suffered a data breach. Instead they were victims of a credential stuffing attack – a cyberattack that continues to gain popularity.

What is Credential Stuffing?

Credential stuffing is a pretty straightforward technique used by attackers. Armed with lists of stolen usernames and passwords, they try to “stuff” those credentials into other online services. Because it’s common for people to reuse the same username / password combo, the attacker is often able to unlock multiple accounts, and to the service each login looks like a legitimate one.

When an attacker gains access, they can exploit it by extracting personal data to sell on the dark web. They can also sell access to the actual account that has been hacked. For example, in the recent Dunkin’ Donuts credential stuffing attack, criminals could buy access to the hacked DD Perks reward accounts and use reward points to receive unearned discounts and free beverages.
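From the defender’s side, the pattern described above has a recognizable signature in authentication logs: one source tries many different usernames in a short time, and most of those attempts fail. The following is an added example (not code from the original post) that reads a few constructed log lines, in an assumed format of timestamp, source IP, username and result, and flags sources that match that signature, listing the accounts where a stolen credential actually worked so they can be reset and notified.

```python
"""Flag login traffic that looks like credential stuffing.

Added example, not part of the original post. The log format, the
thresholds and the IP addresses below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Constructed sample: a legitimate user mistyping twice, then a single
# source trying eight different accounts in seven seconds, one of which
# succeeds, plus an unrelated malformed line that the parser must skip.
SAMPLE_LOG = """\
2019-03-01T10:00:00Z 198.51.100.5 alice FAIL
2019-03-01T10:00:20Z 198.51.100.5 alice FAIL
2019-03-01T10:00:45Z 198.51.100.5 alice OK
this line is not a login record
2019-03-01T10:01:00Z 203.0.113.7 alice FAIL
2019-03-01T10:01:01Z 203.0.113.7 bob FAIL
2019-03-01T10:01:02Z 203.0.113.7 carol FAIL
2019-03-01T10:01:03Z 203.0.113.7 dave OK
2019-03-01T10:01:04Z 203.0.113.7 erin FAIL
2019-03-01T10:01:05Z 203.0.113.7 frank FAIL
2019-03-01T10:01:06Z 203.0.113.7 grace FAIL
2019-03-01T10:01:07Z 203.0.113.7 heidi FAIL
2019-03-01T10:02:00Z 198.51.100.9 bob OK
"""


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.8):
    """Per source IP, slide a time window over its login attempts and alert
    when the window holds at least `min_users` distinct usernames and at
    least `min_fail_rate` of the attempts failed. A normal user retrying
    one account never trips this; a replayed credential list does."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                # Successful logins inside a stuffing burst are the accounts
                # whose reused password just worked: reset and notify them.
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "successes": sorted(e[2] for e in win if e[3]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts; "
              f"compromised: {info['successes']}")
```

The per-IP grouping is the simplest form of this check and is defeated by attackers that spread a list across many addresses, so in practice it is paired with per-account failure counts and a baseline of the site’s overall failure rate, which the spikes in login traffic mentioned later in this post push well above normal.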

Credential Stuffing on the Rise

In addition to the Dunkin’ Donuts and TurboTax incidents, there has been a rash of credential stuffing attacks in the past few months. According to ZDNet, ad blocker company AdGuard suffered one in September 2018; banking giant HSBC in November; and Reddit, DailyMotion, Deliveroo, and Basecamp in January 2019.

In an article from CSO, Ari Weil, Akamai's Vice President of Product Marketing, states that many e-commerce providers are singularly focused on protecting financial information, like credit card numbers. This has left them open to “exploitation by cybercriminals that regularly use bots to pepper sites with stolen credentials until they are allowed onto the site – at which point goods are falsely ordered, or other personal information is harvested to fill out ever more-detailed personal profiles that can fuel identity theft or be sold online.” 

According to Ponemon Institute's The Cost of Credential Stuffing Report:

  • On average, companies experience 12.7 credential stuffing attacks each month, wherein the attacker is able to identify valid credentials
  • An average of 1,252 user accounts are typically targeted in each credential stuffing attack
  • Approximately 12.4 percent of credential stuffing attempts on average are successful in identifying valid user credentials

The report goes on to list the top negative consequences respondents suffered as a result of a credential stuffing attack. They include:

  • Application downtime from large spikes in login traffic
  • Costs to remediate compromised accounts, including call-center time or manual investigation / analysis by the security or fraud team
  • Lower customer satisfaction
  • Compromised accounts leading to fraud-related financial losses
  • Lost business due to customers switching to competitors
  • Damaged brand equity from news stories or social media

Stolen emails and passwords are extremely easy for attackers to purchase, and there are a lot out there to choose from. A massive repository of credentials – likely stolen from many different data breaches – was found on the dark web in early 2019. The 87 GB file, dubbed “Collection #1,” consisted of 773 million unique email addresses and their associated cracked, or dehashed, passwords.

How to Protect Your Accounts from Being Compromised in a Credential Stuffing Attack

Credential stuffing is so successful because it’s easy and it works! This is mostly because people don’t follow best practices when it comes to their login credentials. The 2019 State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute, found:

  • 51 percent of respondents reuse passwords across business and personal accounts
  • 67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work
  • 2 out of 3 (69%) respondents share passwords with colleagues to access accounts
  • 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors

By following authentication best practices, you can greatly reduce your risk of being impacted by a credential stuffing attack.

1. Choose a strong password.

Passwords should be long, strong, and complex. For example, choose a passphrase of four unrelated words. Make it as long as possible – at least 15 characters – and use uppercase letters, lowercase letters, numbers, and special characters. Avoid predictable character substitutions (e.g., Pa$$word), as well as names, patterns, and sequences.

2. Don’t use the same passwords at multiple sites where protected and / or sensitive information is exchanged.

We understand it can be difficult to manage multiple passwords, but it’s necessary! Consider using a password manager tool to securely generate, encrypt, and store your passwords.

3. Always turn on two-factor authentication.

Two-factor authentication can provide you with an extra layer of security because it requires at least two things to access an account – something you know (a password), something you have (an authentication code generated by an authenticator app on your phone or a one-time PIN texted to your phone), and/or something you are (a fingerprint). Always use two-factor authentication when available.

You can check out to find out which of your accounts offer it.

4. Change your passwords regularly.

If you have not changed your passwords recently, don’t wait! Even if your credentials have already been compromised, you can stop a credential stuffing attack in its tracks just by changing your passwords. Criminals are opportunistic. Don’t make it easy for them to break into your account!
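Steps 1, 2 and 4 above all come down to one question a service can answer for its users at sign-up or password change: is this password long enough, and has it already appeared in a leak such as Collection #1? The following added example (not the post’s or any vendor’s code) screens a candidate password against a constructed breached-password corpus using the k-anonymity range lookup popularized by Have I Been Pwned’s Pwned Passwords service: the client sends only the first five hex characters of the SHA-1 hash, the server returns every hash suffix with that prefix, and the full hash never leaves the client. The corpus contents and the policy threshold of 15 characters (taken from step 1) are assumptions.

```python
"""Screen a password for length and for presence in a breached corpus
without sending the password, or even its full hash, to the lookup service.

Added example; the corpus below is constructed from a handful of
well-known weak passwords and stands in for a real breached-hash list.
"""
import hashlib


def sha1_hex(password):
    """Uppercase hex SHA-1, the form breached-password corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-credential corpus (assumption).
BREACHED_CORPUS = {sha1_hex(p) for p in ["password", "123456", "qwerty", "Pa$$word", "letmein"]}


def range_query(prefix):
    """Server side of the k-anonymity protocol: given a 5-hex-char prefix,
    return every suffix in the corpus that shares it. The server learns
    only the prefix, which matches many unrelated hashes."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in BREACHED_CORPUS if h.startswith(prefix))


def is_breached(password):
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def check_password(password, min_len=15):
    """Return a list of policy problems; an empty list means the password
    passes. `min_len` follows the 15-character guidance in step 1."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if is_breached(password):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa$$word", "tundra violin kettle lantern 42!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

A rejected password should be refused with a generic message (“this password has appeared in a data breach”) rather than stored or logged, and the same range lookup can be run on the server at login time to prompt existing users to change a password that has since leaked, which covers step 4 without waiting for the user to notice.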

One in five data thefts today involves some form of credential theft, according to the recently released "Cybersecurity Threatscape" report from Positive Technologies. It’s incumbent upon us all to take the necessary steps to protect our personal information.


Topics: Cyber Defense, Privacy, Cybersecurity Awareness
