In a credential stuffing attack, cybercriminals take advantage of weak and reused passwords. Automated bots will take a list of username/password pairs that have been exposed in data breaches and try them on other online accounts. If the user has the same credentials on multiple sites, this provides the attacker with unauthorized access to a legitimate user account.
Credential stuffing attacks use large lists of username/password pairs that have been exposed. In some data breaches, improper credential storage results in the entire password database being leaked. In others, cybercriminals crack some users’ passwords via password guessing attacks. Credential stuffers can also gain access to usernames and passwords through phishing and similar attacks.
These lists of usernames and passwords are fed to a botnet, which uses them to try to log onto certain target sites. For example, the credentials breached by a travel website may be checked against a large banking institution. If any users reused the same credentials across both sites, then the attackers may be able to successfully log into their accounts.
After identifying valid username/password pairs, the cybercriminals may use them for a variety of different purposes, depending on the account in question. Some credentials may provide access to corporate environments and systems, while others may allow attackers to make purchases using the account owner’s bank account. A credential stuffing group may take advantage of this access themselves or sell it on to another party.
Brute force password attack is a general term that covers a few different specific attack techniques. In general, a brute force attack means that the attacker simply tries different candidate passwords until one works.
The term brute force attack is most commonly used to refer to an attack where the attacker is trying every possible option for a password. For example, a brute force attack on an eight character password may try aaaaaaaa, aaaaaaab, aaaaaaac, etc. While this approach is guaranteed to find the correct password eventually, it is slow to the point of being infeasible for a strong password.
Credential stuffing takes a different approach to guessing a user’s password. Instead of looking at all possible password combinations, it focuses on those that are known to have been used by a real person because they were exposed in a breach. This approach to password guessing is much faster than a brute force search, but it depends on the assumption that passwords are reused across multiple sites. Since most people do reuse the same password on multiple sites, this is a safe assumption to make.
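The two patterns described above (a botnet trying one leaked password per account across many usernames, versus a brute force attack hammering a single account with many guesses) leave different traces in authentication logs. The following Python script is an added example, not code from the original article or from Check Point, that shows one way a defender can tell them apart. The log line format, the sample log lines and the thresholds are constructed for this example and would need tuning for real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The line format is an
# assumption for this example: "<ISO timestamp> src=<ip> user=<name> result=<ok|fail>".
# 203.0.113.7 tries one password for each of 12 accounts in 11 seconds (stuffing).
# 198.51.100.9 tries 12 passwords against one account in 11 seconds (brute force).
# 192.0.2.5 is ordinary user traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01 src=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02 src=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03 src=203.0.113.7 user=dave result=ok
2024-05-01T10:00:04 src=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05 src=203.0.113.7 user=frank result=fail
2024-05-01T10:00:06 src=203.0.113.7 user=grace result=fail
2024-05-01T10:00:07 src=203.0.113.7 user=heidi result=fail
2024-05-01T10:00:08 src=203.0.113.7 user=ivan result=fail
2024-05-01T10:00:09 src=203.0.113.7 user=judy result=fail
2024-05-01T10:00:10 src=203.0.113.7 user=karl result=fail
2024-05-01T10:00:11 src=203.0.113.7 user=liam result=fail
2024-05-01T10:05:00 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:01 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:02 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:03 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:04 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:05 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:06 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:07 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:08 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:09 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:10 src=198.51.100.9 user=carol result=fail
2024-05-01T10:05:11 src=198.51.100.9 user=carol result=fail
2024-05-01T10:10:00 src=192.0.2.5 user=alice result=ok
2024-05-01T10:12:30 src=192.0.2.5 user=bob result=fail
2024-05-01T10:12:45 src=192.0.2.5 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ip": m["ip"],
                "user": m["user"],
                "ok": m["result"] == "ok",
            })
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=10,
                     min_distinct_users=8, max_success_ratio=0.2):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    Heuristic (thresholds are illustrative assumptions, tune to your own traffic):
    - credential stuffing: a burst of attempts spread over many different
      usernames with a low success rate (one leaked password per account);
    - brute force: a burst of attempts against a single username.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        attempts = len(evs)
        users = {e["user"] for e in evs}
        successes = sum(e["ok"] for e in evs)
        span = evs[-1]["ts"] - evs[0]["ts"]
        burst = attempts >= min_attempts and span <= window
        if burst and len(users) >= min_distinct_users and successes / attempts <= max_success_ratio:
            label = "credential_stuffing"
        elif burst and len(users) == 1:
            label = "brute_force"
        else:
            label = "normal"
        report[ip] = {
            "label": label,
            "attempts": attempts,
            "distinct_users": len(users),
            "successes": successes,
            # Accounts that authenticated successfully inside an attack burst are the
            # ones to flag for step-up authentication or a forced password reset.
            "compromised_candidates": sorted(e["user"] for e in evs if e["ok"]) if label != "normal" else [],
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinguishing signal is the ratio of distinct usernames to attempts: a stuffing bot spends one attempt per account, so nearly every attempt names a different user, while a brute force attack repeats the same user. A real deployment would also correlate across source IPs, since botnets spread their attempts to stay under per-IP rate limits, and would feed the `compromised_candidates` list into an account-protection workflow rather than just printing it.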
Credential stuffing presents a serious risk to both personal and corporate security. A successful credential stuffing attack gives the attacker access to the user’s account, which may contain sensitive information or the ability to perform financial transactions or other privileged actions on the user’s behalf. However, despite the well-publicized threat of password reuse, most people are not changing their password behaviors.
Credential stuffing can also put the enterprise at risk if passwords are reused across personal and business accounts. Companies can take a few different steps to mitigate the risk of credential stuffing attacks, including:
Check Point’s Harmony Browse protects against credential stuffing in a couple of different ways, including:
To see Harmony Browse in action, check out this video.