The anatomy of a credential stuffing attack: Insights and countermeasures

Adam Cheriki, Co-founder & CTO, Entro

Imagine your organization’s most valuable assets are just a few keystrokes away from falling into the wrong hands. This is the reality of credential stuffing attacks, a growing threat that silently infiltrates systems and leaves a trail of destruction in its wake.

These attacks have become a pervasive issue, targeting not just user accounts but also the secrets and other non-human identities that hold the keys to the kingdom. According to Okta’s State of Security Incident Report 2024, credential stuffing attacks accounted for 24.3% of all login attempts. So, let’s look at what credential stuffing is all about.

What is credential stuffing?

Picture this: cybercriminals armed with millions of stolen username and password combinations, ready to unleash their attack on unsuspecting websites and applications. This is the reality of credential stuffing, a type of brute-force attack that has become a major headache for organizations worldwide. 

So, how do attackers get their hands on all these credentials? They collect them from data breach dumps, phishing campaigns, and dark web marketplaces, where credential pairs are traded in bulk. With a list in hand, they use botnets or custom-built scripts to test those pairs automatically across many platforms, exploiting the fact that many users reuse the same password across different services.

The scary part? Every attempt carries a real username and a real password, so credential stuffing slips past typical perimeter controls such as firewalls and intrusion detection systems; to those controls the attacker looks like a legitimate user walking through the front door with a valid key.

Now, you might be thinking, “Isn’t this the same as password spraying?” Close, but not quite. Password spraying tries one or a few common passwords against many usernames, keeping the attempts per account low enough to stay under lockout thresholds. Credential stuffing replays known username-password pairs taken from earlier breaches, so every attempt is a specific credential that has already worked somewhere else.

Credential stuffing attacks that made the news

Credential stuffing attacks have become increasingly prevalent in recent years, affecting organizations across industries. Let’s take a closer look at some of the most significant attacks that have made headlines in the past few years.

Norton LifeLock

In January 2023, Norton, a well-known cybersecurity company, disclosed that it had fallen victim to a credential stuffing attack targeting its password manager service. The company revealed that the attackers had tried around 925,000 active and inactive credential pairs and had successfully compromised approximately 6,450 customer accounts, about 0.7% of the targeted accounts.

23andMe

In December 2023, 23andMe, a popular genetic testing and genealogy service, confirmed that a credential stuffing attack had compromised the data of 6.9 million users. The attackers gained access to approximately 14,000 user accounts (0.1% of total users) by using credentials obtained from other security breaches, likely due to password reuse. The leaked data included users’ full names, usernames, profile photos, dates of birth, sex, genetic ancestry details, and location.

PayPal

PayPal reported that a credential stuffing attack in December 2022 impacted approximately 35,000 user accounts. While the global online payment giant stated that no unauthorized transactions were detected, the attackers may have accessed sensitive data, including Social Security numbers and dates of birth. 

Credential stuffing with non-human identities

To make matters worse, credential stuffing attacks target more than individual user accounts, and those other targets rarely make the news; many organizations may not even realize they have been hit. Cybercriminals are also after non-human identities, such as API keys and service accounts, the credentials used for machine-to-machine communication, automation, and integration between different systems and services.

Attackers understand that compromising these non-human identities can be incredibly lucrative. Non-human identities typically hold elevated privileges and grant access to sensitive data and critical functionality within an application or system. With a stolen key or token, the attacker does not need to defeat authentication and authorization at all: the system accepts the credential and permits every action exactly as it would for the legitimate service, and, unlike a human login, a service account or API key can rarely be protected by a second factor.

Considering API security risks, for example, if an attacker successfully compromises an API key for a cloud storage service, they could potentially read, modify, or delete sensitive data stored in the cloud. Similarly, if a service account credential for a continuous integration and deployment (CI/CD) pipeline is stolen, the attacker could inject malicious code into the application during the build process, compromising the entire software supply chain.

The risks associated with credential stuffing attacks targeting non-human identities are further compounded by the fact that these credentials are often hardcoded, shared among team members, and not rotated frequently enough. Attackers can exploit these weaknesses to maintain persistent access to compromised systems and move laterally within an organization’s network.

Impact on organizations

The impact of credential stuffing attacks on organizations can be severe and far-reaching. Beyond the immediate financial losses associated with fraud and unauthorized transactions, these attacks can lead to significant reputational damage and a loss of customer trust. In the aftermath of a breach, companies often face costly remediation efforts, including incident response, customer notification, and legal expenses.

Furthermore, credential stuffing attacks can lead to regulatory investigations and substantial fines for companies. With the increasing focus on data privacy and security, companies that fail to protect customer information may face penalties under regulations such as the GDPR or the CCPA.

So, how do you prevent credential stuffing attacks? Organizations must prioritize the security of both human and non-human identities. Regular vulnerability scans, risk assessments, and prompt patching are sound hygiene, but they do not stop an attacker who already holds a valid credential; the controls that matter here are multi-factor authentication for human accounts, bot detection at the login surface, and disciplined secrets management for non-human identities. More about this in the next section.

Preventive measures against credential stuffing attacks

Preventing credential stuffing effectively is a multi-layered process that combines proactive controls at the login surface with sound secrets management practices. Keep the following best practices in mind.

Deploy bot detection and management

  • Utilize advanced bot detection solutions to distinguish between legitimate user traffic and automated credential stuffing attempts
  • Analyze behavioral patterns, device fingerprints, and IP reputation scores to identify and block suspected bot traffic in real-time

Prioritize secrets management

  • Rely on secrets management solutions to store secrets in vaults, manage them, and monitor privileged credentials used by non-human identities 
  • Leverage secrets detection to discover and inventory all secrets, including those hardcoded in source code or configuration files
  • Enforce least-privilege access controls for vault access
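The secrets detection bullet above is easy to state and harder to do well. The scanner below is an added example, not Entro’s product code: it combines the two techniques most detection tools rely on, regex matches for published credential formats (the AWS access key ID shape and the GitHub classic PAT prefix) and a Shannon-entropy check on values assigned to names that look like secrets, so that placeholders such as `changeme` are not reported. The sample file it scans is constructed for the example; the AWS value is the one AWS uses in its own documentation, and none of the values are real credentials.

```python
"""Hardcoded-secret scanner: an added example, not Entro's product code.

Combines two techniques most secret-detection tools rely on: known credential
formats matched by regex, and a Shannon-entropy check on values assigned to
suspicious-looking names (api_key, token, password, ...).
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Published credential formats. The AWS access key ID (AKIA + 16 uppercase
# alphanumerics) and the GitHub classic PAT (ghp_ + 36 chars) are documented
# shapes; a PEM private-key header is unambiguous on its own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "NAME = value" / "name: value" where NAME suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)(\w*(?:api[_-]?key|secret|token|password|passwd)\w*)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{8,})"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys on a base64-like alphabet score well
    above 3.5; words and placeholders such as 'changeme' score under 3."""
    n = len(s)
    if n == 0:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
                hit = True
        if hit:
            continue  # a known format already explains this line
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # Low-entropy values are placeholders or dictionary words, not keys.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, f"high_entropy:{name}", value))
    return findings


def mask(value: str) -> str:
    """Never echo the secret itself into a report or a ticket."""
    return value[:4] + "*" * (len(value) - 4)


def report(findings: list[Finding]) -> list[str]:
    return [f"line {f.line_no}: {f.kind} -> {mask(f.value)}" for f in findings]


# Constructed sample file; the AWS value is AWS's documentation example and
# none of the other values are real credentials.
SAMPLE = """\
# settings.py (constructed sample, not a real file)
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "replace_me_replace_me"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123"
SERVICE_TOKEN = "q7Vh2xL9pM4sZ1kR8nB3wT6yJ0cF5dG2"
"""

if __name__ == "__main__":
    for line in report(scan(SAMPLE)):
        print(line)
```

Run against the sample, the scanner reports the AWS key on line 4, the GitHub token on line 6 and the random-looking service token on line 7, and stays quiet on `changeme` and `replace_me_replace_me`. Two design points carry over to any real deployment: a line already explained by a known format is not reported twice, and the report masks the value, because a scanner that copies the secret into a ticket has just created another place the secret lives.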

Secure secret creation and rotation

  • Automatically generate complex secrets rather than relying on human-generated credentials
  • Leverage context-based secrets rotation that can be time- or event-driven, to reduce the timeframe in which attackers can abuse compromised credentials
  • Integrate secrets management solutions with DevOps tools and processes (e.g., CI/CD pipelines, IaC) to identify and resolve hardcoded secrets and ensure secure secrets usage across dynamic environments
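The three bullets above describe one procedure: generate the secret by machine, rotate it on a clock or on an event, and do it without breaking the clients that still hold the previous value. The following is an added example, not Entro’s product code, that models that procedure for a single non-human identity. The event names `leak_detected` and `owner_offboarded` are hypothetical; the grace window is the overlap during which the previous version is still accepted, and a version suspected of leaking gets no such window.

```python
"""Time- and event-driven secret rotation with an overlap window.

Added example, not Entro's product code. One non-human identity's credential
is kept as a short list of versions: the newest is handed out, the previous
one keeps working for a grace window so in-flight clients do not break, and
a version suspected of leaking is retired on the spot.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Events that justify rotating regardless of age (hypothetical names).
URGENT_EVENTS = {"leak_detected", "owner_offboarded"}


@dataclass
class SecretVersion:
    value: str
    created_at: datetime
    retire_at: datetime | None = None  # None while this is the current version


@dataclass
class RotatingSecret:
    max_age: timedelta          # time-driven trigger
    grace: timedelta            # overlap during which the old version still works
    versions: list[SecretVersion] = field(default_factory=list)

    def current(self) -> SecretVersion:
        return self.versions[-1]

    def needs_rotation(self, now: datetime, events: tuple[str, ...] = ()) -> bool:
        if not self.versions:
            return True
        if now - self.current().created_at >= self.max_age:
            return True
        return any(e in URGENT_EVENTS for e in events)

    def rotate(self, now: datetime, events: tuple[str, ...] = ()) -> str | None:
        """Issue a new version if due. Returns the new value, or None if nothing changed."""
        if not self.needs_rotation(now, events):
            return None
        if self.versions:
            old = self.current()
            # A leaked value gets no grace period; an aged one gets the overlap window.
            old.retire_at = now if "leak_detected" in events else now + self.grace
        # The machine generates the value: 32 random bytes, URL-safe base64.
        new = SecretVersion(value=secrets.token_urlsafe(32), created_at=now)
        self.versions.append(new)
        return new.value

    def is_valid(self, presented: str, now: datetime) -> bool:
        """Accept any version that has not retired yet, using a constant-time compare."""
        for v in self.versions:
            if v.retire_at is not None and now >= v.retire_at:
                continue
            if hmac.compare_digest(v.value, presented):
                return True
        return False

    def purge(self, now: datetime) -> None:
        """Drop retired versions so old values cannot be resurrected later."""
        self.versions = [v for v in self.versions if v.retire_at is None or now < v.retire_at]


def demo() -> dict[str, bool]:
    """Walk through an age-driven rotation and an event-driven one."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = RotatingSecret(max_age=timedelta(days=30), grace=timedelta(hours=1))
    v1 = s.rotate(t0)                                           # initial issue
    out = {"fresh_not_rotated": s.rotate(t0 + timedelta(days=1)) is None}
    v2 = s.rotate(t0 + timedelta(days=31))                      # age-driven
    out["old_valid_in_grace"] = s.is_valid(v1, t0 + timedelta(days=31, minutes=30))
    out["old_rejected_after_grace"] = not s.is_valid(v1, t0 + timedelta(days=31, hours=2))
    out["new_valid"] = s.is_valid(v2, t0 + timedelta(days=31, hours=2))
    v3 = s.rotate(t0 + timedelta(days=32), events=("leak_detected",))  # event-driven
    t_leak = t0 + timedelta(days=32, seconds=1)
    out["leaked_rejected_immediately"] = not s.is_valid(v2, t_leak)
    out["replacement_valid"] = s.is_valid(v3, t_leak)
    out["wrong_value_rejected"] = not s.is_valid("not-a-real-secret", t_leak)
    s.purge(t_leak)
    out["only_current_kept"] = len(s.versions) == 1
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the overlap window is that rotation on a schedule must not itself cause an outage, or teams will quietly stop doing it; the point of the zero-grace path is that once a value is suspected of being in an attacker’s hands, every minute of overlap is attacker time. In a real vault the versions would live server-side and clients would fetch the current value through the CI/CD or IaC integration rather than holding it in a file.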

Monitor and alert on anomalies

  • Look out for anomalous behavior, such as excessive failed login attempts or unusual secrets access patterns
  • Promptly investigate and remediate any suspected incidents
  • Regularly assess and update preventive measures to ensure they remain effective against the latest attack tactics and techniques
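Both the bot-detection bullets earlier and the “excessive failed login attempts” bullet just above come down to the same question: what does a credential stuffing run look like in your own login logs? The detector below is an added example, not Entro’s product code. It reads a constructed log (documentation IP ranges only, no real traffic), aggregates attempts per source IP, and flags the signature a stuffing run leaves even though the passwords themselves are never visible: many distinct usernames, roughly one try each, and a failure rate in the high nineties, which matches the 0.7% and 0.1% hit rates in the Norton and 23andMe cases above. Device fingerprints and IP reputation, which the bot-detection bullets mention, are left out here; the line format and the thresholds are assumptions for the example.

```python
"""Credential-stuffing detection over login logs: an added example, not Entro's code.

Aggregates attempts per source IP and flags the signature the attack leaves
without any visibility into passwords: many distinct usernames, roughly one
try each, and a failure rate in the high nineties.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed line format: "<timestamp> <src_ip> <username> <OK|FAIL>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts

    @property
    def attempts_per_user(self) -> float:
        return self.attempts / len(self.users)


def aggregate(lines: list[str]) -> dict[str, SourceStats]:
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line; in production, count and alert on these too
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 30, min_users: int = 25,
             fail_threshold: float = 0.9) -> str:
    """Thresholds are illustrative; tune them against your own baseline."""
    if s.attempts < min_attempts or s.failure_ratio < fail_threshold:
        return "normal"  # low volume, or mostly successful (an office NAT, for instance)
    if len(s.users) >= min_users and s.attempts_per_user <= 1.5:
        return "credential_stuffing"  # one try per account: a breach list being replayed
    if len(s.users) == 1:
        return "single_account_brute_force"
    return "suspicious"


def detect(lines: list[str]) -> dict[str, str]:
    """Return only the sources worth an alert."""
    verdicts: dict[str, str] = {}
    for ip, s in aggregate(lines).items():
        verdict = classify(s)
        if verdict != "normal":
            verdicts[ip] = verdict
    return verdicts


def build_sample() -> list[str]:
    """Constructed log, not real traffic; IPs are from documentation ranges."""
    lines = []
    # Stuffing: one source replays 200 breached pairs and 2 succeed (1%).
    for i in range(200):
        result = "OK" if i in (17, 143) else "FAIL"
        lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z 203.0.113.5 user{i}@example.com {result}")
    # Office NAT: 40 different staff log in from one IP and nearly all succeed.
    for i in range(40):
        result = "FAIL" if i in (3, 22) else "OK"
        lines.append(f"2024-05-01T09:{i:02d}:00Z 198.51.100.10 staff{i}@example.com {result}")
    # Classic brute force: 60 guesses against one account from one host.
    for i in range(60):
        lines.append(f"2024-05-01T11:00:{i:02d}Z 203.0.113.77 bob@example.com FAIL")
    return lines


if __name__ == "__main__":
    for ip, verdict in detect(build_sample()).items():
        print(ip, verdict)
```

On the sample, 203.0.113.5 is flagged as credential stuffing, 203.0.113.77 as a brute force against one account, and the office NAT at 198.51.100.10 is left alone because its failure ratio is tiny. The attempts-per-user ratio is what separates stuffing from ordinary brute force: a replayed breach list touches each account about once, because the attacker already has the password and only needs to learn whether it was reused. The two successful logins in the stuffing run are the accounts to force a reset on and to review for fraud, which is the “promptly investigate and remediate” step above.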

For more details and alternative insights, you can refer to the OWASP credential stuffing prevention cheat sheet.

Parting thoughts

All in all, by adopting a defense-in-depth approach that combines both preventive controls and secrets management best practices, organizations can significantly reduce the risk of falling victim to credential stuffing attacks. But if it still sounds like a bit much, Entro can share some of the burden.

Imagine having a secret weapon that empowers you to effortlessly discover, secure, and manage all your secrets and non-human identities across your entire environment. That’s exactly what Entro brings to the table. With Entro, you can say goodbye to secrets-related risks and hello to a streamlined, secure, and compliant future.

Entro acts as your single source of truth, providing a comprehensive view of all your secrets and non-human identities, no matter where they reside. Click here to learn more and experience the power of effortless secrets management firsthand. Trust us, your secrets (and your sanity) will thank you.
