Credential Stuffing

What is Credential stuffing?

Credential stuffing occurs when cybercriminals take login details leaked from one data breach and try them across a smorgasbord of other platforms. Services, apps, and APIs (a.k.a. non-human identities) can also fall prey to this attack: if an app doesn’t rotate its secrets or uses weak access tokens, a leaked copy of those secrets keeps working, and attackers can walk right in.

Read on to find out how credential stuffing works and how to protect your company from it.

Who’s on the hit list?

Credential stuffing is an equal-opportunity menace. Anyone or anything that uses secrets to authenticate can be a target. In January 2023, Norton’s password manager service suffered a credential stuffing attack. Attackers used 925,000 active and inactive credential pairs, compromising around 6,450 customer accounts (0.7% of targeted accounts).

Here’s a short (but far from exhaustive) list:

  • Cloud services: That sweet access to APIs and cloud environments makes them prime targets.
  • Applications: Reused secrets among apps? That’s a jackpot for attackers.
  • APIs and microservices: Forgetting to rotate those API keys? You’re basically handing out party invitations to attackers.

How a credential stuffing attack works

A credential stuffing attack can just as well target non-human identities, like API keys or service accounts. The process mirrors the attack on regular user accounts, except that instead of human login details, automated systems replay leaked machine credentials in an attempt to gain unauthorized access to other machines or services.

Here’s how it works:

  1. Data leak: The attacker obtains a large set of API keys, service account tokens, or other authentication credentials from a breach or leak. These could come from previous security incidents in which non-human access credentials were exposed.
  2. Automated bots: The attacker uses automated tools or bots to try these credentials across different services or systems. These bots can test many combinations rapidly, looking for any valid access keys that might let them into services like cloud platforms, databases, or internal systems.
  3. Targeting multiple systems: Since non-human identities (like API keys) are often reused across different environments, the attacker tries them on as many services as possible. The attacker gains access if the credential works on any of those platforms.
  4. Login attempts: The bot sends these credentials to various APIs or systems. If the credentials are valid for any service, the attacker can gain control over that system or access its resources.
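The steps above describe what the pattern looks like from the attacker's side; on the defender's side it shows up in API gateway or auth logs as one source failing with many different keys in a short window, sometimes followed by a success once a leaked key is found to still work. The following detection routine is an added example and not code from the original article or from Entro; the log format, the fake `sk_live_…` keys and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing patterns against API keys in gateway logs.

Added example (not part of the original article or of Entro's product).
A stuffing bot tries many different leaked keys from one source in a short
time, most of which fail; a legitimate service presents one key repeatedly.
We therefore count distinct *failed* key fingerprints per source inside a
sliding window, and record any success that follows such a burst.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib

# Constructed sample log lines: "<ISO timestamp> <source> <service> <key> <result>".
# The keys are fake; a real gateway log should only carry a fingerprint/prefix.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 billing-api sk_live_aaaa401 FAIL
2024-05-01T10:00:01Z 198.51.100.7 billing-api sk_live_bbbb402 FAIL
2024-05-01T10:00:01Z 198.51.100.7 inventory-api sk_live_cccc403 FAIL
2024-05-01T10:00:02Z 198.51.100.7 inventory-api sk_live_dddd404 FAIL
2024-05-01T10:00:02Z 198.51.100.7 reports-api sk_live_eeee405 FAIL
2024-05-01T10:00:03Z 198.51.100.7 reports-api sk_live_ffff406 OK
2024-05-01T10:00:05Z 203.0.113.9 billing-api sk_live_9999zzz OK
2024-05-01T10:00:09Z 203.0.113.9 billing-api sk_live_9999zzz FAIL
2024-05-01T10:00:11Z 203.0.113.9 billing-api sk_live_9999zzz OK
"""

WINDOW = timedelta(seconds=60)     # assumed sliding window
DISTINCT_KEY_THRESHOLD = 5         # assumed: distinct failed keys per source per window


def fingerprint(key: str) -> str:
    """Never keep raw secrets in detection state; a short hash is enough to count."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def parse(line: str):
    ts, src, svc, key, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, svc, fingerprint(key), result


def detect_stuffing(log_text: str, window=WINDOW, threshold=DISTINCT_KEY_THRESHOLD):
    """Return {source: {"distinct_failed_keys": n, "services": {...}, "succeeded": [...]}}
    for every source that failed with >= threshold distinct keys inside one window.
    "succeeded" lists (service, key fingerprint) pairs that worked after the burst:
    those are the keys to rotate first."""
    recent = defaultdict(deque)   # source -> deque of (ts, fingerprint, service) failures
    alerts = {}
    for line in log_text.splitlines():
        ts, src, svc, fp, result = parse(line)
        if result == "OK":
            if src in alerts:
                alerts[src]["succeeded"].append((svc, fp))
            continue
        q = recent[src]
        q.append((ts, fp, svc))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        distinct = {f for _, f, _ in q}
        if len(distinct) >= threshold:
            a = alerts.setdefault(src, {"distinct_failed_keys": 0, "services": set(), "succeeded": []})
            a["distinct_failed_keys"] = max(a["distinct_failed_keys"], len(distinct))
            a["services"] |= {s for _, _, s in q}
    return alerts


if __name__ == "__main__":
    for src, a in detect_stuffing(SAMPLE_LOG).items():
        print(src, a)
```

The second source in the sample (one key, an occasional failure, a success) never trips the rule, which is what you want: a single misconfigured client retrying is not stuffing. Counting distinct fingerprints rather than raw failures is the design choice that separates the two.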

How secrets management can protect NHIs

Secrets management protects non-human identities (NHIs), like API keys and service account tokens, from credential stuffing attacks. These attacks target NHIs because they can provide access to important systems and services.

Here’s how secrets management can help:

  1. Access control: Secrets management enforces strict access rules, ensuring only authorized systems or users can access certain NHIs.
  2. Least privilege access: Each NHI is granted only the minimum permissions it needs to function. This limits the damage attackers can do if they use a compromised credential.
  3. Discovery matters: You can’t secure what you can’t find. An effective NHI management system scans your environment to find all access tokens, encryption keys, and API keys.
  4. Metadata enrichment: Knowing a secret’s context—such as age, permissions, and usage patterns—lets you make smarter security decisions.
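To show how the metadata from points 3 and 4 turns into concrete decisions that blunt a stuffing attack, here is an added example policy check; it is not code from the original article or from Entro's product. It assumes a discovery step has already produced an inventory of non-human credentials carrying age, last-use time, granted versus exercised permissions, and the environments where the same credential value was found; the record layout, the rotation and staleness limits, and the sample inventory are all constructed.

```python
"""Turn secret metadata into rotation and least-privilege decisions.

Added example, not the article's or Entro's code. Each check maps to a
point in the article: a key reused across environments is what makes
credential stuffing pay off; an old or unused key widens the window in
which a leaked copy still works; permissions never exercised are damage
an attacker could do with the key for no operational benefit.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class SecretRecord:
    secret_id: str                 # inventory id, never the secret value itself
    kind: str                      # "api_key", "service_account_token", ...
    created: datetime
    last_used: Optional[datetime]  # None if no use was ever observed
    granted: Set[str]              # permissions the credential carries
    used: Set[str]                 # permissions actually exercised (from audit logs)
    environments: Set[str]         # where the same credential value was found


MAX_AGE = timedelta(days=90)       # assumed rotation limit
STALE_AFTER = timedelta(days=30)   # assumed: unused this long -> revoke candidate


def evaluate(record: SecretRecord, now: datetime):
    """Return a list of (finding, detail) tuples for one secret."""
    findings = []
    if len(record.environments) > 1:
        findings.append(("REUSED_ACROSS_ENVIRONMENTS", sorted(record.environments)))
    if now - record.created > MAX_AGE:
        findings.append(("ROTATION_OVERDUE", (now - record.created).days))
    if record.last_used is None or now - record.last_used > STALE_AFTER:
        findings.append(("UNUSED_REVOKE_CANDIDATE", record.last_used))
    excess = record.granted - record.used
    if excess:
        findings.append(("EXCESS_PERMISSIONS", sorted(excess)))
    return findings


def evaluate_inventory(records, now: datetime):
    return {r.secret_id: evaluate(r, now) for r in records}


# Constructed sample inventory.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    SecretRecord("key-0001", "api_key", NOW - timedelta(days=400), NOW - timedelta(days=1),
                 {"read", "write", "admin"}, {"read"}, {"prod", "staging", "ci"}),
    SecretRecord("sa-0002", "service_account_token", NOW - timedelta(days=10), NOW - timedelta(days=2),
                 {"read"}, {"read"}, {"prod"}),
    SecretRecord("key-0003", "api_key", NOW - timedelta(days=45), None,
                 {"read", "write"}, set(), {"staging"}),
]

if __name__ == "__main__":
    for sid, findings in evaluate_inventory(INVENTORY, NOW).items():
        print(sid, findings or "OK")
```

In the sample, `key-0001` is the textbook stuffing liability: the same value lives in three environments, it is over a year old, and it carries `admin` and `write` that nothing ever used, so a leaked copy works everywhere with far more reach than it needs. `sa-0002` comes back clean, and `key-0003` has never been used at all, which makes revocation rather than rotation the right call.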

Keeping secrets safe with Entro

With attacks like credential stuffing targeting API keys, service accounts, and other machine identities, it’s essential to have a strong solution to protect these valuable assets.

Entro makes managing and securing your NHIs simple. With features like secure storage, automatic key rotation, and tight access controls, Entro ensures your NHIs stay protected from unauthorized access. It helps you discover, monitor, and manage all your non-human identities, reducing risk and keeping your systems secure.
