
What Is Credential Stuffing and How Do You Prevent It?
In their effort to protect their customers from a range of modern threats, managed services providers (MSPs) may encounter a strategy known as credential stuffing. This hacking technique involves rapidly inserting large numbers of usernames and passwords—often collected from corporate data breaches—into the login fields of other sites and digital services.
While the success rates for credential stuffing may seem low on paper (RSA reports they average between 0.5 and 3%), the technique depends on hackers having access to massive volumes of credentials, which may include credit card numbers, data that could be exploited as part of a phishing scheme, and other forms of profitable data. Even if only a few credentials provide access to other accounts, the effort is often worthwhile for hackers. According to the FBI, credential stuffing has even been responsible for a large number of recent hacks carried out against banks and other financial institutions.
Credential stuffing has been used successfully by hackers throughout the past decade, as massive data breaches from popular sites like Dropbox, LinkedIn, MySpace, and others have provided hackers with millions of username and password combinations. The increased success of these hacking campaigns in recent years is due in large part to what are known as Collections 1-5, which are massive troves of login credentials aggregated from multiple data breaches and thousands of sources. These are available in plaintext via torrent and are used by enterprising hackers to push their way into vulnerable accounts. Collection 1 alone contains 772.9 million unique email addresses and 21.2 million unique passwords.
The findings of a recent study demonstrate why credential stuffing is so effective: 53% of the population uses the same password for multiple accounts. Almost two-thirds of that 53% use the same password for 3 to 7 accounts, and 10% use it for 10 or more accounts. To top it all off, a disappointing 44% of survey respondents admit to using their personal passwords for their work-related accounts. This password re-use (especially across corporate and personal accounts) presents a huge security risk for MSPs and their customers.
The role of automation in credential stuffing attacks
Manually entering millions of username and password combinations is both time-consuming and error-prone, which is why hackers leverage the advantages of automation to make credential stuffing effective.
One potential hurdle for attackers is that the vast majority of web services and applications include baked-in rate-limiting protections and deliberate time delays, and they will often ban IP addresses after a certain number of failed login attempts. These security measures help prevent credential stuffing campaigns from making an anomalously high number of login attempts from specific devices.
However, advances in credential stuffing software may allow hackers to sidestep these security features. For example, botnets and proxy lists are often used to mask the attack. These bounce login requests across web servers, making it seem as though the hacking attempts are actually coming from multiple distinct IP addresses and devices—allowing hackers to slip through undetected. Botnets and proxy lists are also capable of tricking sites and web applications into registering the login requests as originating from different browsers rather than a single browser type, which many web services would flag as suspicious otherwise.
The goal of these tools is to mimic and blend in with a site’s usual login traffic—and they’re highly effective. Adopting security safeguards like multifactor authentication can help combat some of these issues, but advances in surveillance technologies have highlighted how singular countermeasures often fall short on their own.
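The gap between per-IP limits and distributed login traffic can be seen in a short detection sketch. This is an added example, not code from the original article or from any N-able product; the thresholds, event layout, and sample log are assumptions constructed for illustration. It counts failures per source IP the way a simple rate limiter would, then looks at each time window as a whole for many accounts that fail and never recover.

```python
from collections import Counter, defaultdict

PER_IP_FAIL_LIMIT = 5   # assumed per-IP lockout threshold
WINDOW_SECONDS = 300    # assumed analysis window
MIN_FAILED_USERS = 20   # assumed: unrecovered accounts per window to alert

def make_sample_events():
    """Constructed data: (epoch_seconds, source_ip, username, success)."""
    events = []
    # Distributed run: 60 usernames spread over 30 proxy IPs, one hit.
    for i in range(60):
        ip = f"198.51.100.{i % 30 + 1}"
        events.append((900 + i * 4, ip, f"user{i}@example.com", i == 17))
    # Normal traffic: five users mistype once, then log in.
    for i in range(5):
        ip, user = f"203.0.113.{i + 1}", f"staff{i}@example.com"
        events += [(910 + i * 50, ip, user, False),
                   (920 + i * 50, ip, user, True)]
    return sorted(events)

def per_ip_offenders(events):
    """What a per-IP limiter sees: IPs above the failure limit."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n > PER_IP_FAIL_LIMIT)

def stuffing_windows(events):
    """Flag windows where many accounts fail and never recover."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // WINDOW_SECONDS].append((ip, user, ok))
    flagged = []
    for win, rows in sorted(buckets.items()):
        succeeded = {user for _, user, ok in rows if ok}
        failed_by_ip = defaultdict(set)
        for ip, user, ok in rows:
            if not ok and user not in succeeded:
                failed_by_ip[ip].add(user)
        unrecovered = set().union(*failed_by_ip.values())
        if len(unrecovered) < MIN_FAILED_USERS:
            continue
        # A success from an IP that failed against other accounts.
        review = sorted(user for ip, user, ok in rows
                        if ok and failed_by_ip.get(ip, set()) - {user})
        flagged.append({"window": win, "accounts": len(unrecovered),
                        "source_ips": len(failed_by_ip), "review": review})
    return flagged

if __name__ == "__main__":
    sample = make_sample_events()
    print(per_ip_offenders(sample), stuffing_windows(sample))
```

On the constructed log no single IP crosses the per-IP limit, yet the window is flagged, and the one successful login that came from an address which also failed against another account is listed for review.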
How MSPs Can Help to Prevent Credential Stuffing
The best and simplest way to protect against credential stuffing attacks is to ensure that each end user has a unique password for each of their accounts. However, this approach can be difficult to fully implement and enforce without a network password manager or credential management system that requires end users to create unique passwords. This is where MSPs can play a significant role in establishing and maintaining password security best practices for their customers.
Password managers not only allow end users to easily create unique passwords for their accounts, they also act as secure password repositories, meaning passwords can be incredibly complex because users don’t actually have to commit them to memory. Many password managers also include functionality to help users routinely update passwords to prevent them from going stale, and some will even alert users if any of their credentials appear in new public data dumps and automatically trigger password resets.
Additionally, built-in multifactor authentication adds another layer of security in the event that hackers do acquire passwords. While multi-factor authentication on its own is insufficient protection, it is a critical part of hardening the security of password managers. If a credential stuffing attack lands a successful result, an additional form of identity validation through a token or SMS can help prevent unauthorized access.
The combination of a password management system with multi-factor authentication should prevent the vast majority of credential stuffing attacks from being successful. Still, on the off chance an attack does land, or if a customer has been the victim of fraudulent activity in the past, there are a couple of additional strategies that can help prevent a future breach. MSPs can help customer companies adopt a number of new methods to help shore up their security countermeasures—without interfering with or denying access to legitimate site activity.
One such technique is to identify which credentials have resulted in fraudulent activity, and blocklist the IP address connected with the login request. If this practice is maintained over time, it can wear down the efficacy of botnet- and proxy list-based attacks. Likewise, if your customers’ users or clients are in specific geographic localities, setting up geofences can help to block traffic from proxy servers outside the usual regions. While these strategies will not necessarily block credential stuffing attempts, they will make such attacks more difficult and expensive to carry out, thereby helping to keep your customers’ services and computing environments free of fraudulent activity and potential data breaches.
Keeping your customers protected
Credential stuffing is incredibly difficult to stop and isn’t likely to go away anytime soon. MSPs need to provide customers with a multi-faceted approach to maintaining password integrity.
A powerful credential system like N-able™ Passportal™ provides your customers with industry standard encryption, intuitive password generation and storage, and even offers end users a seamless way to manage both their private and professional passwords from the same console. Passportal helps create strong and unique passwords, while also making it simple to audit end user compliance and track specific credentials.
Furthermore, while most credential stuffing attempts use credentials culled from large corporate data breaches, they are also increasingly being used in tandem with spear phishing attacks, which some reports show are responsible for more than 90% of successful cybercrimes. Providing customers with cybersecurity awareness training and robust email filtering solutions is therefore also key to maximizing security. Utilizing an encrypted documentation and credential management tool like N-able Passportal, along with a number of other tools in an integrated ecosystem, will help MSPs prevent credential stuffing and other forms of password-oriented cyberattacks.