Credential stuffing attacks on the rise: everything you need to know

One malicious tactic that continues to haunt organisations and target employees is the credential stuffing attack. As SRIs (Senior Responsible Individual), DPOs and CISOs, it is crucial to educate and empower your employees to recognise and respond effectively to these threats.

The 2023 Verizon Data Breach Investigations Report (DBIR) states that 83% of breaches were perpetrated by external actors. And of these breaches, 49% involved the use of stolen credentials. In fact, a Digital Shadows report states that there are more than 15 billion stolen credentials circulating on the internet.

In this comprehensive guide, we will delve into the intricacies of credential stuffing attacks, their potential impact, and actionable steps to bolster your defence.

What are credential stuffing attacks?

Credential stuffing is a type of cyber-attack where attackers exploit the tendency of users and employees to reuse the same usernames and passwords across multiple online services. Hackers acquire lists of compromised credentials from previous data breaches or the dark web and then automate the process of trying these credentials across various websites and applications. Dark web markets like the Genesis Market have been shown to be selling digital fingerprints that include compromised usernames, passwords and even fingerprints.

The goal is to gain unauthorised access to user accounts, leading to data breaches, identity theft, and financial losses.

Okta’s 2022 State of Secure Identity Report reveals that credential stuffing attacks boomed in 2022; the identity and access management firm recorded over 10 billion credential stuffing events on its platform in the first 90 days of 2022. This is roughly 34% of the overall authentication traffic, meaning that one-third of all attempts are malicious and fraudulent.

Who is targeted by credential stuffing attacks?

When examined from a geographical perspective, the worst cases are Southeast Asia and the United States, where credential stuffing traffic consistently dwarfed normal login attempts. All industries are targeted by credential stuffing attacks, but some are more susceptible. The most targeted industries are:

• Retail
• Healthcare
• Entertainment
• eCommerce
• Education
• Energy
• Financial services
• Software
• SaaS (Security as a Service)

The financial sector is particularly targeted when it comes to credential stuffing attacks. In 2020, even the FBI issued a warning to financial organisations after seeing a spike in credential stuffing attacks against them; with 41% of all financial sector attacks between 2017 and 2020 due to credential stuffing attacks. According to Security Intelligence, in 2020 alone, the financial services sector suffered $3.4 billion in losses due to such attacks.

However, if you operate in another industry, do not get complacent. The Security and Exchange Commission (SEC) states that overall credential stuffing attacks are on the rise and blame large credential lists like the Pemiblanc list which contains more than 111 million records and available on most hacker forums.

Examples of credential stuffing attacks

• Norton, January 2023: A recent but impactful credential stuffing attack involved Norton Lifelock Password Manager. Despite being a big name in the cyber security space, at the start of 2023, Norton was hit but a brute force credential stuffing attack that saw threat actors using stolen credentials to log into customer accounts and access their data. Over 925,000 people were targeted. In the end, Norton had to notify over 6,500 customers that their data had been compromised.
• Zoom, April 2020: After threat actors attempted to login into Zoom using accounts leaked in older data breaches, they compiled a list of credentials that worked. In the end, over 500,000 Zoom accounts were compromised and were then sold on the dark web and hacker forums for as little as a penny each and, in some cases, were actually being given away for free. The threat actors that bought these credentials then used them for Zoom-bombing pranks (gate crashing Zoom calls) and other malicious identity theft attacks.
• Nintendo, April 2020: The Japanese gaming and entertainment giant Nintendo announced that 160,000 accounts had been attacks via a credential stuffing attack. Threat actors used exposed user IDs and passwords they obtained through nefarious means to gain access to user accounts. Once in, they purchased digital items using stored cards and obtained sensitive data including names, email addresses, date of births, genders and more.
• Dunkin’ Donuts, February 2019: After an initial credential stuffing attack in November 2018, Dunkin’ Donuts was hit by a second, larger, credential stuffing attack in early 2019. Hackers used user credentials leakers on other sites to gain access to the Dunkin’ Donuts perks and rewards account system, which allows customers to earn points and get free beverages or discounts. Through this, they gained data packets including usernames, addresses, Dunkin’ Donuts account number and more. Hackers then sold this data on dark web forums.

The anatomy of a credential stuffing attack

Credential stuffing attacks are a form of digital invasion with hackers attempting thousands of logins in seconds. There are four steps to every credential stuffing attack:

1. Acquisition of compromised credentials: Threat actors obtain lists of usernames and passwords from previous data breaches or through underground markets. Often hackers find these lists on dark web forums or as a by-product of a previous cyber-attack. www.HaveIBeenPwned.com has tracked over 8.5 billion compromised credentials from over 400 data breaches.
2. Automation: Using specialised software, attackers automate the process of trying these credentials on various websites and login portals. This automation allows for thousands of login attempts in a matter of seconds, almost like an overwhelming brute force attack.
3. Account takeover: If a matched username and password combination is found, the attacker gains unauthorised access to the victim's account. After this, they can potentially sign out the true user from all devices and take complete control of the account.
4. Exploitation: Once the account has been taken over, hackers will exploit the compromised account for various purposes, including unauthorised transactions, identity theft, data theft, and spreading malware.

The Impact of credential stuffing attacks

The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing due to reasons such as application downtime, lost customers, increased IT costs and more. Credential stuffing attacks can have severe consequences for both individuals and organisations:

• Data breaches: Successful attacks lead to unauthorised access to sensitive information, compromising user and company data and potentially violating data protection regulations. According to IBM, the average cost of a data breach in 2022 was $4.35 million.
• Compromised accounts: If a threat actor gains access to an authorised account with considerable influence, they will not only install spyware but also impersonate said account to send further span and launch even more devastating phishing attacks against more targets.
• Financial losses: Hackers may exploit compromised accounts for fraudulent transactions, leading to financial losses for both users and organisations. Furthermore, depending on the permissions present on the compromised account, the ramifications could also fall at the feet of third-party collaborators and even clients and customers. The Hacker News states that the median cost of a business email compromise attack rose to $50,000 in 2023 making credential stuffing attacks a very lucrative option for threat actors; the ‘return on investment’ for hackers here is massive.
• Reputation damage: A data breach resulting from credential stuffing can tarnish an organisation's reputation, eroding trust among customers and stakeholders.
• Business disruption: Once an account has been taken over, the threat actor could block out employees from vital applications and networks and disrupt short-term and long-term business activities such as email communication, banking, and operating procedures.
• Pricey ransoms: If threat actors use credential stuffing attacks to target critical infrastructure organisations, they could hold the system back for ransom. And, as we see an increase in state-sponsored attacks on vital governmental organisations, the possibility of this type of attack taking place increases.
• Legal and regulatory consequences: Organisations may face legal and regulatory consequences for failing to protect user data adequately. Organisations operating in the EU are beholden to GDPR (General Data Protection Regulation) protocols and UK organisations also have new Data Protection regulations they must meet. Credential stuffing attacks can trip organisations into a regulatory nightmare and can lead to significant financial penalties; they must be taken seriously.

Empowering your workforce with behavioural insights

As behavioural specialists supporting organisations in this space for over 20 years, we know leveraging behavioural insights can significantly enhance your efforts to educate employees about credential stuffing attacks. But what does that look like?

• The Protection Motivation Theory suggests that individuals are more likely to engage in protective behaviours if they perceive the threat as severe and themselves as vulnerable. Educate your employees about the potential consequences of credential stuffing attacks to increase their motivation to adopt secure practices. But … do not fall into the mistake of positioning all your employees with the same training and awareness materials. To take true advantage of this behavioural model, your training needs to be either role-based so the employee can see a direct causal link between their role and the cyber threat or bespoke so that it has been designed to target specific unsafe behaviours you have spotted in your organisation.
• The Social Influence Theory asserts that people conform to social norms and behaviours exhibited by their peers. Employees are more likely to comply with security measures when they see others doing the same. For example, highlighting stories of individuals who fell victim to credential stuffing attacks and emphasising security-conscious behaviours can establish positive social norms within your organisation. You can maximise the potential of this behavioural theory by combining it with security champions and leadership buy-in; your employees will be even more likely to adopt new behaviours and act accordingly if they see senior members or respected members of their team practicing said behaviours. Often the tools we need to spread the behaviours we want are already in our workforce, we just need to take advantage of them.
• The Operant Conditioning Theory states that behaviour is influenced by its consequences. Implement a reward system for employees who consistently practice good security habits and a knowledge refreshment protocol for employees that are seen to make mistakes in cyber security or are repeat offenders. Recognition reinforces good habits and constructive criticism stamps out bad habits. Publicly acknowledging your employees’ efforts can create a sense of achievement and motivate others to follow suit. Consider employing a cyber security champion programme which will not only foster a competitive approach that builds towards strength in numbers but also pulls those lagging up to a consistent baseline of behaviours through sheer influence.

How to safeguard against credential stuffing attacks

As credential stuffing attacks increase 45% year-on-year, according to Security Intelligence, organisations and their security teams must take the threat seriously or risk increasing the threat level for their employees.

1. Password security: Educate employees about the importance of using complex, unique passwords for each online account. Encourage the use of password managers to facilitate secure password management. Both these points sound simple, but you would be surprised how many employees still use not only the same password across multiple business accounts but also how common said passwords are. A Google survey reveals that 65% of people still rely on the same password for multiple accounts, meaning the chance of cracking multiple accounts via one vulnerability is increased. Furthermore, Imperva data shows that about 0.1% of breached credentials attempted on another service will result in a successful login. Make users consistently refresh passwords by setting a maximum password age and complexity requirements.
2. Multi-factor authentication (MFA): An added extra layer of security is only going to come with benefits. MFA adds an additional layer of protection by requiring users to provide multiple forms of verification before accessing an account. Encourage employees to enable MFA for all accounts that support it. This will safeguard against employees that have had their credentials compromised but are still in possession of their main authenticating device. In fact, Microsoft states that your account is actually more than 99.9% less likely to be compromised if you implement MFA.
3. Regular security training and awareness materials: Knowledge is power. Offer regular security training sessions to keep employees informed about the latest threats and best practices regarding credential stuffing attacks, password security, MFA, identity management and digital footprint security. Utilise interactive methods, such as simulated exercises, gamified learning and pop-up physical awareness materials in an office setting to enhance engagement, knowledge refreshment and retention.
4. An awareness partner: Cyber threats and risks will not stop evolving. Unfortunately, depending on the size of your organisation, its’ priorities and budget, it may not necessarily be possible to run a comprehensive awareness campaign all on your own. It is, therefore, beneficial to work with a tried and tested cyber security training and awareness partner who is versed in operating as an extension of internal security teams. For example, when you work with TSC, we have project managers, behavioural specialists and eLearning developers who are constantly assessing the threat landscape, targeting risks, and emerging threats with new, engaging eLearning courses and materials. You must stay one step ahead or threat actors will position themselves, wait and pounce when you are most vulnerable.
5. Hone your incident reporting protocols: Establish clear reporting channels for employees to promptly report suspicious activities or potential security breaches. Encourage a culture of reporting without fear of repercussions. Many cyber breaches occur when employees do not know how to report incidents or are unsure of how to report incidents. You must make this a frictionless mechanism; to do this the security team must collaborate with all departments and have an open communication channel with your whole organisation.

Conclusion

Okta’s 2022 State of Secure Identity report states they detected almost 300 million credential stuffing attempts per day in 2022.

Credential stuffing attacks pose a significant threat to organisations and individuals alike. As DPOs, CISOs, SRIs, and security decision makers, your role in educating and empowering your employees is paramount. By leveraging behavioural insights and implementing strong security practices, you can build a robust defence against these malicious attacks. Remember, a well-informed and security-conscious workforce is your first line of defence in the ongoing battle against cyber threats.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your organisation and how we help educate employees on credential stuffing, data protection and GDPR ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.