Credential stuffing is a form of cyberattack where attackers use automated scripts to try a large number of username and password combinations (usually obtained from previous breaches) on multiple websites, hoping that individuals have reused their credentials. While this attack method is not sophisticated, its simplicity and effectiveness make it a go-to strategy for attackers.
Nowadays there are many sources of these leaked credentials, but Brackish generally uses Dehashed.
Recently there have been numerous public credential stuffing incidents; the most prominent, which happened just the other day, is the 23andMe incident. Another infamous incident hit Zoom users during the COVID-19 pandemic: Zoom experienced a credential stuffing attack that led to unauthorized access to numerous accounts. Given the sudden increase in Zoom’s user base, many users were unfamiliar with security best practices, making them easy targets.
You’re likely familiar with MFA’s effectiveness against a range of attacks. Implementing MFA can add an extra layer of security, making it difficult for attackers to gain unauthorized access, even if they have the correct username and password.
Incorporating CAPTCHA can prevent bots from executing automated login requests. However, be aware that CAPTCHAs are not entirely foolproof; they can be bypassed using machine learning algorithms.
Continuous monitoring of credentials against known compromised databases can alert users in real time if their credentials have been part of a breach. This is often done by integrating a service such as Have I Been Pwned’s API.
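As an added example (not Brackish’s code), here is how a password check against Have I Been Pwned’s Pwned Passwords range API looks in practice. The service uses a k-anonymity model: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every hash suffix it knows with that prefix, and the match is made locally. The network call is kept separate from the parsing so the logic can run offline; the sample response body below is constructed, apart from the genuine SHA-1 tail of the word "password".

```python
import hashlib
import urllib.request

# Added example (not Brackish's code): checking a password against the
# Have I Been Pwned "Pwned Passwords" range API, which uses a k-anonymity
# model. Only the first five hex characters of the password's SHA-1 hash are
# sent; the service returns every suffix it knows with that prefix and the
# comparison happens locally, so the full hash never leaves the client.

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-character prefix
    that is sent to the API and the 35-character suffix matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns.
    Padded responses include filler suffixes with a count of 0; drop them."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus, given the range
    response already fetched for its prefix (0 if it is not present)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Network fetch of one range. Add-Padding asks the service to pad the
    response so its size does not hint at which suffixes are real."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> bool:
    """Online check that combines the pieces above."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


# Constructed stand-in for the response to /range/5BAA6. The first suffix
# is the genuine SHA-1 tail of "password"; its count and the other two lines
# are made up (an unrelated suffix and a padded 0-count filler line).
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2A1C6B7D3E5F4A9B8C7D6E5F4A3B2C1D0:2
00000000000000000000000000000000000:0
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_5BAA6))
```

The same hash-prefix approach is what you would wire into a registration or password-change form: hash client-side or server-side, call `fetch_range`, and reject (or warn on) any password with a non-zero count.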
Implement rate limiting on login and API endpoints. This can slow down or block automated attacks, but the thresholds need to be balanced so as not to affect the user experience.
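To make the balancing act concrete, here is an added example (not Brackish’s code) of a sliding-window limiter applied to a login endpoint on two keys at once: the source IP, which catches one bot working through a list, and the target account, which catches a distributed run where many addresses each try one account a few times. The limits and windows are illustrative placeholders, and the clock is injectable so the behaviour can be reproduced deterministically.

```python
import time
from collections import deque

# Added example (not Brackish's code): a sliding-window rate limiter for a
# login endpoint, applied to two keys at once: the source IP (catches one
# bot working through a credential list) and the target account (catches a
# distributed run where many addresses each try one account a few times).
# The limits and window lengths are illustrative and would be tuned per
# application; the clock is injectable so the behaviour can be tested.


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events: dict[str, deque] = {}

    def _prune(self, key: str, now: float) -> deque:
        """Drop timestamps that have aged out of the window for this key."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key: str) -> bool:
        """Record one attempt for key; return False once the window is full.
        Refused attempts are not recorded, so a blocked client is not locked
        out for longer simply by continuing to retry."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest recorded attempt leaves the window."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


class LoginGate:
    """Per-IP limit (broad) plus a stricter per-account limit."""

    def __init__(self, clock=time.monotonic):
        self.by_ip = SlidingWindowLimiter(limit=20, window_seconds=60, clock=clock)
        self.by_account = SlidingWindowLimiter(limit=5, window_seconds=300, clock=clock)

    def check(self, ip: str, username: str) -> tuple[bool, str]:
        # Evaluate both limiters so the attempt is counted against each key,
        # regardless of which one ends up refusing it.
        ip_ok = self.by_ip.allow(f"ip:{ip}")
        acct_ok = self.by_account.allow(f"acct:{username.lower()}")
        if not ip_ok:
            return False, "ip_rate_limited"
        if not acct_ok:
            return False, "account_rate_limited"
        return True, "ok"


class FakeClock:
    """Manually advanced clock, so the demo and tests are deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    gate = LoginGate(clock=clock)
    for i in range(6):  # the sixth attempt on one account within 5 minutes is refused
        print(i + 1, gate.check("203.0.113.5", "alice"))
    print("retry after", gate.by_account.retry_after("acct:alice"), "s")
    clock.advance(300)
    print("after 5 min", gate.check("203.0.113.5", "alice"))
```

The per-account window is the one that needs the most care: set it too tight and a user who mistypes a few times gets locked out, which is exactly the user-experience cost the text warns about; `retry_after` gives you the value to put in a `Retry-After` header so legitimate clients know when to come back.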
Analyzing user behavior, such as mouse movements and keystrokes, can distinguish a human from a bot. However, this comes at the cost of increased complexity and potential false positives.
Machine learning algorithms can be trained to recognize normal user behavior, thereby flagging any anomalous activity, such as rapid, sequential login attempts from multiple IP addresses.
Routine log analysis can reveal suspicious activities such as multiple failed login attempts or login attempts from unusual geographic locations. SIEM solutions can help in automating this process.
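Here is an added example (not Brackish’s code) of what the log-analysis step and the anomaly rule from the previous paragraph look like as a small detector. It parses application login records and flags two patterns: one address making rapid failed attempts against many different accounts, and one account being hit from many different addresses. The log format, thresholds and sample lines are all constructed for the example; a SIEM rule would use the application’s own field names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not Brackish's code): a small detector run over application
# login logs for two patterns: one address making rapid failed attempts
# against many different accounts (one bot working through a credential
# list) and one account being hit from many different addresses (a
# distributed run). The log format, thresholds and sample lines are
# constructed for this example.

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>success|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"].lower(), m["ip"]


def stuffing_window(events, window_seconds, min_failures, min_users):
    """Slide a time window over (timestamp, user) failures sorted by time.
    Return (failures, distinct_users) for the busiest window that meets both
    thresholds, or None if no window does."""
    best = None
    active = defaultdict(int)  # user -> failures inside the current window
    start = 0
    for end, (t_end, user) in enumerate(events):
        active[user] += 1
        while (t_end - events[start][0]).total_seconds() > window_seconds:
            old_user = events[start][1]
            active[old_user] -= 1
            if active[old_user] == 0:
                del active[old_user]
            start += 1
        failures, users = end - start + 1, len(active)
        if failures >= min_failures and users >= min_users:
            if best is None or failures > best[0]:
                best = (failures, users)
    return best


def analyze(lines, window_seconds=60, min_failures=8, min_users=6, min_ips=4):
    """Group failed logins by source and by target, then apply both rules."""
    fails_by_ip = defaultdict(list)
    ips_by_user = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "fail":
            continue
        ts, _, user, ip = parsed
        fails_by_ip[ip].append((ts, user))
        ips_by_user[user].add(ip)

    findings = []
    for ip, events in fails_by_ip.items():
        events.sort()
        hit = stuffing_window(events, window_seconds, min_failures, min_users)
        if hit:
            findings.append({"type": "stuffing_source", "ip": ip,
                             "failures": hit[0], "distinct_users": hit[1]})
    for user, ips in ips_by_user.items():
        if len(ips) >= min_ips:
            findings.append({"type": "distributed_target", "user": user,
                             "distinct_ips": len(ips)})
    return findings


# Constructed sample: two ordinary users (bob mistypes once), one address
# trying ten different accounts in twenty seconds, one account probed from
# four addresses, and a line the parser should ignore.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z login result=success user=alice ip=198.51.100.7",
    "2024-05-01T10:00:05Z login result=fail user=bob ip=198.51.100.9",
    "2024-05-01T10:00:20Z login result=success user=bob ip=198.51.100.9",
    *[f"2024-05-01T10:01:{2 * i:02d}Z login result=fail user=user{i:02d} ip=203.0.113.5"
      for i in range(10)],
    "2024-05-01T10:05:00Z login result=fail user=carol ip=192.0.2.11",
    "2024-05-01T10:05:30Z login result=fail user=carol ip=192.0.2.12",
    "2024-05-01T10:06:00Z login result=fail user=carol ip=192.0.2.13",
    "2024-05-01T10:06:30Z login result=fail user=carol ip=192.0.2.14",
    "this line is not a login record",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The distinguishing feature of the first rule is the distinct-user count: a brute-force attempt hammers one account, whereas credential stuffing tries each account once or twice and moves on, so "many failures, many usernames, short window" is the signature worth alerting on. The second rule is the complement and catches attackers who spread a single list across a proxy pool to stay under per-IP limits.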
Planting fake credentials (honeytokens) within your databases can act as bait. Any attempt to use these credentials can trigger immediate alerts.
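As an added example (not Brackish’s code), the following login routine shows how planted honeytoken accounts fit into an authentication flow. The bait rows live in the same user store as real accounts so a dumped copy cannot tell them apart, but they are flagged internally, can never log in, and any use of them raises an alert. A username-only hit suggests someone is working from a list that includes the planted name; a full username-and-password match means the attacker holds this store’s contents, which points at a leak of the database itself. The usernames, passwords and alert sink are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (not Brackish's code): a login routine with planted honeytoken
# accounts. They sit in the same user store as real accounts, are flagged
# internally, can never log in, and any use of them raises an alert. A
# username-only hit is logged at high severity; a username-and-password match
# (which could only come from this store's own data) is logged as critical.
# Usernames, passwords and the alert sink are constructed for the example.

PBKDF2_ITERATIONS = 100_000
HONEY_PASSWORD = "Qz8#vLm2pRw!7tKd"  # constructed; never issued to anyone


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, honeytoken: bool = False) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "honeytoken": honeytoken}


# Constructed user store: one real account and one bait account whose name
# is chosen to look like a plausible, long-forgotten service account.
USERS = {u["username"]: u for u in (
    make_user("alice", "alice-real-password"),
    make_user("svc-backup-2019", HONEY_PASSWORD, honeytoken=True),
)}

# Salt used when the username is unknown, so the hashing cost is paid either
# way and response time does not reveal whether a name exists.
_DUMMY_SALT = os.urandom(16)


def authenticate(store: dict, username: str, password: str, alerts: list) -> str:
    """Return 'success', 'invalid', 'honeytoken_username' or
    'honeytoken_credentials'. Honeytoken outcomes also append an alert."""
    user = store.get(username.lower())
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else b"\x00" * 32
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)

    if user and user["honeytoken"]:
        severity = "critical" if password_ok else "high"
        alerts.append({"severity": severity, "username": username,
                       "credential_match": password_ok})
        return "honeytoken_credentials" if password_ok else "honeytoken_username"
    return "success" if user and password_ok else "invalid"


if __name__ == "__main__":
    alert_log = []
    print(authenticate(USERS, "alice", "alice-real-password", alert_log))
    print(authenticate(USERS, "svc-backup-2019", "anything", alert_log))
    print(alert_log)
```

Two details matter in practice: the bait account must be indistinguishable from real rows to anyone reading the table (same schema, same hash format, a believable name), and the response the attacker sees must be the ordinary failure message, so the alert fires without telling them they tripped it.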
Credential stuffing is a pervasive threat that exploits the common but risky practice of password reuse. While no strategy can offer 100% security, implementing a layered approach that combines preventive measures with real-time detection techniques can significantly mitigate the risk.
As always, reach out to us if you have any questions!