Credential Stuffing: Why Businesses Must Act in 2022

The New York Attorney General Letitia James kicked off the year with a wake-up call for local businesses. Her office contacted 17 well-known brands to inform them that over a million customers had been compromised by credential stuffing attacks. Most were unaware they’d even been hit.  

Among the long list of cyber threats to organizations, only a few have the ability to grab the attention of business leaders. The financial and reputational impacts of ransomware, phishing, data breaches and DDoS are well publicized and broadly understood. Credential stuffing, less so. It’s often positioned as a problem associated with customers rather than corporate cybersecurity. That’s a mistake. 

Credential stuffing is a type of "brute force" password attack, made possible because many of us reuse the same credentials across multiple accounts.

Anything which could lead to customer data loss and fraud is ultimately a problem which needs to be addressed by security teams. And there’s plenty that organizations can do to mitigate the impact of credential stuffing. 

What is credential stuffing and why is it dangerous?

Let’s go back to basics. Credential stuffing is a type of “brute force” password attack, made possible because many of us reuse the same credentials across multiple accounts. Threat actors take advantage of large troves of breached username/password combinations available on cybercrime sites. They feed them into automated software which then tries these combos across numerous sites and accounts across the internet, hoping to find a match. Because of the large numbers involved—sometimes hundreds of millions of credentials—they only need to get lucky a relatively small number of times to generate acceptable ROI. Which they do.

Threat actors take advantage of large troves of breached username/password combinations available on cybercrime sites.

The attacks that unlocked 1.1 million customer accounts impacting businesses in New York State are just the tip of the iceberg. There were an estimated 193 billion such attempts globally in 2020, according to one report. A large majority of these target the retail sector. One Akamai study from 2020 found that:

• Over 60% of credential stuffing attacks detected over the previous two years were aimed at retail, travel and hospitality businesses.
• This translated into 64 billion customer accounts.
• Over 90% of these attacks were aimed at the retail sector.

What’s the impact on customers and businesses?

Once attackers are able to access a user account, there are several potential outcomes, although these may vary depending on what type of account it is. They could:

• Extract personal information to help craft more convincing phishing emails designed to steal financial info.
• Sell this personal information, or account access, on the dark web.
• Use stored cards (payment cards or retail gift cards) to make fraudulent purchases.

One study estimated that credential stuffing costs organizations each an average of $4M per year.

Media statements from companies impacted by credential stuffing are often at pains to point out that their internal systems were not affected, and that poor password management on the part of customers is ultimately to blame. That may be, but there is also a significant corporate financial and reputational cost to this.

One study from 2019 estimated that credential stuffing costs organizations each an average of $4m per year. This includes:

• Application downtime ($1.2m).
• Loss of customers following an incident ($1.6m).
• IT overtime to clean-up incidents and reset passwords ($1.2m). 
• Follow-on fraud.

How can businesses tackle credential stuffing?

Doing nothing is therefore not an option. So how can IT teams mitigate the risk of credential stuffing? The New York Attorney General’s Office (OAG) has produced a useful report here. It recommends action in four areas. First, try to defend against attacks if possible. Then, if any sneak through, organizations must have effective ways to quickly detect a credential stuffing breach and respond to the incident. This includes preventing any stolen customer information being used for follow-on fraud.

Credential stuffing will be with us for as long as passwords are the preferred method of authentication for users.

Let’s take each in turn:

1. Defend against attacks using: 

• Bot detection to spot the automated scripts used by threat actors.
• Multi-factor authentication (MFA) on accounts to mitigate password risk.
• Passwordless authentication like face or fingerprint scanners.

2. Detect attacks by monitoring customer traffic for things like soaring volumes of failed login attempts.

3. Respond quickly to incidents by ensuring you have a well-tested incident response plan that includes what to do in the event of a credential stuffing breach. Typical processes should include:

• Determining whether customer accounts were compromised, and which ones.
• Remediating by resetting passwords to kick the threat actors out.
• Notification to customers affected by any incident.

4. Prevent follow-on fraud by blocking the use of stored payment cards by unauthorized third parties. Do this by re-authenticating users at the time of purchase—perhaps by asking them to re-enter their CVS security code.

• The OAG has this final warning: “It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication.”

The bottom line is that credential stuffing will be with us for as long as passwords are the preferred method of authentication for users. Encouraging customers to use MFA and password managers, and follow other best practices, is one thing. But more proactivity is needed to protect corporate reputation and the bottom line. 

Breaches may ultimately come down to poor password management on the part of customers. But it’s the brand that will get the blame if accounts are compromised.