Credential Stuffing: the Culprit of Recent Attacks

A year ago, researchers found that 2.2 billion leaked records, known as Collection 1-5, were being passed around by hackers. This ‘mega leak’ included 1.2 billion unique email addresses and password combinations, 773 million unique email addresses and 21 million plaintext passwords. With this treasure trove, hackers can simply test email and password combinations on different sites, hoping that a user has reused one. This popular technique is known as credential stuffing and is the culprit of many recent data breaches.

With only a few months left in 2020, let’s reflect on the major data breaches that have occurred so far and brace ourselves for what is to come:

Marriott International Data Breach – Take Two

Marriott International experienced another mega breach when it was still recovering from the 2018 data breach that exposed approximately 339 million customer records. In January, a hacker used credentials of two employees at a Marriott property to collect data for a month before being discovered. The breach exposed personally identifiable information of 5.2 million customers, including contact information, personal details like gender and birthday, and loyalty account information. It was unclear how the hacker obtained those credentials, but it was speculated that credential stuffing and phishing were both likely.

Zoom: A New Favorite for Hackers

Due to the remote working mandate in many parts of the world, the video conferencing app has been growing in popularity – not only amongst end-users but also cyber-criminals. In early April, Zoom fell victim to a credential stuffing attack, which resulted in 500,000 of Zoom’s usernames and passwords being exposed on the Dark Web. Cyber-criminals used compromised credentials from past breaches and compiled successful logins into lists to be sold online.

GoDaddy: Largest Domain Registrar

In late April, the world’s largest domain registrar confirmed that credentials of 28,000 of its customer web hosting accounts were compromised in a security incident back in October 2019. GoDaddy’s breach notification email didn’t point to the reason behind this incident but the suspicion was that the hackers either exploited a known vulnerability that was coincidentally fixed on October 9 2019 or accessed privileged accounts using credentials obtained on the Dark Web or through social engineering.

Nintendo: Even More than Initially Thought

In March, users reported unauthorized logins to their accounts and charges for digital items without their permission. Nintendo announced the breach in April, but it doubled the number of affected accounts in an update in June. Approximately 300,000 accounts were affected by the breach, resulting in the compromise of personal identifiable information such as email address, date of birth, country and gender.

Nintendo did not reveal how the accounts were breached but from its statement it seemed that login ID and passwords were “obtained illegally from other than our service by some other means.” This suggests that the methods employed to gain unauthorized access could be credential stuffing, phishing or brute-force attacks.

Do You See a Trend Here?

It has become evident that many of the recent data breaches were the result of credential stuffing attacks leveraging compromised passwords or passphrases. Credential stuffing attacks are automated hacks where stolen usernames and password combinations are thrown at the login process of various websites in an effort to break in. With billions of compromised credentials already circulating the Dark Web, credential stuffing attacks can be carried out with relative ease and with a 1-3% success rate.

When the account of an employee is compromised, hackers can gain access to sensitive data that organization has collected, and sell it on the Dark Web. The stolen data, often including login credentials, can then be used to infiltrate other organizations’ systems which creates a never-ending cycle. This is why the LinkedIn breach was blamed for several secondary compromises due to users recycling their exposed LinkedIn passwords on other sites.

Tips to Defend Against Credential Stuffing

We don’t need more headlines to convince us credential stuffing is a growing concern. Get started with these key ways to mitigate the risk:

Turn on MFA wherever you can: eliminating the opportunity for user impersonation, and the single point of vulnerability, can be achieved with multi-factor authentication (MFA). MFA requires the user to verify their identity with multiple forms of authentication including authenticator apps (e.g. Google Authenticator), personal identity providers (e.g. LinkedIn), as well as higher trust methods (e.g. fingerprint authentication). This layered approach fortifies your organization against various types of attacks during user login as well as password reset.

Monitor passwords for compromise: unfortunately, built-in Active Directory policies don’t stop users from making poor password choices so it is best to regularly audit existing passwords to check for vulnerabilities. Specops Password Auditor (Free Tool) detects security weaknesses specifically related to password settings. By scanning your Active Directory, the tool collects and displays multiple interactive reports containing user and password policy information, such as accounts using passwords leaked from major breaches, accounts with expiring/expired passwords, stale admin accounts and more.

Block breached passwords: once you’ve identified breached passwords, it is important to block them immediately. The Breached Password Protection service available with this Active Directory password management tool offers consistent protection against leaked passwords. It checks your user passwords against a continuously updated list of over 2 billion leaked passwords and blocks any passwords found in the list. The comprehensive list includes the LinkedIn leak, MySpace Collection leaks, the haveibeenpwned? list, the Rockyou wordlist, the NCSC top 100,000 most common passwords, and more.

The tool also provides feedback to end users as to why they can no longer use the password, making it easy for organizations keep out vulnerable passwords without sacrificing usability. Click here to request a 30-day free trial.

Brought to You by

Should you register for this event your information will be shared with the sponsor indicated above. See our privacy policy for more information.

What’s Hot on Infosecurity Magazine?