You might have read about credential stuffing and credential cracking attacks in the news, but what you might not know is that any company can fall victim to a brute force attack. Credential stuffing and credential cracking attacks are dangerous because they give hackers access to your customers’ online accounts. Even major companies like The North Face, Spotify, and Sam’s Club have suffered credential stuffing attacks. We’ll tell you everything you need to know about credential stuffing and credential cracking attacks. We’ll also give you some tips on how to prevent these damaging attacks from happening to you.
Credential Stuffing Definition
Credential stuffing is the automated injection of stolen username and password pairs, otherwise known as credentials, into website login forms in order to gain access to other people’s accounts. It is one of the most commonly used techniques for fraudulently taking over user accounts. Since many people reuse the same usernames and passwords across multiple accounts, attackers can often break into several of their logins at once.
Credential Cracking Definition
Credential cracking, on the other hand, is the attempt to find the correct login credentials by using automated brute-force password cracking tools that test huge numbers of different username and password combinations. If you choose easy-to-guess passwords, you are particularly vulnerable to a credential cracking attack.
Examples of Credential Stuffing and Credential Cracking Attacks
Even major companies can fall victim to credential stuffing and credential cracking attacks. The first signs of credential stuffing attacks appeared in 2014.
The coffee company was the victim of an attack in early 2019. Hackers used credentials from other data breaches to gain access to DD Perks rewards accounts, which held personal information including email addresses, DD Perks account numbers, and DD Perks QR codes. Their goal was to sell access to the compromised accounts to people who wanted the reward points.
Just months later, the Disney+ streaming service fell victim to a credential stuffing attack. Right after the launch, account credentials were put up for sale on dark web forums.
Why Hackers Use Credential Stuffing and Credential Cracking
A “successful” credential stuffing or credential cracking attack means that the hacker gains access to the user’s account. This is called account takeover: the unlawful access of a user account in order to commit fraud. Once the criminal is in the user’s account, they can reach linked bank accounts, credit cards, and personal information that they can use for further identity theft.

The most profitable kind of account takeover is credit card fraud. One common practice is known as carding: using the stolen credit card details, typically through a fake account, to purchase products and services, or reselling the card information on the dark web. Beware during the holiday season, because that is usually when these carding attacks happen: the unusual purchases are less likely to be noticed by websites that are already seeing large amounts of traffic.

The types of companies that are typically the target of credential stuffing attacks include:
- Social media
- Information technology
- Travel and transportation industries
However, any kind of company or organization can be vulnerable to a credential stuffing or credential cracking attack.
How a Credential Stuffing Attack Works
Be honest: do you use the same password for multiple accounts? If so, you’re not alone. As many as 65% of people reuse the same passwords for multiple — or all — of their accounts, according to a Google security survey. This is exactly what malicious threat actors are relying on. Here is how a typical credential stuffing attack works:
- The hacker creates at least one bot to access the login pages of multiple websites in parallel. Typically, the bot is disguised as a human and operates through several IP addresses.
- The bot runs the list of stolen credentials through the login pages of the apps and websites it is targeting.
- Once the bot is into a user account, it is programmed to collect all personal data, such as credit card information, linked bank accounts, and more. This is an account takeover.
- Eventually, the hacker has a large amount of valuable personal information, which they either keep for their own purposes, or resell on the dark web.
Credential cracking is extremely similar, except that instead of being programmed to run through a list of stolen credentials, the bot or bots run through common password patterns, dictionaries, or common phrases until they gain access to an account. The problem with hackers taking control of online accounts is that they can often conduct unauthorized transactions without the victims finding out right away. The transaction is not flagged as suspicious, since the hacker is logged in as the legitimate user.
The Consequences of a Credential Stuffing Attack
Credential stuffing and credential cracking attacks can have major consequences, even when they are not successful.
Did you realize you might be paying for the bots that are attacking your website? All web traffic costs you server bandwidth. When bots are on your website, they are using up valuable server capacity (not to mention your money).
Poor Website Performance
Credential stuffing and credential cracking attacks typically cause a traffic spike on your website, which can slow down response times and lead to poor site performance. This results in a poor user experience (UX) for your customers, which can be frustrating. Not to mention, if they have linked their payment details to your website, it can make your customers uneasy.
And there’s the most obvious potential danger of a credential stuffing attack: if it’s successful, then all of your users’ personal data will be compromised. You will have to let them know, and it will be a PR nightmare for your company. You don’t want your company’s reputation to be sullied by a brute force attack.
How to Detect Credential Stuffing Attacks
Are you worried that your site might have been hacked? There are a few signs you can look out for in order to detect a credential stuffing attack on your website. The signs include:
- Website Traffic: Keep an eye out for any major or unusual changes in your website traffic. In particular, look for multiple login attempts on various accounts, especially within a short time frame.
- Login-Failure Rate: If the login-failure rate on your website is higher than normal, that can be an ominous sign of a credential stuffing attack.
- Site Downtime: If your website goes down due to increased website traffic and you don’t know the cause (like a new product launch), you will want to look into the source of the traffic.
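As an added example (not from the original article), here is a small Python check that applies two of the signs above to a constructed login log: the overall login-failure rate, and one source address failing against many distinct accounts within a short window. The log format, the thresholds and the IP addresses are assumptions for the sake of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs). Assumed format:
# "<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2024-03-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2024-03-01T10:00:02 203.0.113.7 carol LOGIN_FAIL
2024-03-01T10:00:03 203.0.113.7 dave LOGIN_OK
2024-03-01T10:00:04 203.0.113.7 erin LOGIN_FAIL
2024-03-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2024-03-01T10:02:10 198.51.100.9 alice LOGIN_FAIL
2024-03-01T10:02:40 198.51.100.9 alice LOGIN_OK
2024-03-01T10:05:00 192.0.2.33 bob LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_events(text):
    """Parse lines into (timestamp, ip, user, success); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events

def failure_rate(events):
    """Share of login attempts that failed; compare it against your site's normal baseline."""
    return 0.0 if not events else sum(1 for _, _, _, ok in events if not ok) / len(events)

def stuffing_suspects(events, window=timedelta(seconds=60), min_users=5):
    """Flag source IPs that fail logins against many distinct accounts inside one window.
    Many accounts, few guesses each, is the stuffing signature; one user repeatedly
    mistyping their own password does not trip this check."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    suspects = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            if len({u for _, u, ok in in_window if not ok}) >= min_users:
                suspects.append(ip)
                break
    return suspects
```

On the sample, `failure_rate` reports two thirds of attempts failing and `stuffing_suspects` flags only 203.0.113.7, which failed against five different accounts in four seconds; the single user at 198.51.100.9 who mistyped once is not flagged.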
Ways to Prevent Credential Stuffing Attacks
While it might not be possible to completely prevent credential stuffing or credential cracking attacks from happening to your website, there are some steps you can take to create a secure website:
- Multi-Factor Authentication: Add multi-factor authentication (MFA) for all user accounts on your website.
- Password Managers: Encourage customers to use password managers in order to create the strongest possible unique passwords.
- Monitor Web Traffic: Make sure to monitor your web traffic for the same IP address appearing with varying subnets. This can be a sign of a proxy service.
- Use Bot Detection Software: Consider using bot protection software to protect your site.
- Train Your Employees: Either train your existing employees to defend against automated attacks, or consider hiring a professional website security expert to help you keep your website safe.