Credential Stuffing - Intro and Stats

I was recently analyzing security data for a major retailer to detect any useful trends. Nothing really startles me anymore, but some of the numbers I’m discovering are pretty scary.

As a result of the increase in credential spilling incidents over the last several years, the number of "stuffing" attacks is rapidly growing. Credential stuffing is a type of attack in which hackers use credentials that have been stolen to gain access to other sites and systems.

For example, suppose you create an account online at Walmart consisting of your username and password. In order to make the login process more convenient, you decide to reuse the same set you use for another account, perhaps your Amazon or even bank account. Let’s pretend a couple of months later a server in the cloud at a Walmart data center gets compromised, resulting in the exposure of millions of customer credentials. These lists are then sold on the web for a profit.

The person who buys the credentials then decides to lease a botnet to assist in an attack. A botnet is a network of computers or other devices that have been infected with malware (a bot) and can be controlled as a group for malicious purposes. Most of the spam you receive on a daily basis is sent by bots that are part of a larger botnet. As a matter of fact, your computer or mobile phone could be a participant in an illegal botnet at this very moment, yet you remain completely unaware.

One major use for botnets is credential stuffing. Continuing the example, the hacker who bought the list of spilled credentials leases the botnet and uses it to try to log in to millions of other sites. Since many people use similar credentials for multiple accounts, the chances of success are high. Moreover, the cost of this attack and the balance of risk versus reward heavily favor the criminal. If done efficiently, an attacker can rent a botnet consisting of thousands of machines all working simultaneously in an attempt to log in to millions of other sites, and it is all accomplished in seconds.

Returning to the main purpose of this article - I just took a look at the login attempts for the major retailer and discovered that 9 out of 10 were a result of credential stuffing attacks. Only 1 attempt was actually coming from a human on the other end. Do the math and you will begin to grasp how much web traffic is dedicated to cyber attacks - all completely automated and done in less time than it took me to write this sentence. In addition, over a 4-month period, 500,000 accounts out of 15 million attempting to log in were from credentials that had been previously spilled from other attacks.
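To show how a ratio like this can be measured from login logs, here is an added example (not the author's or the retailer's code): it flags sources that try many different usernames and mostly fail, then reports the share of attempts they account for and which accounts they actually got into. The event format, the sample data and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events: (source_ip, username, login_succeeded)."""
    events = []
    # Two automated sources, each trying many different usernames once.
    for i in range(20):
        events.append(("203.0.113.10", f"user{i}", i == 7))  # one reused password hits
        events.append(("203.0.113.11", f"user{i + 20}", False))
    # Human traffic: one or two usernames per source, mostly succeeding.
    events += [
        ("198.51.100.5", "alice", False),  # mistyped password, then success
        ("198.51.100.5", "alice", True),
        ("198.51.100.6", "bob", True),
        ("198.51.100.7", "carol", True),
        ("198.51.100.7", "dave", True),    # shared household machine
    ]
    return events

def flag_sources(events, min_users=10, min_fail_ratio=0.8):
    """Return sources that tried many distinct usernames with a high failure rate.

    Both thresholds are assumed values, not figures from the article.
    """
    users, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in events:
        users[ip].add(user)
        total[ip] += 1
        failed[ip] += 0 if ok else 1
    return {ip for ip in total
            if len(users[ip]) >= min_users
            and failed[ip] / total[ip] >= min_fail_ratio}

def summarize(events, flagged):
    """Share of all attempts from flagged sources, and accounts they logged in to."""
    from_flagged = [e for e in events if e[0] in flagged]
    share = len(from_flagged) / len(events)
    # A success from a flagged source means a reused password worked: reset it.
    exposed = sorted({user for _, user, ok in from_flagged if ok})
    return share, exposed

if __name__ == "__main__":
    sample = build_sample()
    bad = flag_sources(sample)
    share, exposed = summarize(sample, bad)
    print(f"flagged sources: {sorted(bad)}")
    print(f"share of attempts flagged: {share:.0%}")
    print(f"accounts to reset: {exposed}")
```

A botnet that spreads its attempts thinly across thousands of machines can stay under a per-source threshold, so the same counting is usually repeated on other keys, such as network range or client fingerprint.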

The day is quickly coming when data from our fingerprints, retina, and just about everything else will be stored beyond our control. In every single way, our privacy is being violated, yet we are all unknowingly agreeing to the small print. For every 4 people who read this post, 1 will be a future victim of an attack, and another has a high chance of identity theft. Unfortunately, there is no simple solution, but like every complex problem, it all starts with people educating themselves.

Christopher George

Tech Industry Veteran | Proven Track Record in Innovation, Leadership, & Strategic Solutions

7y

Only 1 in 10 was a "real" login attempt? That is incredible!

David Anderson

Program Manager at Space Dynamics Laboratory

7y

Thanks for the article. It is an important topic to be aware of.
