What makes Credential Stuffing attacks so dangerous?

If you have been a frequent internet user for at least the past decade (assuming you do not live under a rock) and have accounts on several different websites or applications, then it is highly likely that at least one of your accounts has been compromised in one of the millions of data breaches that occurred between 2010 and 2021.

One straightforward way to gauge your exposure is to check haveibeenpwned.com, a website run by security expert Troy Hunt. It can give you a comprehensive list of data breaches in which your credentials were or may have been compromised. Lately, even browsers can flag these issues. But what many of us are yet to understand is the scale of the attack surface that opens up with compromised credentials, notably through credential stuffing attacks, because in most cases millions of stolen credentials are available to malicious actors on the Dark Web.

What is a credential stuffing attack?

As we mentioned above, a credential stuffing attack occurs when hackers use stolen credentials from one data breach to log into another unrelated service. This particular attack vector is successful because people reuse the same username and password combinations for multiple accounts.  

Credential stuffing alone does not have a high success rate. But advances in attack tools, which use bots to make login attempts appear to come from multiple geographical locations and IP addresses, have made it a potent attack vector.

But how different is it from a brute force attack? 

Unlike credential stuffing attacks that use stolen credentials from one data breach to log into another account, brute force attacks are primarily based on guesswork. That is, attackers must guess the passwords of a target using characters at random, sometimes combined with common password suggestions. Users can evade brute force attacks by having a good password consisting of special characters and numbers, and so on. However, if a good password is reused in multiple accounts, these users can be victims of credential stuffing attacks. And this makes credential stuffing much more dangerous.  
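
The difference described above also shows up in authentication logs: brute force is deep (many failures against one account), while credential stuffing is wide and shallow (one or two tries against many accounts, spread across rotating IP addresses). The following detection sketch is an added example, not part of the original article; the event format, sample data and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events (source_ip, username, success); not real data."""
    events = [("198.51.100.7", "alice", False)] * 12   # one account, many guesses
    for i in range(30):                                # many accounts, one try each,
        ip = f"203.0.113.{i % 10 + 1}"                 # spread over 10 rotating IPs
        events.append((ip, f"user{i}", i == 17))       # one reused password works
    # A legitimate user mistypes once, then logs in.
    events += [("192.0.2.5", "bob", False), ("192.0.2.5", "bob", True)]
    return events

def classify(events, deep=10, shallow=2, wide=20, users_per_ip=2):
    """Thresholds are illustrative assumptions; tune them to your own baseline."""
    fails_by_user = defaultdict(int)
    failed_users_by_ip = defaultdict(set)
    for ip, user, ok in events:
        if not ok:
            fails_by_user[user] += 1
            failed_users_by_ip[ip].add(user)
    # Brute force: many failures against the same account.
    brute_force = sorted(u for u, n in fails_by_user.items() if n >= deep)
    # Credential stuffing: many accounts, very few failed tries against each.
    shallow_users = [u for u, n in fails_by_user.items() if n <= shallow]
    stuffing = len(shallow_users) >= wide
    # Bots rotate IPs, so the per-IP bar is low: failures on several accounts.
    campaign_ips = {ip for ip, users in failed_users_by_ip.items()
                    if stuffing and len(users) >= users_per_ip}
    # A success from a campaign IP is a probable takeover, not a fixed typo.
    compromised = sorted({u for ip, u, ok in events if ok and ip in campaign_ips})
    return {"brute_force": brute_force, "stuffing": stuffing,
            "campaign_ips": campaign_ips, "compromised": compromised}

if __name__ == "__main__":
    for key, value in classify(sample_events()).items():
        print(key, "->", sorted(value) if isinstance(value, set) else value)
```

A per-IP failure counter alone would miss the stuffing traffic in this sample, since no single address fails more than three times; the campaign only becomes visible when failures are aggregated across accounts.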

The alarming trends of credential stuffing

According to the ‘2021 Credential Stuffing Report’ published by F5 Networks, “In 2018 and 2019, the combined threats of phishing and credential stuffing made up roughly half of all publicly disclosed breaches in the United States. In other words, stolen credentials are so valuable that demand for them remains enormous, creating a vicious circle in which organizations suffer both network intrusions in pursuit of credentials and credential stuffing in pursuit of profits.” 

The report also pointed out several alarming trends, including that the number of credential spill incidents (events where combinations of usernames and passwords are leaked) doubled between 2016 and 2020. The report also stated that despite the growing awareness of cyberattacks, password hygiene continues to be poor. In addition, organizations take between 120 days (about 4 months) and 327 days (about 10 and a half months) to discover credential spills.

In several cases, leaked databases are found on the Dark Web even before the companies detect a cyber intrusion.  

Credential Stuffing Example: 150,000 security cameras were compromised

Earlier this year, video surveillance startup Verkada was targeted in a cyber-attack where close to 150,000 cameras were compromised by a hacktivist collective that went by the name APT-69420 Arson Cats.  

What was even more alarming about the cyberattack was that hackers accessed video feeds from facilities operated by automaker Tesla, its factories and warehouses, offices of Cloudflare, Equinox gyms, hospitals, jails, schools, police stations, and even Verkada’s own office.  The hackers also accessed the full video archive of all Verkada’s customers.  

What made the attack dangerous was its simplicity. The hacker group launched a credential stuffing attack by gaining “Super Admin”-level access to Verkada’s system using a username and password they found publicly on the internet.  

Credential stuffing and its impact on Colonial Pipeline and the rest of the US

The cybersecurity consulting firm that responded to the recent Colonial Pipeline attack pointed out that the hack resulted from a “single compromised password.” Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, part of FireEye Inc., in an interview with Bloomberg, said, “Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network.” He added, “The account was no longer in use at the time of the attack but could still be used to access Colonial’s network.” 

The scale of the attack was unprecedented. The attack compromised the billing system, leading to a halt in pipeline operations. The company had to shut down the pipeline as a precaution due to concerns that the attackers may have obtained information allowing them to carry out further attacks on vulnerable parts of the pipeline.  

The attackers had also stolen close to 100 gigabytes of data and then threatened to release it on the internet if a ransom was not paid. In the days that followed the incident, fuel shortages began to occur at filling stations, caused by panic buying. States like Alabama, Georgia, Florida, North and South Carolina reported gas shortages. In some cases, 71% of filling stations ran out of fuel. American Airlines changed flight schedules temporarily after the shortage hit Charlotte Douglas International Airport. 

Consequently, several flights had fuel stops or plane changes added to their schedules for four days. Airports directly serviced by Colonial Pipeline had to look for alternatives.

Eventually, the government had to intervene. President Joe Biden declared a state of emergency, removing limits on the transport of fuels by road. Several states also waived taxes on diesel and gasoline. The situation was so dire in certain parts of the country due to panic buying that the U.S. Consumer Product Safety Commission had to issue an advisory asking people to “not fill plastic bags with gasoline” (an obvious fire hazard). 

All because of a “single compromised password.” 

Conclusion

The above incidents highlight why credential stuffing, despite its low success rate, is one of the most dangerous cyberattacks.   

Prevention can begin with simple approaches like enabling password-less authentication for sensitive accounts. Biometrics and multi-factor authentication are also best practices worth establishing. Finally, better password hygiene, password creativity, and most importantly, refraining from reusing passwords are probably the silver bullets against credential stuffing attacks.