Credential stuffing attacks have become so prevalent in the first quarter of 2022 that traffic surpassed that of legitimate login attempts from normal users in some countries.
This type of attack takes advantage of “password recycling,” which is the bad practice of using the same credential pairs (login name and password) across multiple sites.
Once the credential are leaked or brute-forced from one site, threat actors perform a credential stuffing attack that attempts to use the same leaked credentials at other sites to gain access to users’ accounts.
As the FBI warned recently, these attacks are growing in volume thanks to the readily available aggregated lists of leaked credentials and the automated tools made available to cybercriminals, enabling them to test pairs against many sites.
Over 10 billion credential stuffing attempts
Okta reports that the situation has worsened in 2022, as the identity and access management firm has recorded over 10 billion credential stuffing events on its platform in the first 90 days of 2022.
This number represents roughly 34% of the overall authentication traffic, which means that one-third of all attempts are malicious and fraudulent.
When examined from a geographical perspective, the worst cases are South East Asia and the United States, where credential stuffing traffic consistently dwarfed normal login attempts throughout Q1 2022.
Because most of these attacks follow a “burst” approach, trying out a large number of credentials in a short time, impacted platforms sustain sudden load spikes of up to tenfold.
An example in Okta’s report is an attack that lasted almost two months, culminating in January 2022.
The load diagram is characteristic of how disruptive these attacks can be for online platforms, placing a significant strain on their identity management infrastructure, causing latency, and degrading the experience for regular users.
In terms of which industries were targeted the most, Okta reports most attempts were against retail/eCommerce. Significant attack volumes were also recorded against education, energy, financial services, and software/SaaS.
A recent example of a credential stuffing attack against an e-commerce platform is that against customers of North Face, compromising about 200,000 accounts in the brand’s online shop.
Protecting against credential stuffing attacks is mainly the responsibility of online platforms that should use fingerprinting checks, engage in proactive credential checking, use proxy discovery systems, and implement “shadow-banning” on suspicious accounts.
From the users’ perspective, using multi-factor authentication and setting unique, strong passwords for all your online accounts offers adequate protection against most threats of this type.
However, as seen by the recent MFA Fatigue attacks, threat actors have found ways to bypass MFA through social engineering. Therefore, it is important for organizations to properly secure MFA with number matching and authentication attempt thresholds.
