According to one study, 44% of surveyed employees were found to use the same login credentials across both personal and work accounts.
Organizations that protect their systems and data with simple username-password combinations make it easier (and faster) for attackers to breach them. Similarly, users who fail to practice proper hygiene — using dictionary words as passwords, not changing compromised passwords, and so on — may find themselves at greater risk of attack.
One of the most common methods used to infiltrate protected systems and accounts is through credential stuffing attacks. These attacks spam organizations’ login endpoints with compromised credentials (usernames and passwords that were exposed in data breaches that occurred at other organizations), then carry out further malicious activities once access has been obtained.
Often, lists of stolen credentials are purchased and sold on the dark web, and can be used to attempt entry to any number of organizations. While the rate of successful breaches using this stolen data is low, it is made more successful by the high volume of credentials attackers have access to — as well as the fact that users tend to reuse credentials across multiple accounts or may not immediately change them following a known breach.
To put this into perspective: during large brute force attacks, Cloudflare observed HTTP requests using exposed credentials at a rate of 12,000+ per minute. Even if a fraction of those attempts were successful, they could deal serious damage to an organization once an attacker broke through.
Because of the volume and frequency at which credential stuffing attacks are attempted, defending against them requires a proactive and multilayered security strategy, one that can block fraudulent login requests, enforce robust authentication requirements, and minimize lateral movement in the event of a breach.
Successful credential stuffing results in account takeover, enabling attackers to gain total control of a user’s account and steal confidential data, compromise internal systems, or carry out larger attacks.
Consider DraftKings, a sports betting firm that suffered a significant credential stuffing attack in which stolen credentials were used to access their systems — compromising the personal data of over 67,000 users.
This data included physical and email addresses, phone numbers, account balance information, partial payment card details, and other sensitive information, though the full extent of the breach was unknown. As a result, the attackers were able to withdraw approximately $300,000 from multiple user accounts.
Following attacks like these, some users may be quick to change their passwords on compromised accounts. However, many others continue to reuse passwords across multiple systems, elect to keep the same password after a breach, or change it to something less secure. In a study by Carnegie Mellon University, only one of three people with accounts on a known breached domain changed their passwords afterward.
And, due to the high number of known data compromise incidents — yielding over 700 million stolen credentials in 2022 alone — obtaining stolen user credentials is often fairly easy for attackers who have the resources to purchase them.
Once attackers have cracked the credentials of a legitimate user account, they can then use those combinations to target multiple organizations. For example, if an employee’s work credentials are exposed in a breach and sold on the dark web, attackers may use those credentials to target popular banking applications or other high-value targets, which may result in additional losses if the victim uses the same password to access multiple platforms.
When it comes to protecting against credential stuffing and account takeover, the burden of secure access falls on both individual users and organizations. Practicing good password hygiene is important, but it is not enough to defend against attacks if other security measures are not in place.
For instance, organizations that rely on single-factor authentication (e.g. only requiring a username/password) may unintentionally put their users at greater risk of account takeover, since attackers only need to carry out one form of an attack in order to breach protected accounts and systems.
By contrast, organizations that enforce multi-factor authentication e.g. requiring a username/password combination as well as a unique physical token, require users to regularly update their passwords, and implement Zero Trust security measures are far more likely to withstand credential stuffing attempts.
Several factors may complicate an organization’s attempts to prevent credential stuffing. Since these attacks rely on data that has been stolen from other companies or purchased off of the dark web, organizations may not be aware that their users are reusing compromised credentials. Additionally, attackers often automate their attempts via credential stuffing software, which uses malicious bots to spam login endpoints with requests.
Despite this, there are still several strategies organizations can take to protect their users and data, including:
The best defense against credential stuffing is a proactive one. By requiring users to provide multiple forms of identification in order to access protected systems and data, organizations can minimize the likelihood of a successful breach — even for users that may be repurposing exposed credentials. To further strengthen their security posture, they may also require password resets at regular intervals and specify the length and characters that user passwords must contain.
Although credential stuffing tools can disguise login attempts as legitimate ones, organizations can configure web application firewall (WAF) rulesets to check these requests against databases of publicly-available stolen credentials. When there is a match, the user may be presented with an interactive challenge, or the request may be automatically denied.
Zero Trust — a modern security model that assumes threats are present both inside and outside of an organization’s network — continuously validates every user, device, and request. Zero Trust goes beyond MFA by enforcing least-privilege access (i.e. minimizing users’ exposure to sensitive data), validating device identity and permissions, and repeatedly verifying user identity. Together, these practices help prevent intrusion, reduce the opportunity for lateral movement, and lessen the impact of a successful breach.
Built on a powerful global network — encompassing 310 cities in over 120 countries — Cloudflare has unprecedented insight into current and emerging attack patterns. This helps better protect customers from a wide range of both automated and targeted attacks.
Cloudflare Zero Trust helps organizations implement stringent access requirements to defend their login endpoints against unauthorized requests. Additionally, organizations can reduce their vulnerability to credential stuffing by using Cloudflare to rate limit failed login attempts, identify and block bad bot behavior, and filter access attempts from potentially malicious sources via custom firewall rules.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Get the State of application security white paper to learn how Cloudflare helps defend organizations against credential stuffing and other emerging threats.
After reading this article you will be able to understand:
How credential stuffing attacks can lead to account takeover
Why MFA isn’t enough to stop credential stuffing
Strategies to secure your organization against volumetric attacks