The danger of stolen data: credential stuffing attacks

When we talk about cyberattacks, for companies, there is one word that normally comes to mind: malware, every computer’s nightmare, that can infect their systems and take with it not just the company’s most sensitive information, but also that of their users, clients, providers, employees, and so on.

However, malware isn’t always a cybercriminal’s tool of choice; in fact, in 2017 it started to give way to other kinds of attack, which are having similar levels of success at achieving the same goal: breaking through their victims’ corporate cybersecurity.

What is credential stuffing?

A credential stuffing attack is a kind of cyberattack in which, using details gathered from a data breach, the perpetrator manages to access user accounts on a platform by bombarding credentials until they hit upon the correct combination.

To carry out an attack of this kind, the cybercriminal must first get, steal, or buy a database made up of user accounts, with their login names and passwords. Their next step is to try to log in to the affected platform using these login details. As it is not always guaranteed that the details will coincide, the strategy is to launch multiple automatic logins until the details match up. What’s more, the identification processes are carried out by specialized botnets so that the platform believes them to be authentic. If it is possible to log in, the credential stuffing attack will have been a success.

The victims: Dunkin Donuts, Yahoo…

These cyberattacks are affecting an increasing number of companies.  The latest victim was Dunkin Donuts. In November, the company detected the theft of credentials and their subsequent use in an attack on the users of DD Perks, its loyalty and rewards program. The credentials stemmed from a data breach, although Dunkin Donuts stated that this breach didn’t happen on their system, rather on the system of a supplier, which gave access to third parties. Specifically, the user information came from a previous leak, and so the cybercriminals used this information both to access DD Perks accounts and to log in to other platforms that used the same credentials.

But there is, unfortunately, one incident that takes the crown for credential stuffing attacks: in 2016, around 500 million Yahoo accounts were seriously compromised by the prior leaking of a vast amount of information after another data breach. In this case, the breach had one more outcome: when Yahoo went public with the incident, many users received emails from people claiming to belong to the company, which contained a link to resolve the breach. These emails, however, were a phishing attempt by another group of cybercriminals.

Success rate and how to avoid them

When it comes to evaluating the potential damage of credential stuffing, it is important to get some perspective. According to a Shape Security study carried out in 2018, their success rate is usually, at best, 1%, a figure that may make this attack seem insignificant.

However, we must bear in mind the fact that these cyberattacks usually use databases that can contain credentials of several million users. This means their success rate, though modest in relative terms, is large enough in absolute terms for the affected company’s reputation to be seriously damaged by the exposure of its corporate cybersecurity.

Companies must therefore take appropriate steps to avoid both data breaches and possible credential stuffing attacks.

1.- Two factor authentication? Two-factor authentication (2FA) is one of the most commonly used methods for companies and platforms that want ensure a secure login for their users. However, as we have already seen, two factor authentication is not infallible, since it can be broken by getting users to introduce their details on fake portals.

2.- Cybersecurity solutions. A company’s security cannot rely 100% on users correctly managing their passwords, especially since the attack very often comes first: i.e., data breaches are often a consequence of poor corporate cybersecurity management, rather than as a result of poor password management by users. This is where Panda Adaptive Defense comes in: it has a data protection module, Panda Data Control, that is able to monitor data in all its states, including when it is at rest, helping the solution to know at all times what processes are being run and what data is being used.

3.- Employee awareness Companies must also instill in their employees a series of prevention measures, as they are often the easiest point of entry for cybercrime. Employees must remain alert, as well as not giving out their credentials via email (to avoid phishing, tech support scams or BEC scams) and, if they come across any problems, report the incident to the company’s head of IT.