Credential stuffing


Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords - the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks such as: Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.

Credential spills

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than 3 billion credentials were spilled through online data breaches in 2016 alone.

Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time.

Incidents

On the 20 August 2018 Superdrug of the UK was targeted with an attempted blackmail, evidence was provided claiming to show that hackers had penetrated the site and downloaded 20,000 users' records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence.
In October–November 2016, attackers gained access to a private GitHub repository used by Uber developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential stuffing method, as email addresses and passwords had been re-used on other platforms. Multi-/two-factor authentication, though available, was not activated for the affected accounts. The hackers subsequently located credentials for the company's AWS datastore in the repository files, and were therefore able to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a 'bug bounty program', but did not disclose the incident to affected parties for over a year. After the breach came to light, the company was fined £385,000 by the UK Information Commissioner's Office.

Compromised credential checking

Compromised credential checking is a technique whereby users are notified when passwords are breached by websites, web browsers or password extensions.
In February 2018, British computer scientist Junade Ali created a communication protocol to anonymously verify if a password was leaked without fully disclosing the searched password. This protocol was implemented as a public API in Hunt's service and is now consumed by multiple websites and services including password managers and browser extensions. This approach was later replicated by Google's Password Checkup feature. Ali worked with academics at Cornell University to develop new versions of this protocol known as Frequency Size Bucketization and Identifier Based Bucketization. In March 2020, cryptographic padding was added to this protocol.

Compromised credential checking implementations

ProtocolDevelopersMade PublicReferences
k-AnonymityJunade Ali, Troy Hunt 21 February 2018
Frequency Smoothing Bucketization & Identifier Based BucketizationCornell University, Cloudflare May 2019
Google Password Checkup Google, Stanford UniversityAugust 2019
Active Credential Stuffing DetectionUniversity of North Carolina at Chapel Hill December 2019