Credential stuffing

From HandWiki
Short description: Cyberattack using mass login requests

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application.[1] Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.[2][3]

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts.[4] In 2017, the FTC issued an advisory suggesting specific actions companies needed to take against credential stuffing, such as insisting on secure passwords and guarding against attacks.[5] According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts.[6] Wired Magazine described the best way to protect against credential stuffing is to use unique passwords on accounts, such as those generated automatically by a password manager, enable two-factor authentication, and to have companies detect and stop credential stuffing attacks.[7]

Credential spills

A credential spill, alternatively referred to as a data breach or leak, arises when unauthorized individuals or groups illicitly obtain access to sensitive user credentials that organizations store. Such credentials frequently comprise usernames, email addresses, and passwords. The repercussions of credential spills can be significant, as they commonly subject users to a range of hazards, including identity theft, financial fraud, and unauthorized account infiltration.[8]

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone.[9]

Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time.[10]

Incidents

On 20 August 2018, U.K. health and beauty retailer Superdrug was targeted with an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence.[11][12]

In October and November 2016, attackers gained access to a private GitHub repository used by Uber (Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential-stuffing method, as email addresses and passwords had been reused on other platforms. Multi-factor authentication, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a bug bounty program but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K. Information Commissioner's Office.[13]

In 2019 Cybersecurity research firm Knight Lion Security claimed in a report that credential stuffing was favored attack method for GnosticPlayers.[14]

Compromised credential checking

Compromised credential checking is a technique enabling users to be notified when passwords are breached by websites, web browsers or password extensions.

In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was leaked without fully disclosing the searched password.[15][16] This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers[17][18] and browser extensions.[19][20] This approach was later replicated by Google's Password Checkup feature.[21][22][23] Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB).[24] In March 2020, cryptographic padding was added to the protocol.[25]

Compromised credential checking implementations

Protocol Developers Made Public References
k-Anonymity Junade Ali (Cloudflare), Troy Hunt (Have I Been Pwned?) 21 February 2018 [26][27]
Frequency Smoothing Bucketization & Identifier Based Bucketization Cornell University (Lucy Li, Bijeeta Pal, Rahul Chatterjee, Thomas Ristenpart), Cloudflare (Junade Ali, Nick Sullivan) May 2019 [28]
Google Password Checkup (GPC) Google, Stanford University August 2019 [29][30]
Active Credential Stuffing Detection University of North Carolina at Chapel Hill (Ke Coby Wang, Michael K. Reiter) December 2019 [31]

See also

References

  1. "Credential Stuffing". OWASP. https://www.owasp.org/index.php/Credential_stuffing. 
  2. "Credential Spill Report". Shape Security. January 2017. p. 23. http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape-2017-Credential-Spill-Report.pdf. "The most popular credential stuffing tool, Sentry MBA, uses 'config' files for target websites that contain all the login sequence logic needed to automate login attempts" 
  3. "Use of credential Stuffing Tools". https://www.ncsc.gov.uk/news/use-credential-stuffing-tools. 
  4. "Wake-Up Call on Users' Poor Password Habits". SecureAuth. July 2017. https://www.secureauth.com/sites/default/files/secureauth_ciam_infographic_170714.pdf. 
  5. "Stick with Security: Require secure passwords and authentication" (in en). 2017-08-11. https://www.ftc.gov/news-events/blogs/business-blog/2017/08/stick-security-require-secure-passwords-authentication. 
  6. Ghosemajumder, Shuman (2017-12-04). "You Can't Secure 100% of Your Data 100% of the Time". Harvard Business Review. ISSN 0017-8012. https://hbr.org/2017/12/you-cant-secure-100-of-your-data-100-of-the-time. 
  7. "What Is Credential Stuffing?" (in en-us). Wired. ISSN 1059-1028. https://www.wired.com/story/what-is-credential-stuffing/. Retrieved 2021-04-11. 
  8. Shanker, Ed (March 8, 2022). "Credential Stuffing". https://www.meetingtreecomputer.com/tech-tip-75-24-important-cybersecurity-definitions-to-add-to-your-brain-bank/. 
  9. Chickowski, Ericka (January 17, 2017). "Credential-Stuffing Attacks Take Enterprise Systems By Storm". DarkReading. http://www.darkreading.com/attacks-breaches/credential-stuffing-attacks-take-enterprise-systems-by-storm/d/d-id/1327908. 
  10. Townsend, Kevin (January 17, 2017). "Credential Stuffing: a Successful and Growing Attack Methodology". Security Week. http://www.securityweek.com/credential-stuffing-successful-and-growing-attack-methodology. 
  11. "Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug". https://www.theregister.co.uk/2018/08/21/superdrug_hackers_claims. 
  12. "Superdrug Rebuffs Super Ransom After Supposed Super Heist – Finance Crypto Community". 23 August 2018. http://digitators.com/cryptocommune/superdrug-rebuffs-super-ransom-after-supposed-super-heist. 
  13. "Monetary Penalty Notice (Uber)". Information Commissioner's Office. 27 November 2018. https://ico.org.uk/media/action-weve-taken/mpns/2553890/uber-monetary-penalty-notice-26-november-2018.pdf. 
  14. "GnosticPlayers Part 1: An Overview of Hackers Nclay, DDB, and NSFW" (in en-US). 2019-12-30. https://nightlion.com/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/. 
  15. "Find out if your password has been pwned—without sending it to a server" (in en-us). Ars Technica. https://arstechnica.com/information-technology/2018/02/new-tool-safely-checks-your-passwords-against-a-half-billion-pwned-passwords/. 
  16. "1Password bolts on a 'pwned password' check – TechCrunch" (in en-US). 23 February 2018. https://techcrunch.com/2018/02/23/1password-bolts-on-a-pwned-password-check. 
  17. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online" (in en). https://www.macrumors.com/2018/02/23/1password-pwned-passwords/. 
  18. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned" (in en-US). Gizmodo. https://gizmodo.com/1password-helps-you-find-out-if-your-password-is-pwned-1823272286. 
  19. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App | ZDNet" (in en). ZDNet. https://www.zdnet.com/article/okta-offers-free-multi-factor-authentication-with-new-product-one-app/. 
  20. Coren, Michael J.. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically" (in en-US). Quartz. https://qz.com/1284488/the-worlds-biggest-database-of-hacked-passwords-is-now-a-chrome-extension-that-checks-yours-automatically/. 
  21. Wagenseil I, Paul (5 February 2019). "Google's New Chrome Extension Finds Your Hacked Passwords". https://www.laptopmag.com/articles/googles-new-chrome-extension-finds-hacked-passwords. 
  22. "Google Launches Password Checkup Extension to Alert Users of Data Breaches" (in en-us). https://www.bleepingcomputer.com/news/security/google-launches-password-checkup-extension-to-alert-users-of-data-breaches/. 
  23. Dsouza, Melisha (6 February 2019). "Google's new Chrome extension 'Password CheckUp' checks if your username or password has been exposed to a third party breach". https://hub.packtpub.com/googles-new-chrome-extension-password-checkup-checks-if-your-username-or-password-has-been-exposed-to-a-third-party-breach/. 
  24. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (2019-11-06). "Protocols for Checking Compromised Credentials". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1387–1403. doi:10.1145/3319535.3354229. ISBN 978-1-4503-6747-9. Bibcode2019arXiv190513737L. 
  25. Ali, Junade (4 March 2020). "Pwned Passwords Padding (ft. Lava Lamps and Workers)" (in en). https://blog.cloudflare.com/pwned-passwords-padding-ft-lava-lamps-and-workers/. Retrieved 12 May 2020. 
  26. Ali, Junade (21 February 2018). "Validating Leaked Passwords with k-Anonymity" (in en). https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/. Retrieved 12 May 2020. 
  27. Ali, Junade (5 October 2017) (in en). Mechanism for the prevention of password reuse through Anonymized Hashes. PeerJ Preprints. doi:10.7287/peerj.preprints.3322v1. https://peerj.com/preprints/3322/. Retrieved 12 May 2020. 
  28. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (4 September 2019). "Protocols for Checking Compromised Credentials". arXiv:1905.13737 [cs.CR].
  29. Thomas, Kurt; Pullman, Jennifer; Yeo, Kevin; Raghunathan, Ananth; Kelley, Patrick Gage; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek et al. (2019) (in en). Protecting accounts from credential stuffing with password breach alerting. pp. 1556–1571. ISBN 9781939133069. https://www.usenix.org/conference/usenixsecurity19/presentation/thomas. 
  30. Cimpanu, Catalin. "Google launches Password Checkup feature, will add it to Chrome later this year" (in en). ZDNet. https://www.zdnet.com/article/google-launches-password-checkup-feature-will-add-it-to-chrome-later-this-year/. Retrieved 12 May 2020. 
  31. Wang, Ke Coby; Reiter, Michael K. (2020) (in en). Detecting Stuffing of a User's Credentials at Her Own Accounts. pp. 2201–2218. ISBN 9781939133175. https://www.usenix.org/conference/usenixsecurity20/presentation/wang. 

External links