Credential stuffing

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. [1] Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. [2] [3]

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts. [4] In 2017, the FTC issued an advisory suggesting specific actions companies needed to take against credential stuffing, such as insisting on secure passwords and guarding against attacks. [5] According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts. [6] Wired Magazine described the best ways to protect against credential stuffing as using unique passwords on accounts, such as those generated automatically by a password manager, enabling two-factor authentication, and having companies detect and stop credential stuffing attacks. [7]

Credential spills

A credential spill, alternatively referred to as a data breach or leak, arises when unauthorized individuals or groups illicitly obtain access to sensitive user credentials that organizations store. Such credentials frequently comprise usernames, email addresses, and passwords. The repercussions of credential spills can be significant, as they commonly subject users to a range of hazards, including identity theft, financial fraud, and unauthorized account infiltration. [8]

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone. [9]

Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time. [10]

Incidents

On 20 August 2018, U.K. health and beauty retailer Superdrug was the target of an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The credentials were most likely obtained from earlier hacks and spills and then used as the source for credential stuffing attacks against Superdrug accounts, gleaning the information from which the bogus evidence was assembled. [11] [12]

In October and November 2016, attackers gained access to a private GitHub repository used by Uber (Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential-stuffing method, as email addresses and passwords had been reused on other platforms. Multi-factor authentication, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a bug bounty program but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K. Information Commissioner's Office. [13]

In 2019, the cybersecurity research firm Night Lion Security claimed in a report that credential stuffing was a favored attack method of GnosticPlayers. [14]

Compromised credential checking

Compromised credential checking is a technique that lets websites, web browsers or password manager extensions notify users when one of their passwords has appeared in a known data breach.

In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was leaked without fully disclosing the searched password. [15] [16] This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers [17] [18] and browser extensions. [19] [20] This approach was later replicated by Google's Password Checkup feature. [21] [22] [23] Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). [24] In March 2020, cryptographic padding was added to the protocol. [25]
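As an added illustration (not from the article or from any of the cited implementations), the following Python sketch models both sides of the k-anonymity range query described above: the client hashes the password locally, sends only the first five hex characters of the SHA-1, and compares suffixes itself, so the server never learns the password or its full hash; the server returns every stored suffix in that range and, mirroring the 2020 padding change, can pad the response with zero-count decoy lines. The breach corpus and counts are constructed sample data, and the `SUFFIX:COUNT` line format is an assumption about the service's response shape.

```python
import hashlib
import secrets

PREFIX_LEN = 5  # the client reveals only these leading hex digits (20 bits) of its SHA-1

# Constructed sample breach corpus (not real data). A real server stores only the hashes;
# the plaintexts appear here solely to build the sample table.
_SAMPLE_BREACHED = {"password": 3730471, "123456": 23547453, "letmein": 155879}
BREACH_DB = {hashlib.sha1(p.encode()).hexdigest().upper(): n for p, n in _SAMPLE_BREACHED.items()}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed on the client and never sent whole."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str, db: dict = BREACH_DB, pad_to: int = 0) -> str:
    """Server side of the range query: one 'SUFFIX:COUNT' line per stored hash that
    shares the 5-hex-digit prefix. Modelling the padding added in 2020, pad_to > 0
    appends random zero-count decoy lines so the response length does not reveal
    how many real hashes fall in the bucket (every response then has >= pad_to lines)."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [f"{h[PREFIX_LEN:]}:{count}" for h, count in db.items() if h.startswith(prefix)]
    while len(lines) < pad_to:
        lines.append(f"{secrets.token_hex(18)[:35].upper()}:0")  # 35 hex chars = 40 - 5
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=range_response) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns the breach count, or 0 if the password is absent from the bucket.
    Decoy lines carry count 0 and are ignored, so padding never yields a false positive."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix and int(count) > 0:
            return int(count)
    return 0


if __name__ == "__main__":
    padded = lambda p: range_response(p, pad_to=800)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, padded)} times; "
              f"server only saw prefix {sha1_hex(pw)[:PREFIX_LEN]}")
```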

Compromised credential checking implementations

| Protocol | Developers | Made public | References |
|---|---|---|---|
| k-Anonymity | Junade Ali (Cloudflare), Troy Hunt (Have I Been Pwned?) | 21 February 2018 | [26] [27] |
| Frequency Smoothing Bucketization & Identifier Based Bucketization | Cornell University (Lucy Li, Bijeeta Pal, Rahul Chatterjee, Thomas Ristenpart), Cloudflare (Junade Ali, Nick Sullivan) | May 2019 | [28] |
| Google Password Checkup (GPC) | Google, Stanford University | August 2019 | [29] [30] |
| Active Credential Stuffing Detection | University of North Carolina at Chapel Hill (Ke Coby Wang, Michael K. Reiter) | December 2019 | [31] |

References

  1. "Credential Stuffing". OWASP.
  2. "Credential Spill Report" (PDF). Shape Security. January 2017. p. 23. "The most popular credential stuffing tool, Sentry MBA, uses 'config' files for target websites that contain all the login sequence logic needed to automate login attempts."
  3. "Use of credential Stuffing Tools". NCSC.
  4. "Wake-Up Call on Users' Poor Password Habits" (PDF). SecureAuth. July 2017.
  5. "Stick with Security: Require secure passwords and authentication". Federal Trade Commission. 2017-08-11. Retrieved 2021-04-11.
  6. Ghosemajumder, Shuman (2017-12-04). "You Can't Secure 100% of Your Data 100% of the Time". Harvard Business Review. ISSN 0017-8012. Retrieved 2021-04-11.
  7. "What Is Credential Stuffing?". Wired. ISSN 1059-1028. Retrieved 2021-04-11.
  8. Shanker, Ed (March 8, 2022). "Credential Stuffing". Retrieved May 19, 2023.
  9. Chickowski, Ericka (January 17, 2017). "Credential-Stuffing Attacks Take Enterprise Systems By Storm". DarkReading. Retrieved February 19, 2017.
  10. Townsend, Kevin (January 17, 2017). "Credential Stuffing: a Successful and Growing Attack Methodology". Security Week. Retrieved February 19, 2017.
  11. "Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug". The Register.
  12. "Superdrug Rebuffs Super Ransom After Supposed Super Heist – Finance Crypto Community". 23 August 2018.
  13. "Monetary Penalty Notice (Uber)" (PDF). Information Commissioner's Office. 27 November 2018.
  14. "GnosticPlayers Part 1: An Overview of Hackers Nclay, DDB, and NSFW". Night Lion Security. 2019-12-30. Retrieved 2022-03-06.
  15. "Find out if your password has been pwned—without sending it to a server". Ars Technica. Retrieved 2018-05-24.
  16. "1Password bolts on a 'pwned password' check – TechCrunch". techcrunch.com. 23 February 2018. Retrieved 2018-05-24.
  17. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online". Retrieved 2018-05-24.
  18. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned". Gizmodo. Retrieved 2018-05-24.
  19. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App | ZDNet". ZDNet. Retrieved 2018-05-24.
  20. Coren, Michael J. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically". Quartz. Retrieved 2018-05-24.
  21. Wagenseil, Paul (5 February 2019). "Google's New Chrome Extension Finds Your Hacked Passwords". www.laptopmag.com.
  22. "Google Launches Password Checkup Extension to Alert Users of Data Breaches". BleepingComputer.
  23. Dsouza, Melisha (6 February 2019). "Google's new Chrome extension 'Password CheckUp' checks if your username or password has been exposed to a third party breach". Packt Hub.
  24. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (2019-11-06). "Protocols for Checking Compromised Credentials". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1387–1403. arXiv:1905.13737. Bibcode:2019arXiv190513737L. doi:10.1145/3319535.3354229. ISBN 978-1-4503-6747-9. S2CID 173188856.
  25. Ali, Junade (4 March 2020). "Pwned Passwords Padding (ft. Lava Lamps and Workers)". The Cloudflare Blog. Retrieved 12 May 2020.
  26. Ali, Junade (21 February 2018). "Validating Leaked Passwords with k-Anonymity". The Cloudflare Blog. Retrieved 12 May 2020.
  27. Ali, Junade (5 October 2017). "Mechanism for the prevention of password reuse through Anonymized Hashes". PeerJ Preprints. doi:10.7287/peerj.preprints.3322v1. Retrieved 12 May 2020.
  28. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (4 September 2019). "Protocols for Checking Compromised Credentials". arXiv:1905.13737 [cs.CR].
  29. Thomas, Kurt; Pullman, Jennifer; Yeo, Kevin; Raghunathan, Ananth; Kelley, Patrick Gage; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. pp. 1556–1571. ISBN 9781939133069.
  30. Cimpanu, Catalin. "Google launches Password Checkup feature, will add it to Chrome later this year". ZDNet. Retrieved 12 May 2020.
  31. Wang, Ke Coby; Reiter, Michael K. (2020). Detecting Stuffing of a User's Credentials at Her Own Accounts. pp. 2201–2218. arXiv:1912.11118. ISBN 9781939133175.