The Art of a Credential Stuffing Attack

by Cymatic | Apr 16, 2019 | Cyber Security

Credential stuffing is a technique in which hackers use stolen e-mail addresses and passwords to attack other services, mostly websites.

An estimated 30 billion attempts to break into users' accounts were made in 2018. Attackers most often targeted retail sites, video-streaming services, and entertainment companies.

Software programs are loaded with a list of the emails/usernames and passwords. The attacker then picks a site to attack. The software relentlessly tries each combination to gain access to accounts.

For instance, a list looks something like the example below:

USERNAME: [email protected] PASSWORD: Password
USERNAME: [email protected]  PASSWORD: 123456
USERNAME: [email protected]  PASSWORD: football
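
From the defender's side, a tool working through such a list leaves a recognizable trace in authentication logs: one source tries many different usernames, each only once or twice, and nearly all attempts fail. The sketch below is an added example, not code from Cymatic or from the original post; the event format, function name, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One source walking a credential list: 8 distinct users, 1 try each.
    [("203.0.113.7", f"user{i}@example.test", False) for i in range(7)]
    + [("203.0.113.7", "carol@example.test", True)]
    # One user retrying a forgotten password: many tries, single account.
    + [("198.51.100.20", "dave@example.test", False)] * 6
    # Office NAT: many users behind one address, all logging in normally.
    + [("192.0.2.50", f"staff{i}@example.test", True) for i in range(6)]
)


def find_stuffing_sources(events, min_users=5, max_tries_per_user=2.0,
                          min_fail_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for
    sources whose traffic matches the credential-stuffing shape."""
    stats = defaultdict(lambda: {"tries": 0, "fails": 0,
                                 "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["tries"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)   # a reused password that worked
        else:
            s["fails"] += 1

    flagged = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        if n_users < min_users:
            continue              # too few accounts touched
        if s["tries"] / n_users > max_tries_per_user:
            continue              # hammering few accounts, not a list walk
        if s["fails"] / s["tries"] < min_fail_ratio:
            continue              # mostly successful: normal shared address
        flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: reset and notify {accounts}")
```

The accounts returned for a flagged source are the ones whose reused password actually worked, so only those need a forced reset and notification. Keying on source address alone is a simplification; the same counts can be grouped by another attribute when attempts are spread across many addresses.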

“The extensive and constant attacks to log into and gain access to a variety of systems should be taken seriously. Companies need upgraded, real-time methods to stay ahead,” says Jason Hollander, CEO of Cymatic Security. “Products like ours allow companies to understand their breach risk factor and stop this type of attack before the breach happens.”

Attacks that attempt to access sites using stolen or easy-to-guess credentials are increasingly popular. In March, the FBI warned Citrix that attackers breached the company’s network using a low-volume credential-stuffing attack known as password spraying. (See our blog on this topic.)

Credential-stuffing attacks are also made easier by readily available software. SNIPR is a popular, easy-to-use program for targeting simple sites, such as gaming networks and video-streaming services. STORM is another tool that attackers use and trade on the Dark Web.

In February, Intuit warned users of TurboTax that the reuse of usernames and passwords had allowed attackers to compromise an unknown number of accounts.

Health insurer Humana recently began notifying an unspecified number of health plan members after detecting and blocking a credential stuffing attack against Humana.com and Go365.com.

In December, 770 million email addresses and passwords showed up on a popular hacking forum. The list of usernames and passwords is 87 GB, the largest collection of breached data in history.

Credential stuffing attacks are possible because so many people reuse the same password for many different accounts. Having a different combination of email and password to log in to each site means that information is less accessible to hackers.

  • How can usernames and passwords be manageable?
  • How can companies strengthen user verification without putting the onus on the user?
  • How can companies be more sniper-like when identifying which accounts might be compromised, instead of grenading everyone?

This is where Cymatic comes in. By understanding the risk of each user (regardless of credential exposure, credential reuse or security habits), our situationally aware AI engine applies proprietary logic to automatically identify users at risk and allow companies to block, remediate or notify. Cymatic is the only platform that looks across all user threat silos (dark web, credential hygiene, user behavior, location and device vulnerabilities) to give companies a complete and more accurate picture of user-based threats.