Latest credential-stuffing breaches underscore ongoing payments pain

The General Motors logo is displayed at a Chevrolet dealership on Aug. 4, 2021, in Burbank, Calif. (Photo by Mario Tama/Getty Images)

Credential-stuffing attacks have been on the rise in recent months, as underscored by two major attacks this week. Payments and financial firm CISOs are struggling to unpack how they can reduce the risk of the particularly harmful threats.

Online wedding planning upstart Zola confirmed earlier this week that a credential-stuffing attack had impacted a number of their customers’ accounts, allowing the perpetrators to clear out all the money in some accounts and illegitimately use the credit cards and gift cards linked to other accounts. Zola said in a public statement that fewer than 0.1% of all of its accounts were actually hacked, but would not share the actual number of affected users.

Richard Dufty, chief commercial officer at Arkose Labs, boldly described credential stuffing as “an attack that CISOs fear most and struggle to prevent [because] it is a precursor to account takeovers and because credential stuffing typically is a volumetric attack.”

“[This is] happening at scale to the point that it can overwhelm a business’s entire security team,” Duffy said.

Credential-stuffing attacks were 30% higher in the first quarter of 2022 than the average over the past two years (across various sectors), according to Arkose Labs’ latest attack-trend report, the Q2 2022 State of Fraud & Account Security

Credential stuffing — wherein crooks use legitimate usernames and passwords that have been exposed or stolen to access accounts on different websites where the same credentials are reused — very quickly reared its ugly head again this week.

The day after breach of the Zola user accounts became public, it was reported that customers of  General Motors had also been victim to credential-stuffing attacks last month. Using credentials collected from sites and applications outside of GM, bad actors had compromised the Big Three U.S. car maker’s online bill payment and rewards access for more than two weeks in April, GM confirmed. Again, the "credential stuffers" in question specifically targeted the financial and payment data and accounts of legitimate customers.

“With the recent attack on wedding planning startup Zola, and now GM, credential stuffing attacks continue to fuel the web attack lifecycle, potentially using these stolen user credentials on other e-commerce sites,” said Uriel Maimon, vice president of emerging products at PerimeterX. “We can expect that these credentials will soon be tested on other apps that we use daily to power our lives.”

Hence, the core problem with credential stuffing is that it is not only hard to weed out — given that legitimate user credentials are being utilized by the bad actors — but these are typically not one-and-done attacks. As both Dufty and Maimon pointed out, these are going to be largely repeated offenses, ones which payments companies and financial credit, debit and gift card issues may have to cover.

Once cyber criminals have access to accounts, they can purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit, according to Maimon. According to PerimeterX’s research, malicious login attempts as a percentage of total trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, he added.

Dufty said credential stuffing attacks can cause “financial drain” through the costs associated with remediating the attack itself, damage to operational efficiency and unquantifiable downstream costs. Larger companies can spend more than $2 million per year in call center costs helping companies reset passwords. For financial and payment companies that have a responsibility to cover fraud losses legitimately incurred by their customers, there’s another burden to bear with credential stuffing attacks.

But as long as online users keep recycling usernames and passwords and not using multi-factor authentication (and companies do not require it), the question of how to roll back the tide of credential stuffing will remain open.

Maimon said that the responsibility should lie with the application providers and website owners to “make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation and fraudulent use of account and identity information everywhere along a consumer’s digital journey.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.