Okta spots ‘unprecedented’ spike in credential stuffing attacks


Identity and access management service provider Okta warned of what it described as an “unprecedented” surge in credential-stuffing attacks against online services.

In an April 27 advisory, Okta said the increase in credential-stuffing attacks its threat researchers observed over the past month was facilitated by the broad availability of residential proxy services, “combo lists” of previously stolen credentials, and scripting tools.

In a “small percentage” of cases, the attacks it observed against its customers resulted in successful credential authentication, Okta said.

The warning was issued just over a week after Cisco raised the alarm about a related spike in global brute-force attacks against a range of targets, including VPN services, web application authentication interfaces, and SSH services.

Credential stuffing involves attackers attempting to sign in to online services using lists of usernames and passwords stolen from other breaches.

While the stolen credentials used in such attacks were usually not issued by the site being attacked, the threat actors play a numbers game. They work on the assumption that a small percentage of the username/password combinations will have been reused on the services they are attempting to breach.

The Okta researchers said the spike in credential stuffing activity they observed appeared to originate from infrastructure similar to that used in the attacks described by Talos, Cisco’s cyber threat intelligence organization.

The earlier advisory from Talos warned of brute-force attacks affecting services from several vendors including Cisco, Check Point, Fortinet, SonicWall and Ubiquiti.

“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR,” the Okta advisory said.

“Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati and DataImpulse.”

The Okta researchers explained that residential proxies were managed networks of legitimate user devices used to route traffic on behalf of a paid subscriber.

“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers.”

Residential proxies represent a growing threat, Orange Cyberdefense said in a recent post. While there were some legitimate uses for residential proxies, some threat actors had “heavily abused” the services that provided them, the post said.

The Okta researchers offered several recommendations to mitigate the risk of accounts being compromised through credential-stuffing attacks. These included enforcing multi-factor authentication and strong password policies, denying login requests from locations where a company did not operate, and monitoring and responding to suspicious login behavior.
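The monitoring and geo-policy recommendations above can be turned into concrete detection logic. The following is an added example, not code from Okta or from the advisory: it runs over a handful of constructed sign-in events (the JSON field names, thresholds, the `ALLOWED_COUNTRIES` list and the hypothetical user-agent fingerprinting are all assumptions for illustration) and flags three things the article describes: one source IP trying many different accounts with almost no successes, the same client fingerprint spread thinly across many IPs (the shape residential-proxy traffic takes, where no single IP crosses a per-IP threshold), and sign-ins from countries where the company does not operate.

```python
import json
from collections import defaultdict

# Assumption for this example: the countries where the hypothetical company operates.
ALLOWED_COUNTRIES = {"US", "GB"}

# Tunable thresholds; these values are assumptions, not figures from the advisory.
MIN_DISTINCT_USERS = 5    # many different accounts tried from one source
MAX_SUCCESS_RATIO = 0.2   # credential stuffing mostly fails
MIN_DISTINCT_IPS = 3      # one client fingerprint spread over several (proxy) IPs

# Constructed sign-in events, one JSON object per line. The field names are
# invented for this example and are not an identity provider's real log schema.
SAMPLE_LOG = """\
{"ts":"2024-04-27T10:00:01Z","user":"alice@example.com","ip":"203.0.113.7","country":"US","ua":"Chrome/124 Windows","result":"SUCCESS"}
{"ts":"2024-04-27T10:00:03Z","user":"bob@example.com","ip":"203.0.113.7","country":"US","ua":"Chrome/124 Windows","result":"FAILURE"}
{"ts":"2024-04-27T10:00:04Z","user":"bob@example.com","ip":"203.0.113.7","country":"US","ua":"Chrome/124 Windows","result":"SUCCESS"}
{"ts":"2024-04-27T10:01:00Z","user":"u001@example.com","ip":"198.51.100.23","country":"US","ua":"python-requests/2.31","result":"FAILURE"}
{"ts":"2024-04-27T10:01:01Z","user":"u002@example.com","ip":"198.51.100.23","country":"US","ua":"python-requests/2.31","result":"FAILURE"}
{"ts":"2024-04-27T10:01:02Z","user":"u003@example.com","ip":"198.51.100.23","country":"US","ua":"python-requests/2.31","result":"FAILURE"}
{"ts":"2024-04-27T10:01:03Z","user":"u004@example.com","ip":"198.51.100.23","country":"US","ua":"python-requests/2.31","result":"FAILURE"}
{"ts":"2024-04-27T10:01:04Z","user":"u005@example.com","ip":"198.51.100.23","country":"US","ua":"python-requests/2.31","result":"SUCCESS"}
{"ts":"2024-04-27T10:02:00Z","user":"u010@example.com","ip":"192.0.2.10","country":"US","ua":"Mozilla/5.0 X11","result":"FAILURE"}
{"ts":"2024-04-27T10:02:01Z","user":"u011@example.com","ip":"192.0.2.11","country":"US","ua":"Mozilla/5.0 X11","result":"FAILURE"}
{"ts":"2024-04-27T10:02:02Z","user":"u012@example.com","ip":"192.0.2.12","country":"US","ua":"Mozilla/5.0 X11","result":"FAILURE"}
{"ts":"2024-04-27T10:02:03Z","user":"u013@example.com","ip":"192.0.2.13","country":"US","ua":"Mozilla/5.0 X11","result":"FAILURE"}
{"ts":"2024-04-27T10:02:04Z","user":"u014@example.com","ip":"192.0.2.14","country":"US","ua":"Mozilla/5.0 X11","result":"FAILURE"}
{"ts":"2024-04-27T10:03:00Z","user":"carol@example.com","ip":"203.0.113.99","country":"JP","ua":"Chrome/124 Windows","result":"SUCCESS"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _aggregate(events, key):
    """Group events by `key`, tracking distinct users, distinct IPs and outcomes."""
    groups = defaultdict(lambda: {"users": set(), "ips": set(), "attempts": 0, "successes": 0})
    for e in events:
        g = groups[e[key]]
        g["users"].add(e["user"])
        g["ips"].add(e["ip"])
        g["attempts"] += 1
        g["successes"] += e["result"] == "SUCCESS"
    return groups


def _looks_like_stuffing(g):
    """Many distinct accounts, almost all failing: the credential-stuffing signature."""
    return len(g["users"]) >= MIN_DISTINCT_USERS and g["successes"] / g["attempts"] <= MAX_SUCCESS_RATIO


def stuffing_sources(events):
    """Source IPs that try many different accounts with a low success ratio."""
    return {ip: sorted(g["users"]) for ip, g in _aggregate(events, "ip").items() if _looks_like_stuffing(g)}


def distributed_stuffing(events):
    """Same client fingerprint (here: the user-agent string, an assumed proxy for a
    fingerprint) spread over several IPs, none of which trips the per-IP check."""
    return {ua: sorted(g["ips"]) for ua, g in _aggregate(events, "ua").items()
            if len(g["ips"]) >= MIN_DISTINCT_IPS and _looks_like_stuffing(g)}


def compromised_candidates(events, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: the 'small
    percentage' that succeeded, and the first ones to reset and step up to MFA."""
    return sorted({e["user"] for e in events if e["ip"] in flagged_ips and e["result"] == "SUCCESS"})


def geo_violations(events):
    """Sign-in attempts from countries outside the allowlist (deny-by-policy candidates)."""
    return [(e["user"], e["ip"], e["country"], e["result"]) for e in events if e["country"] not in ALLOWED_COUNTRIES]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    per_ip = stuffing_sources(events)
    print("per-IP stuffing sources:", per_ip)
    print("proxy-spread sources by fingerprint:", distributed_stuffing(events))
    print("accounts to reset (succeeded from flagged IPs):", compromised_candidates(events, per_ip))
    print("geo-policy violations:", geo_violations(events))
```

The per-IP check alone would miss the `Mozilla/5.0 X11` client, which makes only one attempt from each of five IPs; grouping by a client fingerprint across IPs is what catches traffic that residential proxies have spread across everyday users' addresses. In production the fingerprint would be something harder to change than the user-agent string, and the geo check would feed a policy engine rather than a list.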

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
