At the beginning of the year, the Office of the New York State Attorney General (OAG) announced the findings of a recent investigation into credential stuffing. The OAG monitored online communities dedicated to selling stolen credentials and discovered more than 1.1 million customer accounts from 17 well-known online businesses had been compromised through credential stuffing attacks.

The study was released following a series of investigations and law enforcement actions led by the OAG aimed at protecting consumers and internet users from online identity theft and holding website owners accountable for not taking appropriate action to protect their customers from credential stuffing attacks.

Following the investigation, the OAG informed the affected businesses and each took steps to mitigate the attacks. However, the research does highlight the scale of the problem and how many organizations are suffering credential stuffing attacks without even knowing.

Credential stuffing happens when cybercriminals test stolen user credentials on websites with the aim of getting access to online accounts. Attackers understand that internet users tend to reuse the same passwords across their online accounts, so once they have one correct combination it will generally give them access to a whole host of sites.

These attacks are very easy to carry out, and through the use of bots and automation, attackers can scale their efforts, testing credentials against multiple sites at once, with very little human intervention. According to the OAG: attackers typically use free, easily accessible software capable of transmitting hundreds or thousands of login attempts simultaneously without human intervention. The sheer volume of attempts means that hackers will likely walk away with a decent number of valid username and password pairs even if most of their attempts fail. 

Once attackers gain access to consumer accounts, they can perform account takeover attacks and make fraudulent purchases using stored credit cards, steal gift cards and loyalty points, submit fake warranty claims and credit applications and commit other types of fraud — or sell the valid credentials on the dark web for others to use.

Given the ease with which bad actors can carry out these attacks, it’s not surprising that recent data shows that in the first half of 2021, credential stuffing accounted for 5% of all traffic online. Data also revealed that there were over 2.8 billion credential stuffing attacks between October 2020 and September 2021, which was a 98%  increase on the same period in the previous year.

Considering the scale of the problem and the potential costs, it’s important that organizations disrupt the web attack lifecycle, which is the cyclical and continuous nature of cyberattacks involving the theft, validation and fraudulent use of identity and account information, which leads to the abuse of website business logic and ultimately financial fraud or theft. It’s critical to protect the account and identity information of users everywhere along their digital journey. Here are the OAG’s top three recommendations to prevent credential stuffing attacks:

  • Monitor customer accounts.

Credential stuffing attackers use bots to automate the process of identifying valid credentials and this causes significant traffic spikes which are picked up by web monitoring tools. The OAG recommends that businesses use automated traffic monitoring tools, so they have round-the-clock surveillance. If traffic suddenly spikes, or failed login attempts unexpectedly peak, it’s often a sign of a credential stuffing attack.

  • Implement a bot management solution.

The OAG said that bot detection and mitigation tools are the most effective solution to safeguard against credential stuffing attacks. The report said that one restaurant chain reported to the OAG that its bot detection vendor had blocked more than 271 million login attempts over a 17-month period. Another company the OAG contacted saw more than 40 million login attempts blocked over a two-month period.

Effective bot mitigation platforms can identify bot traffic even when they are disguised, such as by rotating through multiple IP addresses or device identifiers. Solutions that leverage behavioral analysis and predictive methods can detect and stop automated credential stuffing attacks before they affect websites, web applications or APIs with unparalleled accuracy. And machine-learning algorithms evolve in real-time, getting more sophisticated as bots do.

  • Deploy WAFs, MFA, and CAPTCHAs, but not alone.

The OAG also highlights that web application firewalls (WAFs), multi-factor authentication (MFA) and CAPTCHAs are important at mitigating credential stuffing, but they shouldn’t be relied on alone. For starters, WAFs are unable to detect bots in real-time, while CAPTCHAs have become less effective over time, particularly as hacker tools have been made available to solve CAPTCHAs. When it comes to MFA, the OAG sees this as an important security mechanism, however, it can ruin the user experience, by making purchasing and login processes slower and more clunky.

Credential stuffing has become a serious problem for online businesses and consumers, and as individuals continue to use the same password across their online accounts, it’s only going to continue. As a result, online businesses must prioritize credential stuffing mitigations, not only to protect themselves, but also their customers. They can do this by disrupting the web attack lifecycle and implementing the right solutions. The OAG said that bot mitigation tools offer the most comprehensive detection and mitigation of these attacks, but businesses can also rely on traffic monitoring tools, WAFs, MFA and CAPTCHAs for additional assurance.

Uriel Maimon, senior director of emerging technologies, PerimeterX