Credential stuffing: What is it and why you should worry about it
Hint: There’s a reason employees not taking security policies seriously enough remains a significant challenge for security professionals.
We’ve all heard (and heard again, and then read about, and then deleted fifteen e-mails referencing it) the myriad breaches resulting in the exposure of billions (yes, that is a “b”) credentials over the past year and more. And while we’re likely all aware that those credentials being out in the wild on the black market is a threat, many may not understand exactly why. These are personal accounts, for the most part, spread across “social media” sites like LinkedIn and Twitter.
It’s the combination of poor security habits with those breaches that should be cause for concern. It’s given rise to a newish practice called “credential stuffing” and represents an existential threat to every organization.
In 2016 alone, we learned that more than a billion sets of credentials were exposed thanks to breaches:
Another Day, Another Hack: 117 Million LinkedIn Emails And ... (May 2016)
Passwords for 32M Twitter accounts may have been hacked and ...(Jun 2016)
Yahoo hack: 1bn accounts compromised by biggest data breach in ... (Dec 2016)
Most people, when informed they’ve been the victim of such a breach, rush out and change the impacted password. Good on them. That’s what they should do.
And what organizations should do, but likely don’t, in response to such a breach is require a change of corporate passwords, too.
Let me explain why.
Credential stuffing takes advantage of the vast pools of exposed credentials from breaches like those mentioned above to attempt to breach other systems. Like corporate systems, where the value of data and resources really adds up. Because of poor security habits – like reusing passwords and user identities – these attacks have a better chance at succeeding.
Really, it’s a pretty good chance if you look at the statistics around password reuse. For example, back in 2012, one survey1 found that “More than half of respondents (61%) admitted to reusing the same password for multiple sites.” Fast forward to 2015 and that percentage got worse. “According to a new report, nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more.”
The more recent survey goes on to note that “about 40 percent of those surveyed say they had “a security incident” in the past year, meaning they had an account hacked, password stolen, or were given notice that their personal information had been compromised.” Not surprising in the least.
Bad actors know this. They know that circumventing security is as much about understanding the habits of consumers as much as it is technology. And by combining the two, they’re able to more effectively brute force their way into user accounts through web applications. They basically reuse credentials exposed by breaches instead of generating them algorithmically. Given the aforementioned statistics regarding the reuse by consumers, it’s got a fair chance of success.
So, what can you realistically do about this problem? After all, you really can’t stop consumers – they’re also you’re employees – from reusing credentials or passwords.
First, make sure your developers and ops teams understand the threat. A good place to start is at OWASP, which is always a good place to start when digging into the technical side of web app security.
Second, give serious consideration to forcing password changes after a significant breach of an external site which may be frequented by a large percentage of your employee population.
Lastly, check with your web application firewall vendor to see if there’s an automated protection you can put in place against such an attack.
Mostly, remain vigilant about enforcing secure password policies and regular changes. Users hate that (I know I’m not a fan) but increasingly one of the best protections you have against a breach is good credential management.
Stay safe out there!
[1] http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf