Credential stuffing has been in the news because it is a method of attempting to take over accounts of a company by using the databases of known breaches to ‘stuff’ thousands or millions of known credentials into an automated bot and attempting to see if they can get one or two to work. Once they work, they can take over an account.
This method has become popular is because it’s very easy and inexpensive for the threat actors to accomplish. With an investment of as little as $550, criminals could expect to earn at least 20 times the profit on the sale of compromised login credentials. You may think that if you use multi-factor authentication (MFA) that you are protected. Maybe. MFA doesn’t prevent credential stuffing, it just makes it less valuable. For example, if I try to credential stuff against a company that has MFA, I will learn which accounts had valid credentials, because my bot will tell me what credentials invoked an MFA response. Now I can do two things; I can try a targeted phishing or vishing campaign against the now known good target and see if they will send me the MFA code. Or I can look for other company assets that may not have MFA and hope for password reuse. In either case I learned important information that can escalate my attack.
How can you prevent or defend against credential stuffing? One way is to use a CAPTCHA on your application, or attempt to use an ‘I am not a robot’ however these have been defeated by bots before. If we combine this with a few other methods of prevented automated logins such as using IP blacklists, and not allowing headless browsers this will help. The strongest defense against it is to use a Bot Management service. Bot management uses rate limiting combined with an IP reputation database to stop malicious bots from making login attempts without impacting legitimate logins.
As with many other credential threats, don’t stop trying to educate users and prevent password reuse. Use MFA everywhere you can. Although it won’t stop credential stuffing, it will at least stop the account takeover provided your users don’t get phished as well. Scan your domain against the free “have I been pwned” database for domains regularly, and once you have a baseline any new entries when you run the scan, make that user change passwords immediately.
Do not forget basic security practices such as detection, and assessment. Being able to detect a compromised credential and performing regular assessments that test the quality of your user credentials are great tools to minimize damage if other protections are overcome.