Credential stuffing as a form of cyberattack has been making headlines recently after it was reported that a number of Australia’s major retailers have been hit by the scam. While any industry can be targeted by credential stuffing attacks, some industries are more susceptible than others. According to Okta’s 2022 State of Security Identity Report, Retail and eCommerce are among the Top 5 targets for credential stuffing attacks.

This sort of attack is nothing new but according to some cybersecurity experts, there is a growing threat that it is increasingly becoming a favoured attack method for cybercriminals, mainly due to its ease of execution and high success rate.

What is credential stuffing?

Credential stuffing is a cyberattack technique where an attacker uses a list of stolen credentials, such as usernames and passwords, to gain unauthorised access to multiple accounts or systems. It banks on the tendency of users to reuse the same usernames and passwords across multiple online services. Attackers employ automated tools that can test thousands of stolen login credentials across numerous websites and applications, within seconds.

Credential stuffing is often confused with a brute-force attack. However, the difference between the two is that instead of trying out every possible combination of passwords to log in, credential stuffing makes use of stolen user credentials. A credential stuffing attack is thus more likely to succeed than a brute-force attack, and often bypasses account lockout mechanisms (as the correct credentials are used before the lockout limit)

How it works

Credential stuffing attacks are typically launched using automated tools that can rapidly test large numbers of already stolen credentials against a particular system or website. The attacker will typically use a list of stolen credentials, such as those obtained through a previous data breach, to try and gain access to multiple accounts or systems. This can include email accounts, social media accounts, financial accounts, and other types of online services.

Since it’s very common for consumers to reuse passwords across various platforms and online stores, it makes it easy for hackers to gain unauthorised access to multiple accounts. The number of recent data breaches in the past couple of years also means that there is a vast amount of compromised credentials available on the dark web for cybercriminals to exploit.

What are the telltale signs retailers need to watch out for?

There are a few giveaways that indicate a credential stuffing attack has been executed:

  • Repeated login attempts. One way to stop credential stuffing early is by monitoring traffic for unusual login patterns. Automated attacks might be given away by a sudden spike in login attempts for multiple accounts from abnormal geographic locations, IP addresses or other behaviour patterns associated with machine learning algorithms.
  • High login failure rates. Repetition and persistence are key characteristics of credential stuffing. Limiting the number of unsuccessful login attempts is a good way to separate human error and forgetfulness from malicious intent.
  • Dark web monitoring. Since stolen passwords are often exchanged on the dark web before they’re used for credential stuffing, monitoring the dark web to determine your exposure level can be a good preventative measure to adopt.

How can retailers prevent credential stuffing attacks?

A retailer’s key defences against credential stuffing are Multi Factor Authentication (MFA) as well as user education and sending reminders to consumers to avoid password reuse across accounts to reduce the likelihood of an attack being successful.

As thousands of credentials are used in the hope of getting at least a few right, by nature of an attack of this sort, it means there will be a number of failed login attempts. To combat this, on top of enforcing MFA, retailers should also employ timeouts and captcha after a certain number of failed attempts.

It’s critical to follow the OWASP Top 10 in how you configure your login systems as well. For example: do not give the attackers too much information on why their login failed. Rather than saying “Incorrect password” (which gives away whether the username exists in the system or not), a generic “Login error” message followed by a link to try and reset their password through an email without revealing if it is an active account in the system will slow down attackers significantly.

These aren’t, however, foolproof solutions. That’s where real-time endpoint monitoring and bot detection come into play. It seems like a no-brainer to have eyes on everything coming in and out of your network at all times, but many retailers don’t have the right tools, budget or resources to do this. Instead, they can only audit a small number of devices connected to their network at any given time, meaning they’re always one step behind attackers. For smaller teams, AI/ML has come a long way in detecting authentication abuse with a low false positive rate – ensure your team has those alerts on the top of their list.

Helping a user/consumer understand where there is strange behaviour on their account is also a very helpful mechanism without sacrificing the user experience. Sending the account owner an email when there is a login from a new device or new location with a link to report if this is abnormal shows you are taking their security seriously and giving them the right context to make better decisions around protection of their account.

In the case of credential stuffing, if retailers can see where the fraudulent log-in attempts are coming from, which attempts have been successful, what the attacker’s paths in were, and what they did once they were there, only then will retailers start to figure out the logical next steps in the attacker’s movements and stop them in their tracks before wide scale damage is done.

Retailers should also consider passwordless authentication. 81% of hacking-related breaches leverage weak or stolen passwords to gain unauthorised access.

Passwordless authentication, which includes passkeys and biometric methods have the potential to eliminate long-standing hacking methods such as brute-force attacks and credential stuffing that exploit traditional password weaknesses. Android and IOS have begun supporting this and suggesting it as you login to various supported websites – ensure your software developers are taking advantage of the mobile device passkey integrations available and configuring them to work seamlessly for your consumers.

Credential stuffing is easy to perform, so its popularity with criminals will likely increase over time. Retailers are particularly at risk because there are typically more opportunities to monetise illicit account access than with any other industry. Attackers can steal personal data, exploit saved credit cards and gift cards, or sell the whole account on the Dark Web for use by criminal organisations.

While consumers have a role to play in their password hygiene to avoid falling victim to credential stuffing attacks, the onus does not rest solely on them. Retailers must take proactive measures to enhance their security posture to protect their consumers, themselves and their own brand reputation from these attacks.

Remember that history has shown us that if there is a large-scale breach of accounts on a system, even if it’s no fault of your organisation due to credential re-use, media outlets generally have a headline with the words “breach” and “<yourcompanyname> – and the general public view it as your problem.

Lee Roebig is customer CISO at Sekuro.