Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo, MySpace have provided cybercriminals with passwords aplenty and those passwords are used in these automated brute force login attempts.
Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.
Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.
Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to login. The criminals then scale up the assault by renting a botnet. It is then possible to conduct hundreds of thousands of login attempts simultaneously.
Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.
The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.
Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.
There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.
These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.
Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.
These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.