Understanding and preventing credential stuffing attacks
Stolen Credentials
A credential stuffing cyberattack uses username and password credentials stolen in a data breach to gain access to your accounts. We explain how it works and how to prevent yourself from becoming a victim.
The good citizens of the Internet are frequently reminded that their passwords should contain a sufficiently complex combination of alphanumeric and special characters and, of course, meet or exceed a minimum length. Confusingly, the precise criteria for both are entirely dependent on which online service you use.
While security is everybody's responsibility, what should you be most concerned about if an online service lets you down and leaks your credentials, either through a malicious attack or simply through incompetence? The answer is twofold.
The first part of the answer depends on whether the online vendor informs you of the data breach straight away. I had my credentials stolen about a decade ago from a website that I had used once (around 2010, I think). The vendor reported the leak to a government department that did not make the breach public for a number of years afterwards, for reasons that I still don't find convincing. When I found out about the breach in 2014, I was horrified and immediately changed my password, eventually getting the vendor to completely close the account. Thankfully, only my name, age, postal address, email address, and order history were exposed, but potentially that's quite enough for identity theft.
The second part of the answer lies in your responsibility to ensure that you use unique passwords for each online service. Even if you change your password after a data leak, you are only protecting yourself on one service (which is hopefully running with heightened security, post-compromise). The bad news is that even if you keep passwords unique per service but reuse a pattern for your passwords across multiple online services, then you are still at risk. For example, penetration testers and attackers alike will try a capital letter at the start of passwords, as it is so common.
In this article, I will look at how attackers abuse the valuable data often made available on the dark web after a data breach – using automated bots in many cases. I will explore credential stuffing and explain how it differs from password spraying. Importantly, I will show you how to protect your online accounts against such nefarious attacks.
What Does the Data Look Like?
Before looking at one of the tools used by attackers for credential stuffing, let's have a look at the kind of data that gets passed around after a successful data breach. One website that offers both free and paid access to such datasets is a European search engine called Intelligence X [1] (see also the "OSINT Tooling" box). At the time of writing, the splash screen informs visitors that it currently has "110,768,706,582 records" available and refers to its service as being able to "Search Tor, I2P, data leaks, public web [...]."
OSINT Tooling
It is also worth mentioning that under the Tools menu on its website, Intelligence X provides a number of very useful ethical hacking tools that fall under the Open Source Intelligence (OSINT) category. According to the SANS Institute [2], OSINT "is the collection, analysis, and dissemination of information that is publicly available and legally accessible."
The available tools include email address lookups, people searches (Figure 1), phone number checks, location finding, image searches, and the ability to find files, to name but a few. That's a bookmark worth saving.
The search terms that can be used are notably powerful and include domain names, URLs, IP addresses (and CIDRs), and even Bitcoin addresses. In Figure 2, you can see the redacted output if I search for intelx.io within Intelligence X's search results.
For its own domain name, the search output dutifully reports "Found 446 Text Files, 372 Website HTMLs, 23 Pastes, 6 CSV Files, 3 Database Files, 2 PDF Files, 1 Domain." That's a lot of information, and remember, this is not hiding cloaked in secrecy on the dark web. Instead, it is fully available to anyone able to use a search engine.
If I drill down into one of the files containing breach data, I am prompted to sign up. The choices are either 50 free daily lookups or 200 daily lookups using a paid Researcher account (EUR2,500 a year), along with a number of other features.
The Intelligence X website also provides a detailed blog, along with excellent examples of the type of data that I will cover shortly. One post from 2020 [3] refers to a dataset from a breach containing:
- 160GB of data
- 10+ million selectors
- 29,791 active .gov domains
- 13,208 active .mil domains
Intelligence X's web crawlers apparently only took 24 hours to gather that volume of data, which is as staggering as it is worrying. The blog mentions neatly storing such data within a new category that the site recently created to encompass all public data from .gov and .mil domain names. This level of data capture hopefully illustrates the pace at which large datasets can be created and made available to attackers.
Data, Data, Data
Now that I've covered accessing data breach content from freemium services, I'll move on to a sample breach file from the 000webhost data breach (named after the compromised company involved), which can be easily found on Daniel Miessler's GitHub page [4]. I'm confident, however, that this file is also available from multiple locations online if you look for it. Listing 1 shows the first 10 lines from Miessler's sample 000webhost data breach file. This data breach [5] affected a gobsmacking 13 million users in 2015.
I will use the passwords from Listing 1 as a test example to explain credential stuffing. (If you are not keen on using these, Miessler's GitHub account [6] provides other options.)
Listing 1
000webhost Breach File Excerpt
1qaz2wsx
306187mn
rados1
newyork911
abc123
taqiyudin100587
wjr5443
nana0428
1992jp
bahamut24ritter
Putting the Parts Together
Imperva [7], the cybersecurity company, explains credential stuffing as "a cyberattack method in which attackers use lists of compromised user credentials to breach into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services." It is worth repeating again: Reusing passwords for multiple services helps attackers with their goals when it comes to credential stuffing.
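The defensive flip side of a breach file like Listing 1 is to use it as a denylist: a service can refuse any new password that already appears in a breach corpus, which blunts both reuse and the password half of a stuffing list. The following is an added example, not code from the article or from any of the services it mentions. It uses the ten Listing 1 passwords as a stand-in corpus and mirrors the k-anonymity range-lookup model of the Pwned Passwords API (the client hashes with SHA-1, sends only the first five hex characters, and matches the rest locally); the server side here is a local function, the `example.test` style names and the 12-character minimum are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed denylist: the ten passwords from Listing 1 stand in for a
# breach corpus. A real deployment would load a far larger list.
BREACH_CORPUS = [
    "1qaz2wsx", "306187mn", "rados1", "newyork911", "abc123",
    "taqiyudin100587", "wjr5443", "nana0428", "1992jp", "bahamut24ritter",
]
MIN_LENGTH = 12  # assumed local policy, not a figure from the article


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest a Pwned Passwords range lookup keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Bucket hashes by their first five hex characters. The bucket, not the
    full hash, is what a k-anonymity range lookup asks for."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in corpus:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_response(prefix):
    """Local stand-in for the server side of a range query: every known
    suffix under `prefix` as 'SUFFIX:COUNT' lines (the shape HIBP returns)."""
    bucket = RANGE_INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def is_breached(password):
    """Client side: only the 5-character prefix leaves the client; the
    remaining 35 characters are compared locally, so the server never
    learns which password was checked."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_response(prefix).splitlines():
        known_suffix, _count = line.split(":", 1)
        if known_suffix == suffix:
            return True
    return False


def check_new_password(password):
    """Return the reasons a proposed password should be rejected (empty if OK)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("1qaz2wsx", "abc123", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate) or "accepted")
```

The prefix bucketing matters because a naive implementation would send the full hash (or worse, the password) to a third party at every password change; with five hex characters the server sees one of only 1,048,576 buckets, each holding many unrelated hashes.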
What I haven't said is probably the scariest part, however. One of the reasons why credential stuffing is so successful is because of the way that online services protect themselves against a user entering their password incorrectly on multiple occasions.
Most people will be familiar with the dreaded "Your account has been locked, please contact Support" message seen after getting their password wrong three times. When it comes to reusing credentials from a breach, attackers are clever and will only try a username once or twice with a password before moving on to the next username in order to avoid locking out lots of accounts and potentially raising an alarm. This is only possible at scale due to the massive amount of data from breaches available online. By making use of automated bots, it's possible to simply feed them with ongoing content (in the form of usernames and passwords) until they successfully log into an account.
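Because a stuffing bot deliberately stays under the per-account lockout threshold, a detector has to look across accounts rather than at one account's failure count. The following is an added example, not code from the article: it classifies login sources from a few constructed authentication log lines (the log format, the `example.test` addresses, the RFC 5737 documentation addresses used as source IPs, and the thresholds are all assumptions) and, for a source that looks like credential stuffing, lists the accounts where it actually succeeded, since those are the ones to reset first.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data).
# 203.0.113.5 behaves like a credential-stuffing bot: many accounts, at most
# two attempts each, almost all failures, one success.
# 198.51.100.7 hammers a single account (classic brute force, trips lockout).
# 192.0.2.44 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 user=alice@example.test result=fail
2024-05-01T09:00:02Z src=203.0.113.5 user=bob@example.test result=fail
2024-05-01T09:00:02Z src=203.0.113.5 user=bob@example.test result=fail
2024-05-01T09:00:03Z src=203.0.113.5 user=carol@example.test result=fail
2024-05-01T09:00:03Z src=203.0.113.5 user=dave@example.test result=success
2024-05-01T09:00:04Z src=203.0.113.5 user=erin@example.test result=fail
2024-05-01T09:00:04Z src=203.0.113.5 user=frank@example.test result=fail
2024-05-01T09:00:05Z src=203.0.113.5 user=grace@example.test result=fail
2024-05-01T09:00:05Z src=203.0.113.5 user=heidi@example.test result=fail
2024-05-01T09:00:06Z src=203.0.113.5 user=ivan@example.test result=fail
2024-05-01T09:00:06Z src=203.0.113.5 user=judy@example.test result=fail
2024-05-01T09:01:00Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:01:01Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:01:02Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:01:03Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:01:04Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:01:05Z src=198.51.100.7 user=alice@example.test result=fail
2024-05-01T09:02:00Z src=192.0.2.44 user=bob@example.test result=fail
2024-05-01T09:02:05Z src=192.0.2.44 user=bob@example.test result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


def parse_events(log_text):
    """Yield (src, user, success) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "success"


def classify_sources(log_text, min_users=5, max_per_user=2, min_fail_ratio=0.8):
    """Label each source IP by its login pattern.

    credential_stuffing: at least `min_users` distinct accounts, no account
        tried more than `max_per_user` times (staying under lockout), and a
        failure ratio of at least `min_fail_ratio`.
    brute_force: a single account, many attempts, high failure ratio.
    normal: anything else.
    """
    per_src = defaultdict(lambda: {"total": 0, "fails": 0,
                                   "per_user": defaultdict(int), "ok": []})
    for src, user, success in parse_events(log_text):
        s = per_src[src]
        s["total"] += 1
        s["per_user"][user] += 1
        if success:
            s["ok"].append(user)
        else:
            s["fails"] += 1

    verdicts = {}
    for src, s in per_src.items():
        distinct = len(s["per_user"])
        busiest = max(s["per_user"].values())
        fail_ratio = s["fails"] / s["total"]
        if distinct >= min_users and busiest <= max_per_user and fail_ratio >= min_fail_ratio:
            label = "credential_stuffing"
        elif distinct == 1 and s["total"] >= 5 and fail_ratio >= min_fail_ratio:
            label = "brute_force"
        else:
            label = "normal"
        verdicts[src] = {
            "label": label,
            "distinct_users": distinct,
            "fail_ratio": round(fail_ratio, 2),
            # Accounts the stuffing source logged into: reset and review these.
            "compromised": sorted(set(s["ok"])) if label == "credential_stuffing" else [],
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(src, verdict)
```

Grouping by source IP is the simplest key and is enough for the single-bot case in the sample; a botnet spreading attempts across thousands of addresses will not trip the per-source rule, so the same statistic (many distinct accounts, one or two failures each, in a short window) is worth computing fleet-wide as well, alongside signals such as a surge in distinct usernames that do not exist at all.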
So far, I only have passwords from the 000webhost breach data, but I obviously need usernames or, more commonly, email addresses that are used as usernames, in order to try and log into an online service. Miessler's GitHub repository also has a mountain of usernames available [8], including lists of popular male [9] and female names to try in the username field during an attack.
You can try password lists to successfully stuff credentials into an online service's login page, but you need valid usernames or email addresses for that particular service to have a much better chance of success. Otherwise, there is little point in trying a couple of passwords per user if that account definitely doesn't exist.
This is where OSINT comes in and indeed tools such as Intelligence X. It is possible to discover endless email addresses if you look hard enough for users of a particular site. I'm not saying this is necessarily accurate, but a banner appearing on the Intelligence X splash page, shortly after saying how much Intelligence X respects privacy, mentions that Facebook sells user data to third parties. As you can imagine, that is an online service with a massive dataset that you could search through for valid users. Plus, even on the earlier searches for .gov and .mil domain names, email addresses were displayed – more commonly for teams rather than individuals, admittedly, but you get the idea.