There are a lot of headlines around data breaches and how billions of user credentials (usernames and passwords) have been exposed publicly over the last few years. The natural question that comes up is “what do cybercriminals do with these stolen credentials?” Well, apart from using them to attempt logins to the breached website itself, the second most common thing cybercriminals will do with stolen credentials is to use them in an attack called “credential stuffing.”
Credential stuffing is a fairly straightforward technique whereby an attacker uses an automated script or application to iterate through their list of stolen credentials, trying each credential against a target web application or list of applications. Whenever a successful login is found, it is recorded for later use. This works because an estimated 55% of users reuse the same credentials on most, if not all, of the accounts they create.
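The pattern described above has a distinctive footprint in a web application's authentication log: one source tries many different usernames in a short time and mostly fails. The following detector, added here as an example and not code from the original post, runs over a constructed sample log (the log format, the IP addresses and the thresholds are assumptions) and flags sources that match that footprint while leaving a single user who mistypes her own password alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, one attempt per line: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.5 cycles through a breach list (many distinct users, mostly failures, one hit);
# 198.51.100.7 is an ordinary user who mistypes her password once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 jane@example.com OK
2024-05-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.5 carol@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2024-05-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2024-05-01T10:02:10Z 198.51.100.7 jane@example.com FAIL
2024-05-01T10:02:25Z 198.51.100.7 jane@example.com OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.25):
    """Flag source IPs that try many distinct usernames inside `window` with a low success rate.
    A user fumbling a password hits ONE username repeatedly; a stuffing run hits MANY and mostly fails.
    Returns {ip: stats} for the widest matching window seen per IP (thresholds are assumed values)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3] == "OK")
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"attempts": len(win), "distinct_users": len(users), "successes": successes}
    return alerts
```

In production the same per-source counting is usually done on a rate limiter or WAF rather than in batch, and the flagged source's successful logins (here jane@example.com) are the accounts to force a password reset on.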
Let me illustrate further with an example: Jane has a LinkedIn account. Her account credentials were exposed in the massive LinkedIn breach from a few years back. Unfortunately for Jane, she happens to be one of the 55% of users who are reusing the same credentials on pretty much every website she has an account on. After the LinkedIn breach goes public, LinkedIn makes Jane reset her password. However, Jane doesn’t realize that she needs to update her password not just on LinkedIn, but everywhere else she is using it (or perhaps she does, but with an average of 90 online accounts per user, it’s likely she missed some).
Enter Jake. Jake has gained possession of the LinkedIn list of stolen credentials and is a budding cybercriminal. Using an application called Sentry MBA, Jake sets up the LinkedIn list and looks for hits against his favorite shopping site, Amazon. As it so happens, Jane has the same credentials on Amazon as she did on LinkedIn and has left her credit card tied to her account. Once Jake has his list of hits, he starts logging into Amazon accounts looking for ones with home addresses in the same town as him. He happens upon Jane, who fits the bill. The next thing you know, Jake has ordered some pricey items using Jane’s Prime account and lies in wait outside Jane’s house on the day of delivery to snatch the parcels once they are delivered, all before Jane even knows the order was placed.
This is just one example of a credential stuffing attack and the negative outcomes that can follow. Imagine if instead of focusing on Amazon, Jake had instead tried to use those credentials to log into Jane’s employer’s corporate account.