F5 annual Credential Stuffing Report 2021 indicated that credential spill incidents nearly doubled from 2016 to 2020. Contrarily there was a recorded 46% reduction in the volume of credentials spilled during the same period.
Credential stuffing involves exploiting compromised username and/or email and password pairs to perform account takeovers. The report found that credential stuffing attacks became the preferred intrusion method instead of HTTP attacks.
The researchers analyzed 9 billion credentials obtained from thousands of data breaches and posted on dark web forums at the start of January 2019.
They also studied 72 billion login transactions of customers from four Fortune 500 organizations, including two banks, a retailer, and a food and beverage company. F5 researchers used Shape Security technology to ‘trace’ the stolen credentials from when they were pilfered, sold, and used.
Key findings of credential stuffing report
Since 2016, the average spill size fell from 63 million to 17 million in 2020. The same period recorded a median spill size of 2 million, a 234% increase from 2019, and the highest since 2016 (2.75 million).
The storage of plaintext passwords was responsible for most credential spills at 42.6%. Unsalted SHA-1 passwords followed at about 20%, bcrypt 16.7%, salted SHA-2, 0.8%, and MD5 at 0.4%. Surprisingly, using MD5, which is known as a weak algorithm, was still common but responsible for fewer spills.
Organizations were also slow in detecting cyber intrusions, with an average time for discovering credential spills being 327 days. The median time was 120 days, while the longest period was six and a half years (2,335 days). Stolen credentials were usually detected on the dark web before the affected organizations disclosed the breach.
The report also found that sophisticated attackers were using fuzzing techniques to increase credential exploit success rate. They repeatedly tested parsers with modified inputs to discover vulnerabilities.
Additionally, stolen credentials were frequently used for legitimate transactions and attacks. About 900 million compromised credentials were used for transactions and attacks on four websites.
Similarly, compromised credentials were used for transactions at two monitored banks at 34% and 24%, respectively. They were also used at the monitored retail business and the food and beverage outlet at 10% and 5%, respectively.
Five phases of stolen credentials’ abuse
The F5 report suggested that there are five phases for abuse of stolen credentials.
Slow and quiet: threat actors stealthily exploited compromised credentials for a month before disclosing the breach. Each credential was exploited on average 15-20 times daily across four websites.
The ramp-up: Within 30 days before the public announcement, usernames and passwords started circulating on the dark web. The number of attacks per day increased as more attackers accessed the stolen credentials.
The blitz: Amateur threat actors such as ‘script kiddies’ began exploiting the credentials across various web properties. Each user account experienced an average of 130 attacks per day.
The drop off/new equilibrium: Each username experienced about 28 attacks per day after the first month. Novice attackers continue targeting high-value web properties using stale credentials.
Reincarnation: Criminals repackaged a subset of valid credentials extending their shelf life.
The report authors noted that credential stuffing attacks would continue to pose significant risks as long as users are required to log into accounts.
“If you are worried about getting hacked, it’s most likely going to occur from a credential stuffing attack,” said Sara Boddy, senior director of F5 Labs.
Mitigating the risks associated with credential stuffing attacks
The credential stuffing report posits that “there are two types of companies—those that acknowledge the threat of credential stuffing and those that will be victims of it.”
Promoting the use of unique passwords would help reduce the risk of account takeovers through credential stuffing, according to F5.
The researchers also advised organizations not to limit the length of passwords (entropy) that users can create. This limitation reduces the number of possible combinations, leading to weak passwords.
Preventing users from recycling compromised passwords would also protect accounts from credential stuffing attacks.
Similarly, reducing feedback on failed logins prevents attackers from knowing which element of the credentials is incorrect. For example, notifying users that “that username does not exist” during failed login attempts helps them modify their attacks.
Monitoring login patterns, success rates, and location changes, and extending signal collection beyond a single organization, would also help to block attempted credential stuffing attacks.
“The recent report from F5 on the state of credential theft volumes and their use in cyberattacks over the last four years is interesting, and shows many organizations are still not following industry best practices for securing user credentials,” says Saryu Nayyar, CEO of Gurucul.
She noted that credential theft was expensive in terms of lost revenues, mitigation costs, and the loss of customer trust, which could not be determined.
“Preventing or blunting attacks before they lead to a major breach is generally much less expensive than suffering the fallout from an attack,” Nayyar continued. “By following best practices and making sure the organization’s security stack is up to date, including MFA, security analytics, and other technical measures, organizations reduce their risk of being breached in the first place, and can prevent extensive damage.”
“These statistics paint a useful picture of the crisis we’re in, but they also show that too many organizations are still running ad hoc and expanding the problem because they don’t know in a timely way when breaches happen,” lamented Chloé Messdaghi, Chief Strategist at Point3 Security.
Messdaghi says that organizations should enforce stricter password policies to protect the organizations and the users. She warns users against reusing passwords across accounts.
Users should also utilize password managers, and enable both SMS and app-based multifactor authentication.
“Third, security must be embedded during site development. If an organization is using open source code, they need to invest in scanning to ensure that it’s safe, and remember that anything you use for free needs an investment behind it.”
She also advises companies to invest in detection tools, backups, and encryption, all of which are crucial during the software development process.