Looking back on 2023, the question of how to mitigate credential stuffing attacks comes up quickly. Industry reports point to the same trend: the cost and impact of data breaches that begin with compromised credentials keep rising.
IBM's 2023 Cost of a Data Breach Report put the global average cost of a breach at $4.45 million, a 15% increase over the preceding three years. The mean time to identify a breach also remains high, measured in months rather than days, which leaves attackers ample time to use stolen credentials before anyone notices.
Compounding the problem is the sheer volume of attacks. From June to August 2023 alone, BlackBerry Cybersecurity Solutions reported stopping over 3.3 million cyberattacks, a measure of the relentless pressure organizations face. Stolen credentials often serve as the initial entry point: once inside, attackers move laterally, escalate privileges, and carry out whatever scheme they came for.
Verizon's 2023 Data Breach Investigations Report (DBIR) examines how often stolen credentials figure in a wide range of attack types. Many organizations describe themselves as victims of "highly sophisticated cyberattacks," but the root cause is often as basic as an exposed password or a credential stuffing attack. Widespread password reuse, combined with the steady stream of breached credential dumps, makes it easier than ever for threat actors to gain a foothold in an organization's environment.
Use of stolen credentials topped the list of attacker actions, appearing in over 40% of the 4,354 incidents reported. That figure has stayed stubbornly high year over year, which suggests that most organizations still have not put effective countermeasures in place.
Credential stuffing is an attack in which attackers take username and password pairs stolen in one breach and use automated tools to try ("stuff") them, at scale, against the login forms of other websites or online services. Unlike a brute-force attack, no guessing is involved: each pair is already a valid credential somewhere, so the attacker only needs to find where else it works. The attempts are typically spread across many proxy IP addresses to evade per-IP rate limits.
It succeeds because most users reuse credentials across accounts and devices. One breach of a single credential database therefore threatens many organizations and many people at once.
The central question facing IT administrators is, of course, how to defend against these attacks. First, Multifactor Authentication (MFA) isn't a silver bullet. Verizon's DBIR and IBM's Cost of a Data Breach report both point to the same trend: MFA raises the bar, but it is not invincible. An attacker who cannot satisfy the second factor can instead steal the already-authenticated session, via session hijacking or cookie theft, and such attacks have been increasing in recent years. Pair compromised credentials with session hijacking and you have a data breach.
Addressing the scourge of credential stuffing requires a multifaceted approach grounded in education, protection, detection, and response.
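The detection part of that approach, as an added example that is not part of the original article: a Python script that runs a credential-stuffing heuristic over authentication log lines. The log format, IP addresses, usernames and thresholds are all constructed for the example. It looks for the two signals a stuffing campaign leaves behind: one source address attempting many distinct accounts with a low success rate (a tool working through a leaked list), and one account attempted from many source addresses (the same attack spread across proxies to evade per-IP rate limits). A user who mistypes their own password a few times is included to show that the heuristic does not flag ordinary failures.

```python
"""Credential-stuffing heuristics over authentication logs (added example).

Log format is hypothetical: "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays eight different accounts in a few
# seconds and gets one hit; 198.51.100.20 is a real user fumbling a password;
# judy is attacked from five different addresses (distributed stuffing).
SAMPLE_LOG = """\
2023-11-02T10:00:01Z 203.0.113.7 alice FAIL
2023-11-02T10:00:02Z 203.0.113.7 bob FAIL
2023-11-02T10:00:03Z 203.0.113.7 carol FAIL
2023-11-02T10:00:04Z 203.0.113.7 dave FAIL
2023-11-02T10:00:05Z 203.0.113.7 erin FAIL
2023-11-02T10:00:06Z 203.0.113.7 frank FAIL
2023-11-02T10:00:07Z 203.0.113.7 grace FAIL
2023-11-02T10:00:08Z 203.0.113.7 heidi SUCCESS
2023-11-02T10:05:00Z 198.51.100.20 ivan FAIL
2023-11-02T10:05:10Z 198.51.100.20 ivan FAIL
2023-11-02T10:05:20Z 198.51.100.20 ivan FAIL
2023-11-02T10:05:30Z 198.51.100.20 ivan SUCCESS
2023-11-02T10:10:00Z 192.0.2.1 judy FAIL
2023-11-02T10:10:01Z 192.0.2.2 judy FAIL
2023-11-02T10:10:02Z 192.0.2.3 judy FAIL
2023-11-02T10:10:03Z 192.0.2.4 judy FAIL
2023-11-02T10:10:04Z 192.0.2.5 judy FAIL
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the hypothetical log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class SourceFinding:
    ip: str
    distinct_users: int      # peak distinct usernames seen within one window
    success_ratio: float     # successes / attempts over the whole log
    compromised: set = field(default_factory=set)  # accounts the source got into


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        # Sliding window over this IP's events, tracking peak distinct usernames.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({e.user for e in evs[start:end + 1]}))
        ratio = sum(e.ok for e in evs) / len(evs)
        if peak >= min_users and ratio <= max_success_ratio:
            findings[ip] = SourceFinding(ip, peak, ratio,
                                         {e.user for e in evs if e.ok})
    return findings


def find_targeted_accounts(events, min_ips=4):
    """Flag accounts that see failed logins from many different source IPs."""
    ips_per_user = defaultdict(set)
    for e in events:
        if not e.ok:
            ips_per_user[e.user].add(e.ip)
    return {u: ips for u, ips in ips_per_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_stuffing_sources(evs).values():
        print(f"stuffing source {f.ip}: {f.distinct_users} accounts, "
              f"success ratio {f.success_ratio:.2f}, compromised {sorted(f.compromised)}")
    for user, ips in find_targeted_accounts(evs).items():
        print(f"targeted account {user}: {len(ips)} source IPs")
```

The thresholds are the part to tune per environment: a corporate SSO portal sees far fewer distinct usernames per source than a shared NAT gateway does, and a successful login that follows a spray from the same source (heidi above) is the event worth paging on, since it is the credential the attacker has now confirmed.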
Passwords aren't going away any time soon, and human behavior around them is unlikely to change abruptly either. The threat landscape demands that we meet users where they are and address the problem from a practical standpoint.
Organizations looking to reduce their exposure have many tools at their disposal, and the ethos of defense in depth applies: no single control stops credential stuffing, so the goal is a layered strategy in which each layer catches what the previous one missed. Typical layers include screening new and existing passwords against lists of weak and breached credentials, rate limiting and bot detection on login endpoints, MFA, and monitoring of login telemetry for stuffing patterns such as many distinct usernames from one source. Applied together, these layers sharply reduce the success rate of credential stuffing attacks without degrading the user experience.
Because a single compromised credential can precipitate a broader security incident, organizations should treat this defense as a priority. Screening for weak, reused, and compromised credentials in particular removes the raw material the attack depends on, at little cost to users.
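Screening a candidate password against breach data, as an added example that is not code from the article or from the paper it cites: a Python implementation of the k-anonymity range-query pattern used by Pwned Passwords-style services, run against a small constructed breach corpus so that it works offline. The corpus, its counts and the 12-character minimum are assumptions for the example. The point it shows is that the client hashes the password locally, sends only the first five hex characters of the SHA-1 to the screening service, and matches the remaining suffix itself, so the service never sees the password or its full hash.

```python
"""k-anonymity compromised-password screening (added example)."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# A real deployment would use an actual compromised-password dataset; these
# entries and counts are made up for the example.
LEAKED_PASSWORDS = {
    "password": 120_000,
    "123456": 450_000,
    "letmein": 9_800,
    "qwerty": 210_000,
    "iloveyou12345": 37,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest format the range protocol works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket the corpus by the first 5 hex chars of each hash."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def range_query(index, prefix):
    """Server side: answer a range query. All the server ever receives is the
    5-character prefix, which identifies one of 16**5 (about a million) buckets."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def breach_count(index, password):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_query(index, prefix).get(suffix, 0)


def screen_password(index, password, min_length=12):
    """Return (accepted, reason). Rejects short or breached passwords."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(index, password)
    if n:
        return False, f"seen {n} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ("password", "iloveyou12345", "correct horse battery staple"):
        print(candidate, "->", screen_password(idx, candidate))
```

The same server-side index can be built from a real breach list, and the check runs at password set or change time as well as periodically against stored hashes. Because the prefix carries only 20 bits, a screening service logging every query still learns almost nothing about any individual password, which is what makes it safe to call an external service from the password-change path at all.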
To learn more, review the paper, “A Guide to Mitigating Credential Stuffing Attacks”.
AUTHOR
Bronwen Hudson
Bronwen is a technical writer, community manager, and technology enthusiast. When she’s not reading and writing she can be found playing roller derby, talking about roller derby, and thinking about roller derby!