Dark Web Data Fuels Credential Stuffing Trouble for 1.1 Million Accounts

Credential stuffing is making headlines after New York Attorney General Letitia James announced the results of a sweeping investigation into cybercrime. That investigation by the Office of the Attorney General (OAG) of New York unearthed more than 1.1 million online accounts that had been compromised in cyberattacks at 17 well-known companies. It is a good example of the danger that password problems pose to businesses, and of how easily cybercriminals can exploit those problems with data from the dark web.

The Open Web Application Security Project (OWASP) defines credential stuffing as “the automated injection of stolen username and password pairs (‘credentials’) into website login forms, in order to fraudulently gain access to user accounts,” further defining it as a subset of the brute force attack category. In other words, cybercriminals throw spaghetti at the wall until they find something that sticks: they gather stolen usernames and passwords from dark web sources and try them rapid-fire at a login portal until they hit the jackpot.

Credential stuffing is dangerous because it is relatively easy to pull off. It is not a highly skilled operation, nor is it expensive to set up. Tools can easily be bought or obtained for free. In this scenario, instead of taking the time to obtain password aggregations and hunt for the golden ticket to a website they’d like to get into, cybercriminals just have to use an automated tool to flood its login portal with known compromised credentials until something clicks, and those credentials aren’t hard to find. Historically, credential stuffing has a low success rate, with estimates ranging between one and three percent, but that isn’t much of a deterrent.
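The pattern described above (one source, many different usernames, a success rate of only a few percent) is also what makes credential stuffing detectable in login logs. The following is an added example, not code from the original article: the event format `(source_ip, username, success)`, the function names and the thresholds are all assumptions to tune against real traffic.

```python
from collections import defaultdict

def flag_stuffing_sources(events, min_attempts=50, min_distinct_users=40,
                          max_success_rate=0.05):
    """Return {source: stats} for sources whose logins look like credential
    stuffing: many attempts spread over many distinct usernames with a very
    low success rate. Thresholds are assumed defaults, not standards."""
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)
    for source, username, ok in events:
        name = username.lower()
        attempts[source] += 1
        users[source].add(name)
        if ok:
            successes[source] += 1
            hits[source].add(name)
    flagged = {}
    for source, total in attempts.items():
        rate = successes[source] / total
        if (total >= min_attempts
                and len(users[source]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[source] = {
                "attempts": total,
                "distinct_users": len(users[source]),
                "success_rate": rate,
                # Accounts that authenticated from a flagged source should
                # get a forced password reset and session revocation.
                "compromised": sorted(hits[source]),
            }
    return flagged

def build_sample_events():
    """Constructed sample data; addresses are RFC 5737 documentation ranges."""
    events = []
    # Stuffing pattern: 100 distinct usernames, one try each, 2 hits (2%).
    for i in range(100):
        events.append(("203.0.113.7", f"user{i}@example.com", i in (17, 63)))
    # Ordinary user: one mistyped password, then a successful login.
    events.append(("198.51.100.20", "alice@example.com", False))
    events.append(("198.51.100.20", "alice@example.com", True))
    # Guessing against a single account: many tries, one username.
    for _ in range(60):
        events.append(("192.0.2.44", "admin@example.com", False))
    return events

if __name__ == "__main__":
    for source, stats in flag_stuffing_sources(build_sample_events()).items():
        print(source, stats)
```

Only the first source is flagged; the single-account guessing source has enough attempts but too few distinct usernames, which is the distinction between credential stuffing and other brute force attempts.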

The New York Attorney General’s statement notes that there are 15 billion stolen credentials in circulation on the internet today, or about 100 passwords per average adult floating around on the dark web. That pool is constantly growing, gaining information that cybercriminals can use. When giant dumps of fresh passwords from events like the RockYou 2021 leak hit the dark web, or the user records of 700M LinkedIn users pop up in a dark web forum, cybercriminals receive ammunition that can be used in future credential stuffing attacks. Plus, credentials are the most desirable data for bad actors to snatch in a data breach.

Most Prevalent Types of Data Stolen in Breaches, per the Verizon Data Breach Investigations Report 2021

  • Credentials: 60%
  • Personally-Identifying Data (PII): 40%
  • Medical Data: 10%
  • Bank Data: 10%
  • Internal Data: 10%
  • Payment Data: 10%

Source: ID Agent
