The Chick-fil-A fast food chain recently confirmed that it suffered a monthslong credential stuffing attack that compromised user accounts. The attack gave hackers access to the personal information and rewards balances of Chick-fil-A customers. The information was being sold on the dark web for up to $200 depending on the payment methods associated with the account and the rewards balance.
Credential stuffing attacks have long been popular among hackers. Although the attacks have a low success rate — only about one cracked account out of 1,000 attempts — hackers make up for it with volume. According to a report from Okta, there were almost 10 billion credential stuffing attempts in the first quarter of 2022 alone. If 0.1 percent were successful, 10 million accounts were compromised.
What’s more, credential stuffing attacks account for 34 percent of login attempts across all industries. Retail/e-commerce has the highest rate of credential stuffing, where it accounts for 80 percent of login attempts.
The Chick-fil-A attack is fairly typical. Hackers use credential stuffing to obtain merchandise, rewards points and information they can sell on the dark web. A report from Recorded Future finds that stolen credentials have become big business as payments from ransomware attacks have dropped.
What Is Credential Stuffing?
When people think of an account takeover, they generally think of a hacker attempting to access a single account with multiple passwords. That is a brute force attack, which can be detected after a certain number of failed login attempts.
A credential stuffing attack involves multiple login attempts on multiple accounts, using credentials typically obtained from the dark web. Because login attempts are sprayed across many systems over a longer period of time, credential stuffing attacks are more difficult to detect and prevent.
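The detection difference described above is easiest to see in login telemetry. The following is an added example (not code from the original article or from any vendor it mentions) that runs two defender-side checks over a constructed set of login events: a per-source check that separates a brute force pattern (many failures against one account) from a single-source stuffing pattern (one failure each against many accounts), and a per-time-window check that still fires when the attempts are spread across many source addresses, which is exactly the case where per-source counting goes quiet. The event format, thresholds, and IP addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed sample values)
    src_ip: str
    username: str
    success: bool


def build_sample_events():
    """Constructed sample login log; not taken from any real system."""
    events = []
    base = 1_700_000_000
    # Brute force: one source hammers one account with many passwords.
    for i in range(12):
        events.append(LoginEvent(base + i, "203.0.113.5", "alice", False))
    # Credential stuffing from one source: one try per account, and the
    # occasional hit because the leaked pair was reused on this site.
    for i in range(12):
        events.append(LoginEvent(base + 100 + i, "198.51.100.7", f"user{i:02d}", False))
    events.append(LoginEvent(base + 113, "198.51.100.7", "bob", True))
    # Distributed stuffing: every attempt comes from a different source,
    # so no single source ever crosses a per-IP threshold.
    for i in range(15):
        events.append(LoginEvent(base + 200 + i * 4, f"192.0.2.{i + 10}", f"cust{i:02d}", False))
    # Benign: a real user mistypes once, then logs in.
    events.append(LoginEvent(base + 300, "10.0.0.2", "carol", False))
    events.append(LoginEvent(base + 305, "10.0.0.2", "carol", True))
    return events


def classify_sources(events, min_failures=10):
    """Per source IP, look at the ratio of distinct accounts to failed attempts.
    Near 0: one account, many passwords (brute force). Near 1: one password per
    account across many accounts (credential stuffing)."""
    failed_names = defaultdict(list)
    for e in events:
        if not e.success:
            failed_names[e.src_ip].append(e.username)
    verdicts = {}
    for ip, names in failed_names.items():
        if len(names) < min_failures:
            verdicts[ip] = "normal"
            continue
        spread = len(set(names)) / len(names)
        if spread <= 0.2:
            verdicts[ip] = "brute_force"
        elif spread >= 0.8:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def detect_distributed_stuffing(events, window=300, min_accounts=10):
    """Aggregate failures per fixed time window regardless of source. Many
    distinct accounts each failing about once in one window is the stuffing
    signature even when every attempt uses a fresh source address."""
    per_window = defaultdict(lambda: defaultdict(int))  # window -> username -> failures
    sources = defaultdict(set)                          # window -> distinct source IPs
    for e in events:
        if e.success:
            continue
        w = e.ts // window
        per_window[w][e.username] += 1
        sources[w].add(e.src_ip)
    alerts = []
    for w, counts in sorted(per_window.items()):
        if len(counts) >= min_accounts and median(counts.values()) <= 1:
            alerts.append({
                "window_start": w * window,
                "accounts": len(counts),
                "sources": len(sources[w]),
            })
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    for ip, verdict in sorted(classify_sources(sample).items()):
        print(f"{ip:16} {verdict}")
    for alert in detect_distributed_stuffing(sample):
        print("window alert:", alert)
```

In the sample, the 15 distributed attempts are each invisible to the per-source check (one failure per address, well under the threshold), but the window check reports 28 distinct failing accounts from 17 source addresses with a median of one failure per account. In production the window threshold should be set against the site's own baseline of failed logins, and the per-account successes that follow a flagged window are the accounts to review first.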
Why is this approach so effective? A recent report from SpyCloud found that 64 percent of users use the same or similar passwords across multiple accounts. They don’t even change their passwords when they find out they’ve been exposed in a reported breach — 70 percent continued to use compromised passwords a year later.
In a nutshell, if hackers steal someone’s credentials from one account, there’s an almost two-thirds chance they’ll be able to use those credentials to access another account. Once an account is accessed, hackers steal personal data and use that information to commit fraud and carry out other high-value attacks. They’ll then dump all the credentials they’ve harvested onto the dark web and the process starts again.
How to Reduce the Risk
The sad fact is that decades of poor password practices won’t suddenly change. Organizations need to establish and enforce a password policy, and implement multifactor authentication to reduce reliance on passwords alone. It’s also important to leverage dark web research to find mentions of the organization and its employees and determine if any related user accounts are for sale.
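Because the attack works by replaying passwords that are already known to be compromised, one enforceable part of a password policy is to reject any new password that appears in a breach corpus, which NIST SP 800-63B recommends alongside a minimum length. The following is an added example, not code from the original article, of that check. The breach corpus is a constructed list; it is indexed by the first five hex characters of the SHA-1 hash, the k-anonymity layout used by range-query breach services, so a live lookup would reveal only the prefix and compare suffixes locally. The rule set (8-character minimum, no username inside the password, not in the corpus) is an assumption for the example.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed breach corpus for the example. In practice this is fed from an
# internal breach-data source or a range query against a breach-lookup service.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "password123",
    "Summer2023!",
    "letmein",
    "CorrectHorseBattery",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format range-query breach services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached hashes by their 5-hex-char prefix. A client can then ask
    for one prefix and test the returned suffixes locally, never sending the
    full hash of the candidate password."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_breached(password: str, index: Dict[str, Set[str]]) -> bool:
    """Range-style lookup: fetch the suffix set for the prefix, compare locally."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_password(username: str, password: str,
                   index: Dict[str, Set[str]], min_length: int = 8) -> Tuple[bool, str]:
    """Apply the policy in order; the first failing rule is reported."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if username.lower() in password.lower():
        return False, "contains the username"
    if is_breached(password, index):
        return False, "appears in a known breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)
    for user, candidate in [("alice", "password123"), ("alice", "letmein"),
                            ("alice", "alice2024xyz"), ("alice", "orbit-velvet-lantern-92")]:
        print(f"{user}/{candidate!r}: {check_password(user, candidate, idx)}")
```

Running the check at password set and reset time closes the reuse gap the SpyCloud figures above describe: a user who keeps a password that has already leaked is refused before the credential can be replayed. Multifactor authentication remains the control that limits the damage when a reused password does get through.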
Of course, all the policies, security tools and dark web research in the world won’t stop every attack, so credential stuffing attacks should be covered in the organization’s incident response plan. If an account is hacked, what data and assets will be exposed? Does that account require access to that information or should access be limited? What fraud detection controls can be used to detect and stop fraudulent financial transactions? What are the processes for validating accounts, resetting credentials, addressing legal and regulatory obligations, and communicating with affected parties?
Although credential stuffing is a serious threat, many attacks can be stopped with the right combination of policy, process and technology. Let us help you improve in all three areas to improve your ability to prevent and respond to credential stuffing attacks.