compromised credential attacks

Compromised credential attacks are a kind of cyber-attack in which malicious actors use lists of compromised credentials to attempt to log into a wide range of online accounts. The goal of the attack, like so many others, is to steal personal/financial information from the compromised account or to take it over altogether. Because authentication is typically achieved via APIs, this kind of attack is a significant threat to API security.

Compromised credential attacks rely on the fact that many people use the same password across multiple accounts. When an organization is hit with a large-scale credential stuffing attack, there isn’t much it can do beyond disabling accounts and requiring users to change their logon credentials.

This post looks at how compromised credential attacks work and what can be done to avoid them.

How do compromised credential attacks work?

In many ways, compromised credential attacks are similar to brute-force attacks, but they differ in a few key ways. In a brute-force attack, the attacker uses an application to automate the cracking of the password by trying many thousands of possible passwords per minute.

Credential stuffers, on the other hand, already have a list of previously cracked and de-hashed passwords that were compromised through various means, such as data breaches, phishing, malware or keyloggers, etc.

In a compromised credentials attack, the attackers won’t manually attempt to log into all the accounts on their lists. Instead, they use an automation tool referred to as  brute-force checkers — small applications that automate logging into the accounts, typically from varying IP addresses, to provide some obfuscation to the attackers.

These checkers can use leaked usernames and passwords to attempt logins on many different sites, apps, and services. Because many people use the same password across multiple accounts, attackers can break into any accounts that share a password. These tools can also automatically steal the user’s personal/financial information, adding value to the compromised credentials.

Risks of compromised credentials attacks

The risks associated with compromised credentials attacks are the same as those associated with someone obtaining your credentials for a given account. An ill-intentioned person armed with your valid credentials could:

  • Lock you out of your account
  • Steal your personal/financial information
  • Deface your account/page
  • Modify your information
  • Make purchases in your name
  • Shut down your account
  • Sell your credentials on the dark web
  • Send messages in your name (if it’s an email or messaging account)
  • And more…

You can add anything related to an online account takeover to the above list.

Common attack flow scenario

In a typical compromised credential attack, the attackers could proceed as follows:

  1. The attackers would start by performing reconnaissance of their target and its API to study it, understand how it works, and identify any flaws they may exploit.
  2. They would also get their hands on lists and databases of previously compromised passwords — many of which may still be valid.
  3. The attackers then configure their automation tool, which will be throttled, to feed the compromised credentials in a way that mimics regular human or business activity.
  4. Once the automation tool is properly configured, they launch an attack against the login API, usually from various locations, to avoid detection.
  5. The attackers then track their login successes and failures.

Examples of compromised credential attacks

Compromised credential attacks are relatively easy to pull off insofar as one doesn’t need extensive programming skills to mount one. Because of that, compromised credential attacks are pretty common.

23andMe

In late 2023, the genetic testing firm 23andMe confirmed that data relating to millions of its customers had been stolen as a result of a credential stuffing attack. The stolen data included names, profile photos, gender, date of birth, genetic ancestry results, and geographical location.

A 23andMe spokesperson suggested that users’ login credentials “may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

PayPal

In December 2022, thousands of PayPal accounts were compromised in a compromised credential attack. Breaches of other, unrelated, sites gave attackers access logon credentials that they subsequently used to access almost 35,000 PayPal accounts.

Nevertheless, PayPal said that it had no information suggesting that the customers data was “misused as a result of this incident.” Users targeted by the attacks were offered a free two-year subscription to Equifax’s identity monitoring service.

Note that PayPal users can easily prevent compromised credential attacks by activating two-factor authentication (2FA) in the “Account Settings” menu.

Nintendo

In 2020, Nintendo fell victim to a compromised credential attack that compromised over 160,000 user accounts. In this case, the checker tool was able to extract billing and account information, including their credit card type (Visa, MasterCard, etc.), their credit card expiration date, as well as the first six digits and the last four digits of their credit cards.

This attack resulted in thousands of Nintendo customers having their accounts taken over, and many also incurred some financial losses.

Zoom

Also in 2020, Zoom was hit with a compromised credential attack that compromised 500,000 Zoom user accounts. In this case, the attackers scraped or purchased lists of compromised credentials from previous breaches dating back to 2013.

Suspecting that many, if not most, reuse the same passwords on many online accounts, the attackers’ checker was able to confirm that at least 500,000 Zoom users were in this unenviable position.

Marriott International

In 2020 yet again, Marriott International suffered a massive data breach as a result of a compromised credentials attack. This breach compromised the accounts of 5.2 million Marriott customers, exposing their contact information, gender, date of birth, and loyalty account information.

The attacker used the login credentials of two Marriott employees, presumably obtained through a mix of phishing and credential stuffing, to collect Marriott customers’ information for an entire month before raising suspicion.

Uber

In October 2016, ride-sharing service Uber suffered an even bigger data breach that exposed the personal information of 57 million Uber users and drivers. It took Uber over a year to disclose the breach. It even went as far as paying the hackers responsible for the breach a cool 100K to delete the data and keep the breach quiet.

Wow — that’s not exactly the definition of “responsible”… The breach exposed the names, email addresses, and phone numbers of Uber customers and drivers and the license plate numbers of roughly 600,000 drivers.

How to defend against compromised credential attacks

The way to defend against compromised credential attacks will depend on whether you’re an organization or an internet user. We will, of course, cover both.

For organizations

Force the use of multi-factor authentication (MFA)

A large part of the success of compromised credential attacks relies on human error, reusing the same passwords on multiple accounts, creating weak passwords to begin with, or both. Multi-factor authentication is one of the best ways to mitigate human error.

MFA or 2FA (multi-factor vs. two-factor) requires something you know (your credentials) and something you have (a device providing a one-time password (OTP)) for you to be authenticated and allowed to log in. Because the OTP will be different with every log in, MFA or 2FA can thwart a compromised credential attack.

It will be up to each organization’s IT Security teams to determine if this practice should be applied across the organization or only in certain circumstances deemed of higher risk. That could be logins from specific locations or unknown IP addresses. Your IT Security teams can configure access control lists (ACL) and blocklists to enforce those controls.

Disallow previously compromised passwords

It’s possible to integrate lists of compromised passwords into your authentication systems such that if one of your users ever sets up a known compromised password, the password is rejected and they get prompted to choose another. Such lists, as well as information on integrating the list into your authentication systems, can be found on haveibeenpwned.com.

Implement CAPTCHAs for logins

You can require users to solve a CAPTCHA in order to be authenticated and allowed to log in. CAPTCHAs can help to prevent compromised credential attacks by slowing them down significantly.

However, CAPTCHAs are not a robust security measure, as they can be bypassed fairly easily if a seasoned attacker has the right tools. CAPTCHAs are only really helpful as a part of a larger security strategy. Also, remember that CAPTCHAs will also significantly slow down your workforce. So it might make more sense to only implement CAPTCHAs in more suspicious circumstances as with MFA above.

Configure and use an AI-based Intrusion Detection System (IDS)

Traditional IT defenses typically have a hard time detecting suspicious behavior. That’s because of their binary nature. They refer to the account’s permissions or an Access Control List (ACL) and choose between “one” and “zero,” which translates into “grant access” or “deny access.”

But we do have systems available today that can scan for and identify out-of-the-ordinary events. Those systems use AI-powered tech, which has made gargantuan strides in recent years to achieve that.

With an AI-based IDS, you can “teach” it via machine learning to identify “normal” behavior patterns over your network and use that as a baseline for detecting outlier events. That is typically referred to as behavioral analytics. And with a bit of training, your AI-powered IDS will be able to detect suspicious behavior and may well save you from a compromised credential attack.

Use IP address blocklists

There tend to be two ways that organizations use IP address blocklists. And you should probably combine them. The first is by downloading or purchasing malicious IP address lists and using those lists as your block list. These lists are composed of known malicious IP addresses, so there’s really no reason to allow those IPs over your network.

The second way blocklists are used is more dynamic and is based on detecting a certain number of failed login attempts. If a user attempts and fails to log in, say three times, their IP address is added to the block list, and so is their access. This second type of blocking tends to be temporary to avoid permanently locking out legitimate users. You can implement both of these blocklist strategies simultaneously – which is recommended.

Device or browser fingerprinting

This is a bit of an odd one because device or browser fingerprinting is usually discussed from an online privacy perspective. Advertisers fingerprint your device to track your internet activities without cookies (as many people block third and first-party cookies these days). However, device fingerprinting can also help defend against compromised credential attacks.

Device fingerprinting combines certain device attributes, such as the operating system it is running, the web browser user agent, the device’s language settings, the available fonts on the device, and the IP address, among other attributes. This is done to uniquely identify the device or, if you will, to create a fingerprint of that device.

The device fingerprint can then be compared to any browser trying to log into the account in question. If they don’t match, the user can be prompted for additional information to authenticate them. Prompting your users for additional information makes more sense than outright blocking devices when they don’t match the fingerprint. That’s because your users are likely to use multiple devices or browsers, so immediately blocking a device that doesn’t match the fingerprint may not be the most practical approach.

For users

These really are common-sense tips that you should always follow as they can help you avoid various online threats. Nonetheless, the first four points relate directly to compromised credential attacks. And the following two points are directly related to mitigating phishing attacks, which can lead to credential-based attacks.

  • Use strong and complex passwords – It might seem ludicrous, but vast numbers of people still use passwords such as “123456” and “password” as their passwords. The more complex your passwords are, the less likely you are to fall victim to credential-based attacks. That will always be your first line of defense in a credential-based attack. Use our password generator to quickly produce a secure password.
  • Never reuse the same password for multiple accounts – That’s like having multiple houses with the same lock on them. One key could unlock all of your homes. You probably wouldn’t do that with houses – so don’t do it with your online accounts. The same logic applies. Do not reuse the same password for multiple accounts.
  • Set up Two-factor authentication (2FA) on all accounts that support it2FA is a great way to make it more difficult for malicious actors to abuse your credentials. There’s a good chance that the credential stuffing attackers’ automation tool (to automatically log in to compromised accounts) won’t be able to get around it. For other online attacks, having 2FA enabled may well discourage an attacker from pursuing their attack once they see they have to deal with 2FA.
  • Use a password manager – Think that setting up complex passwords for all your accounts will make things unmanageable for you and be too difficult to remember? It might if you’re not using a password manager. A password manager is a small app that contains a database of all your passwords, so you don’t need to remember them. You simply need to remember the master password to unlock your database. Once unlocked, you have access to all of your complex passwords. Some password managers also contain password generators that will automatically generate complex passwords for you. Many password managers also have autofill capabilities, so you don’t need to copy and paste them manually. That’s particularly useful on mobile devices. One small caveat, I wouldn’t recommend online password managers; the server that hosts your passwords could always be hacked. Go for a good offline password manager. There are plenty of them.
  • Don’t open attachments in emails unless you’re sure you know who the sender is and you’ve confirmed with that person that they really did send you that email. You should also make sure they’re aware the email contains an attachment and know what the attachment is.
  • Don’t click links (URLs) in emails unless you’re able to confirm who sent you the link and what its destination is. It might also be good to contact the sender through another channel (not email) to make sure the sender is not being impersonated. Once you’ve done that, you should scrutinize the link. Is it an HTTP or an HTTPS link? The overwhelming majority of legitimate websites use HTTPS today. Also, check the link for incorrect spelling (faceboook instead of facebook or goggle instead of google)? If you can get to the destination without using the link, do that instead.
  • Use a firewall – Built-in incoming firewalls are found on all major operating systems. And all commercial routers on the market provide a built-in NAT firewall. Enable both. You’ll thank me if you click a malicious link.
  • Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and set it up to run frequent scans.
  • Keep your operating system updated – You want the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Make sure you install them as soon as they’re available.
  • Never click on pop-ups. Ever. Pop-ups are just bad news – you never know where they take you.
  • Don’t give in to “warning fatigue” if your browser displays yet another warning about a website. Web browsers are becoming more secure with every passing day, which tends to raise the number of security prompts they display. Still, you should take those warnings seriously. So if your browser displays a security prompt about a URL you’re attempting to visit, pay attention to your browser’s warning and get your information elsewhere. That’s especially true if you clicked a link you received by email or SMS – it could be sending you to a malicious site. Do not disregard your computer’s warning prompts.

Wrap-up

Compromised credential attacks will continue to thrive in the computer world as long as businesses need to rely on passwords and other weak authentication methods. In defending against credential stuffing attacks, the goal is to make the process of obtaining credentials as difficult as possible and to slow it down as much as possible.

Weak passwords and password reuse are the biggest culprits here, and that causes serious security issues across organizations. A weak or reused password will eventually be compromised — it’s only a matter of time as there’s no shortage of attackers. Hopefully, you and your organization can steer clear of credential stuffing attacks by applying the practices listed above.