If you are hanging out on the Dark Web you may already be familiar with credential stuffing and its criminal benefits. What you may not know is how it is leveraged within a longer process in order to deliver its final product, via an underground marketplace, in exchange for money. Credential stuffing takes an input, in this case a database of leaked or stolen user credentials, and turns it into a list of other sites on which those same credentials also work. This list is then put on a marketplace and sold on the Dark Web. Botnets are leveraged along the way in order to stay under the radar.
Data breaches usually result in data ending up in the wrong hands. Account info is acquired, sold, and used before those exposed by the breach have a chance to change their passwords. There is a time limit on how long malicious actors can use that data: once the leak is discovered, the affected accounts get reset or locked and the actor is cut off. That's a problem for a black hat. In addition, the stolen data is only directly useful against the site where the breach occurred. But what if we could extend the usefulness of that initial breach? Credential stuffing does just that.
Let's take a database and run it through the credential stuffing assembly line. A provider's user database becomes exposed and ends up in the hands of a malicious actor. This actor makes a small investment in some automated tools. These tools take the leaked login credentials from our database and replay them against a variety of other platforms in search of a successful login. (This alone is a good reason not to reuse passwords across service providers.) It is here that botnets are used in order to spread the login attempts across many source addresses. Per-IP rate limits and account lockouts are designed to catch one source making many attempts against one account, so an attacker making a single attempt per account from each of thousands of sources slips underneath them. Once a list of working sites and logins is aggregated it is uploaded to a marketplace where the entries are verified and sold. Researchers have observed these automated marketplaces to be bustling, a testament to how effective this money-driven economy is.
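To make the "spread out the login attempts" point concrete, here is an added example (my own code, not from the original post or any tool it mentions) that runs two detection rules over a constructed auth log. The log format, the IP addresses, the usernames and the thresholds are all assumptions made for the demonstration. A per-IP failure counter catches the single-source brute force but sees nothing wrong with the stuffing run, because every botnet node makes exactly one attempt. Fleet-wide statistics still expose it: many distinct source IPs, a high failure ratio, and almost every username tried exactly once, which is the signature of a leaked credential list being replayed rather than one account being guessed at.

```python
import re
from collections import Counter

# Constructed sample auth log (assumption: a simplified key=value format, not
# what any particular service emits). It mixes three kinds of traffic:
#   * normal logins (carol, dave)
#   * a classic brute force: one IP hammering the "admin" account
#   * a distributed credential-stuffing run: ten IPs, each replaying one
#     leaked username/password pair exactly once, two of which still work
SAMPLE_LOG = """\
2019-05-01T10:00:01Z ip=198.51.100.5 user=carol result=OK
2019-05-01T10:00:04Z ip=198.51.100.9 user=dave result=FAIL
2019-05-01T10:00:09Z ip=198.51.100.9 user=dave result=OK
2019-05-01T10:01:00Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:01:01Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:01:02Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:01:03Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:01:04Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:01:05Z ip=192.0.2.77 user=admin result=FAIL
2019-05-01T10:02:00Z ip=203.0.113.10 user=u1001 result=FAIL
2019-05-01T10:02:01Z ip=203.0.113.11 user=u1002 result=FAIL
2019-05-01T10:02:02Z ip=203.0.113.12 user=u1003 result=OK
2019-05-01T10:02:03Z ip=203.0.113.13 user=u1004 result=FAIL
2019-05-01T10:02:04Z ip=203.0.113.14 user=u1005 result=FAIL
2019-05-01T10:02:05Z ip=203.0.113.15 user=u1006 result=FAIL
2019-05-01T10:02:06Z ip=203.0.113.16 user=u1007 result=FAIL
2019-05-01T10:02:07Z ip=203.0.113.17 user=u1008 result=OK
2019-05-01T10:02:08Z ip=203.0.113.18 user=u1009 result=FAIL
2019-05-01T10:02:09Z ip=203.0.113.19 user=u1010 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping lines that don't parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_ip_lockout_hits(events, max_failures=5):
    """The usual brute-force rule: flag any source IP with max_failures or more
    failed logins. This is exactly the control a botnet is used to evade."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= max_failures)


def stuffing_indicators(events):
    """Fleet-level statistics that stay visible when per-IP counts are spread thin."""
    if not events:
        return {"attempts": 0, "distinct_users": 0, "distinct_ips": 0,
                "failure_ratio": 0.0, "single_attempt_user_ratio": 0.0}
    per_user = Counter(e["user"] for e in events)
    fails = sum(1 for e in events if e["result"] == "FAIL")
    single = sum(1 for n in per_user.values() if n == 1)
    return {
        "attempts": len(events),
        "distinct_users": len(per_user),
        "distinct_ips": len({e["ip"] for e in events}),
        "failure_ratio": fails / len(events),
        # A replayed credential list tries each account once; a brute force
        # tries one account many times. This ratio separates the two.
        "single_attempt_user_ratio": single / len(per_user),
    }


def is_credential_stuffing(ind, min_attempts=10, min_ips=10,
                           min_failure_ratio=0.6, min_single_ratio=0.7):
    """Thresholds are illustrative assumptions; tune them against your own baseline."""
    return (ind["attempts"] >= min_attempts
            and ind["distinct_ips"] >= min_ips
            and ind["failure_ratio"] >= min_failure_ratio
            and ind["single_attempt_user_ratio"] >= min_single_ratio)


def likely_stuffed_logins(events):
    """Successful logins from one-shot source IPs inside a flagged window. These are
    the reused passwords that just got validated, i.e. the accounts to step up
    (MFA re-prompt, forced reset). Legitimate one-off logins get swept in too,
    which is why the response should be a challenge rather than a lockout."""
    if not is_credential_stuffing(stuffing_indicators(events)):
        return []
    ip_seen = Counter(e["ip"] for e in events)
    return sorted(e["user"] for e in events
                  if e["result"] == "OK" and ip_seen[e["ip"]] == 1)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP lockout fires on:", per_ip_lockout_hits(events))
    ind = stuffing_indicators(events)
    for k, v in ind.items():
        print(f"{k}: {v:.2f}" if isinstance(v, float) else f"{k}: {v}")
    print("credential stuffing suspected:", is_credential_stuffing(ind))
    print("accounts to step up:", likely_stuffed_logins(events))
```

On the constructed log the per-IP rule names only 192.0.2.77, the brute forcer, while the ten stuffing nodes each sit at one attempt and never trip it. The fleet view reports 13 source IPs, a failure ratio of about 0.79 and 11 of 13 usernames tried exactly once, so the window is flagged and u1003 and u1008 (the two accounts whose reused passwords worked) are returned for a step-up challenge; carol's genuine single login is returned alongside them, a false positive that is cheap only because the response is a challenge and not a lockout. Restricting the same statistics to the first nine lines (normal traffic plus the brute force) leaves the stuffing rule quiet, which is the behaviour you want from a rule that is meant to complement, not replace, per-IP lockouts.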
The most effective way to protect yourself is to not have any online accounts at all. Since this isn't really feasible in 2019, you are going to have to keep the following in mind:
- Enable multi-factor authentication (MFA) wherever it is supported
- Use a password manager
- Use passwords consisting of random strings of characters
- Do not use the same password for multiple sites/services
Credential stuffing relies on compromised login credentials being reused on multiple sites. Do not reuse passwords! Using a password manager to keep track of your random, differing passwords is crucial. Enabling MFA is also effective: a leaked password alone is then not enough to log in, so a stuffed credential that "works" still does not get the attacker into your account.
See here for more detailed info as described by those who have been investigating credential stuffing:
I’m just a normal sysadmin type guy who likes cybersecurity a lot.