Credential stuffing

A credential spill, alternatively referred to as a data breach or leak, arises when unauthorized individuals or groups illicitly obtain access to sensitive user credentials that organizations store. Such credentials frequently comprise usernames, email addresses, and passwords. The repercussions of credential spills can be significant, as they commonly subject users to a range of hazards, including identity theft, financial fraud, and unauthorized account infiltration. Credential stuffing attacks are considered among the top security threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone. == Origin ==

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time. == Incidents ==

On 20 August 2018, U.K. health and beauty retailer Superdrug was targeted with an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence. In October and November 2016, attackers gained access to a private GitHub repository used by Uber (Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential-stuffing method, as email addresses and passwords had been reused on other platforms. Multi-factor authentication, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a bug bounty program but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K. Information Commissioner's Office. In 2019 Cybersecurity research firm Knight Lion Security claimed in a report that credential stuffing was favored attack method for GnosticPlayers. == Compromised credential checking ==

Compromised credential checking is a technique enabling users to be notified when passwords are breached by websites, web browsers or password extensions. In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was leaked without fully disclosing the searched password. This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers and browser extensions. This approach was later replicated by Google's Password Checkup feature. Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). In March 2020, cryptographic padding was added to the protocol. Compromised credential checking implementations ==Legal action==

23andMe In October 2023, 23andMe disclosed that attackers had gained unauthorized access to user accounts through a credential stuffing attack that exploited reused passwords from prior breaches on other platforms. The incident exposed profile data of approximately 6.9 million users, including information on genetic heritage, family connections, and in some cases health-related details. The company later faced multiple class-action lawsuits in the United States, culminating in a proposed US$30 million settlement in 2024. In addition, the UK Information Commissioner’s Office (ICO) fined 23andMe £2.31 million for failing to adequately protect personal data of around 155,000 UK customers. Dunkin' Donuts In September 2020, Dunkin' Brands Group, Inc. reached a settlement with the New York Attorney General over credential stuffing attacks that had compromised tens of thousands of customer DD Perks loyalty accounts between 2015 and 2018. Attackers used reused credentials from other breaches to gain unauthorized access, which in some cases allowed fraudulent use of stored value cards. Under the terms of the settlement, Dunkin' was required to notify impacted customers, reset affected passwords, provide refunds for unauthorized transactions, and enhance its information security program. The company also agreed to pay $650,000 USD in penalties and costs to New York (state), without admitting wrongdoing. == Regulatory response ==

Credential stuffing attacks have drawn regulatory attention, particularly in sectors handling sensitive personal data. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to implement procedures for monitoring log-in attempts and reporting discrepancies (45 CFR 164.308(a)(5)(ii)(C)) and to verify the identity of persons seeking access to electronic protected health information (45 CFR 164.312(d)). The December 2024 HIPAA Security Rule NPRM proposed requiring multi-factor authentication for all access to ePHI, which would significantly mitigate credential stuffing risk by rendering compromised passwords insufficient for unauthorized access. The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500), amended in November 2023, requires covered entities to implement multi-factor authentication and monitor for unauthorized access attempts, directly addressing credential stuffing vectors. NIST Special Publication 800-63B Digital Identity Guidelines recommends that verifiers implement rate limiting, account lockout mechanisms, and checks against commonly used or compromised passwords to defend against automated credential attacks. == See also ==