
RockYou2024: Outsmarting Credential Stuffing Attacks On The Horizon

Credential stuffing is a huge, ever-growing threat, with attacks becoming more frequent and sophisticated.

(Source: Freepik)

You’ve probably read the headlines about the RockYou2024 leak, in which a hacker reportedly posted around 10 billion passwords in what has been termed the biggest collection of stolen credentials ever leaked on a cybercrime forum.

What you may not know is how cybercriminals take those credentials and use them in automated attacks called credential stuffing. These attacks target everyday internet users like you, trying stolen username and password combos across many sites hoping to break into accounts.

Think your info hasn’t been leaked? Think again! Credential stuffing is a huge, ever-growing threat, with attacks becoming more frequent and sophisticated. However, you can still outsmart them. But first, let’s take a deeper look into a credential stuffing attack, how it’s carried out and what’s at stake.

Anatomy Of The Attack

Credential stuffing is a sneaky kind of cyberattack where credentials stolen in one data breach are used to attempt logins on unrelated services. For example, if credentials are stolen from a department store, attackers might try the same email and password at a bank. Huge lists of breached credentials sold and shared on the dark web, RockYou2024 among them, combined with bot tooling that slips past traditional login protections, make credential stuffing a common and effective attack method.

Here’s how a credential stuffing attack usually unfolds:

  • Hackers get hold of login credentials from a past data breach (e.g., Company X). With data breaches a common occurrence, cybercriminals have an almost endless supply of usernames and passwords. These credentials can be bought on dark web marketplaces and forums, or obtained through phishing and malware infections. Attackers usually merge credentials from many breaches into “combolists”, files of username:password pairs running to millions or even billions of entries, to maximise the number of accounts they can try.

  • Attackers then use automated tools and botnets to try those logins across many sites (e.g., banks, Netflix, etc.). Credential stuffing tools often include CAPTCHA solvers and large proxy lists so that the traffic looks like ordinary users on ordinary connections. Rather than hammering one site from one address, the bots spread attempts across thousands of addresses so that each source stays below per-IP rate limits, and keep cycling through the list until a pair matches.

  • If a pair matches, attackers have unauthorised access to the account. They can then drain it of value, read personal data and sensitive information, deploy ransomware or use it for further malicious activity such as phishing or selling the now-verified credentials on.

The scary part? Most people can’t remember multiple passwords and don’t use password managers. Studies suggest that up to 85% of users recycle their login credentials across multiple services. The result: One breach unlocks multiple accounts.
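As an added example (not from the original article), here is the defender-side version of the reuse problem just described: a Python sweep that takes a leaked combolist and reports which of your own users' current passwords appear in it, so those accounts can be reset before a stuffing bot gets to them. The combolist, the user directory, its salted SHA-256 hashes and the MFA flags are all constructed for the demo; a real directory would store bcrypt, scrypt or Argon2id hashes, and the sweep works the same way, only slower per comparison.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed combolist in the usual "email:password" shape (not a real leak).
LEAKED_COMBOLIST = """\
alice@example.com:Summer2023!
bob@example.com:password123
carol@example.com:hunter2
Alice@Example.com:Winter2022!
dave@example.com:letmein
this line has no separator and is skipped
erin@example.com:Tr0ub4dor&3
"""


def parse_combolist(text):
    """Yield (email, password) pairs. Split on the first colon only so a password
    that itself contains ':' survives; lower-case the email so case variants merge."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def hash_password(password, salt):
    # Demo store only: salted SHA-256. Production stores use bcrypt/scrypt/Argon2id.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_user(email, password, mfa_enabled):
    # Deterministic per-user salt so the example is reproducible (real salts are random).
    salt = hashlib.sha256(email.encode()).digest()[:16]
    return email, {"salt": salt, "hash": hash_password(password, salt), "mfa": mfa_enabled}


# Constructed user directory for "our" site.
USERS = dict([
    make_user("alice@example.com", "Summer2023!", False),        # reused, no MFA
    make_user("bob@example.com", "B0b-unique-pass-2024", True),  # unique password
    make_user("carol@example.com", "hunter2", True),             # reused, MFA on
    make_user("dave@example.com", "letmein", False),             # reused, no MFA
])


def sweep(combolist_text, users):
    """For each directory user present in the leak, test every leaked password for
    that email against the stored hash. Returns {email: {"reused": bool, "mfa": bool}}."""
    candidates = defaultdict(set)
    for email, password in parse_combolist(combolist_text):
        if email in users:                      # emails not on our site are irrelevant
            candidates[email].add(password)
    report = {}
    for email, passwords in candidates.items():
        rec = users[email]
        reused = any(
            hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"])
            for pw in passwords
        )
        report[email] = {"reused": reused, "mfa": rec["mfa"]}
    return report


def force_reset_lists(report):
    """Split matches by urgency: a live password sitting in a public list with no MFA
    is an open door; with MFA the password still gets reset, but the account is not
    one stolen credential away from takeover."""
    urgent = sorted(e for e, r in report.items() if r["reused"] and not r["mfa"])
    mfa_covered = sorted(e for e, r in report.items() if r["reused"] and r["mfa"])
    return urgent, mfa_covered


if __name__ == "__main__":
    report = sweep(LEAKED_COMBOLIST, USERS)
    urgent, covered = force_reset_lists(report)
    print("users present in leak:", sorted(report))
    print("force reset now:", urgent)
    print("reused but MFA-protected:", covered)
```

Bob appears in the leak but with a password that is not his current one, so he is reported but not reset; Alice and Dave reuse a leaked password with no second factor and go to the top of the list. Running this sort of sweep when a large combolist surfaces is cheaper than waiting for the bots to find the same matches.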

Why So Serious?

According to reports, a credential stuffing attack typically has a 2% success rate. This means that with a set of 1 million stolen passwords from one website, an attacker could easily take over 20,000 accounts on a different website. To gain a picture of this massive threat, multiply those figures by the total number of websites where users have reused their passwords and the number of reported data breaches.

Credential stuffing can seriously compromise your online accounts. It can lead to account takeovers, financial fraud, data theft, and more. These attacks come cheap for cybercriminals but can be extremely damaging, financially or otherwise, for impacted users and businesses. The Ponemon Institute's report underscores the impacts, estimating an average loss of $6 million per year for businesses due to factors such as application downtime, lost customers and increased IT costs.

Companies that have, in the past, suffered such attacks have faced not only data breaches but also significant brand damage. Moreover, legal and regulatory consequences can be severe, with organisations in breach of data protection regulations facing hefty fines and legal action.

In 2018, the UK's Information Commissioner's Office (ICO) fined ride-hailing company Uber £385,000 over a 2016 breach that followed a credential stuffing attack. Due to “avoidable data security flaws”, threat actors gained access to the personal information of an estimated 82,000 drivers and 2.7 million UK customers. Along with payment and travel information, the compromised data contained the names, phone numbers and email addresses of customers.

In 2020, Dunkin' Donuts agreed to pay $650,000 to settle a lawsuit brought by the New York Attorney General over its failure to notify customers that credential stuffing attacks had compromised their accounts. Threat actors obtained the information of Dunkin’s value card holders and used it to make fraudulent purchases, with close to 20,000 user accounts compromised and thousands of dollars skimmed.

In the latest leak, a hacker with the username “ObamaCare” has reportedly uploaded almost 10 billion passwords to the cybercrime forum BreachForums, in what appears to be the largest such collection ever posted. Released as a dataset called RockYou2024, the file holds 9,948,575,739 plaintext passwords, believed to have been compiled from old and new data breaches, and was posted online on July 4, 2024. Researchers have already warned that “revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks”.

To figure out the potential impact: if we go with the 2% success rate of a credential stuffing attack, the 10 billion passwords in RockYou2024 could hypothetically lead to an incredible 200 million account takeovers. One caveat on that arithmetic: the 2% figure applies to username and password pairs, and RockYou2024 as posted is a list of bare passwords. On its own it feeds password guessing, password spraying and offline cracking; for credential stuffing proper, attackers still have to line those passwords up with email addresses from combolists like the ones described above.

How To Combat Credential Stuffing?

Fortunately, by observing cybersecurity hygiene—both at an individual and organisational level—and following some security measures, one can fortify defences against the increasingly sophisticated landscape of credential stuffing and potential attacks on the horizon.

  • MFA Is A Must: To prevent credential stuffing, implementing multi-factor authentication is crucial. MFA adds a significant layer of security by requiring more than just a password for access. This could include a combination of something you know (password), something you have (a mobile device, security token or authenticator app) and something you are (biometric data like fingerprints or facial recognition). This method has been reported to block over 99.9% of automated account attacks, making it one of the most effective defences available. Not all second factors are equal, though: SMS codes and push prompts can be phished or approved by a fatigued user in real time, so where a service offers phishing-resistant options such as FIDO2 security keys or passkeys, prefer those.

  • Make That Password Harder To Crack: The single most effective habit against credential stuffing is a unique password for every account, because a password that is never reused cannot be stuffed anywhere else, however strong it is. Reusing passwords across sites is a huge security risk; if one account is compromised, attackers can potentially access all your other accounts too. Use a password manager to generate and remember long passwords (length matters far more than mixing symbols), and avoid your name, birthdates or other easy-to-guess choices. Organisations should screen new passwords against known breach lists such as RockYou2024 and reject any that appear, in line with current NIST guidance (SP 800-63B), rather than enforcing calendar-based expiry: forced periodic changes push users towards predictable variations of the old password, so rotate on evidence of compromise instead.

  • Keep Your Tech Updated: Outdated software often contains security vulnerabilities that attackers can exploit. Always keep your operating system, apps, browsers and anti-virus/malware software updated to the latest version. Enable automatic updates to stay protected against emerging cyber threats, as developers frequently release security patches and updates to fix recent and potential security issues. 

  • Monitor, Detect, Act: Regular monitoring of login patterns is key to early detection of credential stuffing attempts. Anomaly detection can alert you to the typical signature: a spike in failed logins, one address trying many different usernames, many addresses each trying one username, a surge of logins for accounts that do not exist, or logins from unusual locations. Pair the alerts with per-IP and per-account rate limits and the ability to revoke sessions. If you suspect an account is compromised, immediately change that password and that of any other account using the same one. With data breaches as frequent as they are, sign up for breach notifications (services such as Have I Been Pwned will tell you when your email appears in a leak) and change the affected password as soon as one arrives.
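As an added example (not part of the original article), the following Python implements the kind of anomaly detection the last item describes, run over a constructed authentication log: a per-source rule for one address cycling through many accounts, and a per-time-bucket rule for the proxy-rotating variant, where the tell is the share of attempted usernames that do not exist on your site. The log line format, the thresholds and the sample traffic are all assumptions made for the demo, not any real product's format or defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format for this example (not any real product's format):
#   2024-07-05T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
# result is OK (login succeeded), FAIL (wrong password) or NOUSER (no such account).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL|NOUSER)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse lines into event dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "ip": m["ip"],
                           "user": m["user"].lower(), "result": m["result"]})
    return events


def bucket_key(ts, bucket):
    """Floor a timestamp to the start of its time bucket and return it as a string."""
    return (ts - (ts - datetime.min) % bucket).strftime(TS_FMT)


def noisy_source_ips(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Single-source signature: one IP cycling through many *different* accounts with
    almost nothing but failures inside a sliding window. Brute force against a single
    account (one user, many attempts) deliberately does not match this rule."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] != "OK" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users)}
                break
    return flagged


def distributed_bursts(events, bucket=timedelta(minutes=1), min_attempts=20, max_nouser_share=0.2):
    """Proxy-rotation signature: every IP makes one or two attempts, so per-IP rules
    stay quiet, but one time bucket shows a jump in attempts where a large share of
    the usernames do not exist here at all (combolists come from other sites)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[bucket_key(e["ts"], bucket)].append(e)
    flagged = {}
    for key in sorted(buckets):
        evs = buckets[key]
        nouser = sum(e["result"] == "NOUSER" for e in evs)
        if len(evs) >= min_attempts and nouser / len(evs) > max_nouser_share:
            flagged[key] = {"attempts": len(evs), "distinct_ips": len({e["ip"] for e in evs}),
                            "nouser_share": round(nouser / len(evs), 2)}
    return flagged


def likely_compromised(events, noisy_ips, bursts, bucket=timedelta(minutes=1)):
    """Accounts with a successful login from a flagged IP or inside a flagged burst:
    candidates for session revocation, step-up verification and a forced reset."""
    hits = set()
    for e in events:
        if e["result"] == "OK" and (e["ip"] in noisy_ips or bucket_key(e["ts"], bucket) in bursts):
            hits.add(e["user"])
    return sorted(hits)


def constructed_log():
    """Constructed sample, not a real capture: ten legitimate logins, one noisy bot
    address, and a burst from 30 proxy addresses making one attempt each."""
    t0 = datetime(2024, 7, 5, 10, 0, 0)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = [f"{fmt(t0 + timedelta(minutes=i))} ip=198.51.100.{i} user=user{i}@example.com result=OK"
             for i in range(10)]
    for i in range(8):   # one IP, eight accounts in under 30 s, one of them succeeds
        res = "OK" if i == 3 else "FAIL"
        lines.append(f"{fmt(t0 + timedelta(minutes=2, seconds=4 * i))} ip=203.0.113.7 "
                     f"user=victim{i}@example.com result={res}")
    for i in range(30):  # 30 proxies at 10:07, mostly unknown usernames, one hit
        res = "OK" if i == 12 else ("NOUSER" if i % 3 else "FAIL")
        lines.append(f"{fmt(t0 + timedelta(minutes=7, seconds=i))} ip=192.0.2.{i} "
                     f"user=leaked{i}@example.com result={res}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(constructed_log())
    noisy = noisy_source_ips(events)
    bursts = distributed_bursts(events)
    print("noisy source IPs:", noisy)
    print("distributed bursts:", bursts)
    print("accounts to review:", likely_compromised(events, noisy, bursts))
```

Note what the review list contains: the two accounts the bots actually got into, but also a legitimate user who happened to log in during the burst minute. That false positive is the reason output like this should drive step-up verification or a session check rather than an automatic lockout, and the thresholds should be tuned against your own baseline traffic before alerts go to anyone.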
