Case Studies and Countermeasures of Credential Stuffing Attacks Using Leaked Accounts
Abstract
Credential stuffing attacks using leaked passwords have been increasing rapidly. What began as a simple technique has evolved, through advances in automation tools and the widespread reuse of credentials, into large-scale account breaches and financial damage.
Previously, these threats could be identified simply by detecting a large number of login attempts. Today, however, attackers try to evade detection by mimicking legitimate user traffic through web proxies, user-agent spoofing, and distributed login requests. As these techniques become more sophisticated, traditional defenses such as firewalls or detection based solely on failed login counts face limitations.
Credential stuffing continues to increase in volume and has become a serious threat to both organizations and individuals.

Figure: IBM’s data breach cost by year (2019–2024)
This blog post explains the concept and characteristics of credential stuffing attacks, which have been on the rise recently, and describes actual cases of damage. It also aims to enhance the response to credential stuffing through detection and response measures.
What Is Credential Stuffing?
Credential stuffing is a type of cyberattack where attackers use previously leaked user account information to attempt unauthorized access to various websites or services through automated means. This attack exploits the fact that many users reuse the same login credentials across multiple platforms.
Characteristics of Attacks Based on Breached Accounts
Credential stuffing is different from a simple brute-force attack. While brute-force attacks attempt all possible password combinations, credential stuffing uses actual user credentials that have already been obtained. Because of this, credential stuffing has a higher chance of success, and if a data breach occurs in one service, other services that use the same credentials may also be at risk.
Evolution of Attacks
Credential stuffing attacks are evolving into more sophisticated and harder-to-detect methods with the advancement of automation tools. In the early days, account credentials were randomly entered using simple HTTP clients such as curl or Python’s requests. However, this approach generated abnormal traffic patterns, making it relatively easy to detect.
Using a Headless Browser
Recently, headless browsers have been used as a major means of attack. A headless browser is a web browser that operates without a graphical user interface (GUI), rendering websites and executing JavaScript like a regular browser. As a result, threat actors can generate traffic similar to that of legitimate users, such as accessing login pages, entering IDs and passwords, clicking buttons, executing JavaScript, and setting cookies. Commonly abused headless browser tools include Puppeteer and Playwright.
Bypassing CAPTCHA
Threat actors use various strategies to bypass anti-automation measures such as CAPTCHA. Text-based CAPTCHAs are solved automatically with OCR engines, while image-based CAPTCHAs are solved with CNN-based classification models. They may also use CAPTCHA-solving services. For example, platforms such as 2Captcha and Anti-Captcha employ real people to solve CAPTCHA challenges in real time and return the results to the threat actor through an API. In this way, bots pass the CAPTCHA without having to recognize the images themselves.
Incidents
Credential stuffing attacks have led to many cases of personal data breaches across various organizations and services. The following are some of the most notable cases.
Case 1
In 2023, a credential stuffing attack resulted in the compromise of approximately 6.9 million customer records from 23andMe, a U.S.-based biotech and genomics company. 23andMe provides ancestry and genetic testing services, where users submit saliva samples to receive personalized reports and even view connected family information. In this case, the attack stemmed from users reusing login credentials previously leaked from other platforms.
The threat actor used an automated tool to test combinations of leaked emails and passwords, then posted the stolen data on a dark web forum. The 23andMe breach occurred for the following reasons:
1. The DNA Relatives feature had a vulnerability in its structure, which meant that when one account was breached, the data of hundreds to thousands of connected users could also be exposed.
2. Multi-factor authentication was not enabled for the account.
Case 2
In June 2024, a credential stuffing attack stole hundreds of millions of data records from customers of the cloud company Snowflake. Infostealer malware had been installed on the laptops of employees at customer companies using the Snowflake service, leaking their account credentials. Threat actors used the stolen credentials to access Snowflake and exfiltrate data. They were able to access the accounts easily because multi-factor authentication (MFA) was not enabled.
About 79.7% of the accounts used in the attack were found to have had their credentials exposed in previous incidents, and the infostealer infection dated back about 4 years before the data breach. This case is believed to have occurred due to the following security weaknesses:
1. The accounts did not have two-factor authentication enabled.
2. The account passwords had not been changed for several years.
3. No network allow list was configured to restrict where the accounts could log in from.
Detection Method
Various techniques are used to detect credential stuffing attacks. This post covers rule-based (signature-based) detection and automated behavior-based detection.
Signature-Based Detection
Credential stuffing attacks usually involve repeatedly attempting to log into various accounts. Therefore, such attacks can be detected by setting log-based rules.
One of the main detection methods is to flag cases where many different accounts receive repeated login attempts from the same IP address or the same User-Agent. An abnormally high login failure rate for a specific account or IP can also be treated as a sign of compromise. Furthermore, abnormal behavior can be identified by comparing it against the successful-login patterns, access times, and locations of normal users.
This type of detection is usually performed in the log analysis systems of a SIEM, a WAF, or the authentication server. For example, rules such as “More than 10 login failures within 5 minutes” or “Login attempts on more than 20 accounts from the same IP” can be configured to detect abnormal behavior in real time.
Comparing these anomalies against the average connection patterns of normal users allows security alerts to be raised through real-time detection.
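The two rule shapes quoted above, implemented as a sliding-window check over a constructed auth log. This is an added example, not code from the original post; the log layout, IP addresses and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines, "ISO-timestamp source-ip account result" (sample data, not from the post).
SAMPLE_LOG = (
    # one source spraying distinct accounts: 25 failures within 25 seconds
    [f"2024-06-01T10:00:{i:02d} 203.0.113.7 user{i:02d} FAIL" for i in range(25)]
    # a legitimate user who mistypes once and then succeeds
    + ["2024-06-01T10:05:00 198.51.100.4 alice FAIL",
       "2024-06-01T10:05:30 198.51.100.4 alice OK"]
)

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def detect(lines, max_failures=10, window=timedelta(minutes=5), max_accounts=20):
    """Apply the two rules from the text, keyed on source IP (keying on User-Agent
    works the same way). Returns {ip: {names of rules that fired}}."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside the sliding window
    accounts_seen = defaultdict(set)      # ip -> distinct accounts attempted in this batch
    alerts = defaultdict(set)
    for ts, ip, account, result in events:
        accounts_seen[ip].add(account)
        if len(accounts_seen[ip]) > max_accounts:
            alerts[ip].add("many_accounts_from_one_ip")
        if result == "FAIL":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # expire failures older than the window
                q.pop(0)
            if len(q) > max_failures:
                alerts[ip].add("failure_burst")
    return dict(alerts)

if __name__ == "__main__":
    for ip, rules in detect(SAMPLE_LOG).items():
        print(ip, sorted(rules))
```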
Abnormal Behavior-Based Detection
While signature-based detection is useful for flagging abnormal logs that match fixed conditions, it is becoming increasingly difficult to catch new attack variants with fixed rules alone, because threat actors continuously develop bypass techniques and diversify their login patterns.
As a result, behavior-based detection has emerged as an alternative. It uses machine learning or statistical anomaly detection techniques to automatically identify behavior patterns that differ from those of normal users.
For example, analyzing the following elements can help detect signs of compromise:
- Sharp increase in the login success/failure ratio
- Sudden movement between locations of an IP address or device
- Mismatch with the legitimate user's usual time zone, access frequency, and browser/OS patterns
- Massive access attempts to many accounts from the same device
- Unusually fast or frequent authentication requests compared to normal logins
To this end, solutions such as User and Entity Behavior Analytics (UEBA), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) are utilized. These solutions automatically learn attack patterns and detect abnormal behaviors in real time to send alerts to security managers or block attacks.
Behavior-based detection supplements traditional signature-based detection and is a key strategy for enhancing the real-time response to credential stuffing attacks, which continue to evolve.
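A minimal statistical stand-in for the first element in the list above (a sharp rise in the failure ratio): instead of a fixed failure count, each hour is scored against the trailing baseline of the service's own normal ratio with a z-score. This is an added example, not code from the post or from any UEBA product; the hourly counts are constructed sample data.

```python
import statistics

# Constructed hourly (successes, failures) counts for one login endpoint (sample data, not from the post).
# Legitimate traffic varies mildly; hour 20 carries a stuffing burst that barely changes total volume.
HOURLY_COUNTS = [(100 + (h % 5) * 10, 8 + (h % 3)) for h in range(24)]
HOURLY_COUNTS[20] = (130, 95)

def failure_ratio(successes, failures):
    total = successes + failures
    return failures / total if total else 0.0

def anomalous_hours(counts, baseline_hours=12, z_threshold=3.0):
    """Flag hours whose failure ratio sits more than z_threshold standard deviations above
    the trailing baseline. Returns [(hour, ratio, z)]. No fixed failure count is needed:
    the threshold adapts to whatever this service's normal ratio happens to be."""
    ratios = [failure_ratio(s, f) for s, f in counts]
    flagged = []
    for i in range(baseline_hours, len(ratios)):
        baseline = ratios[i - baseline_hours:i]
        mu, sigma = statistics.mean(baseline), statistics.pstdev(baseline)
        z = (ratios[i] - mu) / sigma if sigma > 0 else 0.0
        if z > z_threshold:
            flagged.append((i, round(ratios[i], 3), round(z, 1)))
    return flagged

if __name__ == "__main__":
    for hour, ratio, z in anomalous_hours(HOURLY_COUNTS):
        print(f"hour {hour}: failure ratio {ratio} (z = {z})")
```

A per-account or per-device version of the same scoring (failures per account, distinct accounts per device) covers the other elements in the list.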
Countermeasures
Various security measures can be implemented to defend against credential stuffing attacks. Threat actors feed stolen account credentials into login forms through automated tools. To counter this, a holistic approach covering authentication, detection, blocking, and user training is essential.
1. Implementing Multi-Factor Authentication (MFA)
Even if account credentials are compromised, additional authentication steps can prevent account takeover. It is recommended to apply MFA by default for admin accounts and accounts that access critical systems. Additionally, applying conditional MFA for suspicious logins is also effective.
2. Login Attempt Limitation and CAPTCHA
Attacks can be slowed by temporarily locking the account or requiring a CAPTCHA once the login failure count exceeds a certain threshold. However, because automation tools exist that can bypass CAPTCHA, it is more effective to apply MFA, rate limiting, and behavior anomaly detection in combination.
3. Abnormal Login Detection and IP Blocking
When multiple account login attempts occur from the same IP or User-Agent, or when the login failure rate for a specific IP suddenly increases, these can be deemed as abnormal signs. In such cases, the IP can be blocked or an alert can be sent to the administrator. It is also effective to send real-time alerts to users when their login locations, devices, or time zones are different from usual.
4. Rule-Based Detection and Automated Response System
Detection rules such as “10 or more login failures within 5 minutes” should be set up using SIEM, WAF, and authentication server logs. When abnormal behaviors are detected, defense measures should be executed automatically, or alerts should be sent to security administrators.
5. Response Based on Leaked Account Information
Blacklists can be created from leaked credentials collected from the dark web and other sources. When an account on the blacklist is used to log in, the user can be prompted to change the password immediately, or the login attempt can be blocked. It is also important to have a feature that automatically detects whether leaked credentials are being reused.
6. Enhancing User Awareness on Security
Users should be regularly informed about the risks of password reuse and the importance of multi-factor authentication (MFA). Security training should also be provided to teach users how to respond in the event of a potential breach.
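Measures 2 and 5 combined in a single login gate: failure-count step-up to CAPTCHA, temporary lockout, and a leaked-password check that forces a reset even when the password is correct. This is an added example, not code from the post; the user store, the leaked-hash set and the thresholds are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store and leaked-password set (sample data, not real breach material).
USERS = {"alice": (b"salt-alice", _hash("Tr0ub4dor&3-unique", b"salt-alice")),
         "bob":   (b"salt-bob",   _hash("password123",        b"salt-bob"))}
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password123", "qwerty2024")}

def password_ok(account, password):
    rec = USERS.get(account)
    return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

def is_leaked(password):
    """Range-style lookup: only the 5-hex-char SHA-1 prefix would be sent to a breach-corpus
    service; the suffix comparison happens locally. Here the corpus is the in-memory set above."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}

class LoginGate:
    """Per-account failure tracking: CAPTCHA step-up after a few failures, lock after more,
    and a forced password reset when a correct but known-leaked password is presented."""
    def __init__(self, captcha_after=3, lock_after=10, window=timedelta(minutes=5)):
        self.captcha_after, self.lock_after, self.window = captcha_after, lock_after, window
        self.failures = defaultdict(list)   # account -> timestamps of recent failed attempts

    def check(self, account, password, now, captcha_passed=False):
        recent = [t for t in self.failures[account] if now - t <= self.window]
        self.failures[account] = recent
        if len(recent) >= self.lock_after:
            return "LOCKED"
        if len(recent) >= self.captcha_after and not captcha_passed:
            return "CAPTCHA_REQUIRED"
        if not password_ok(account, password):
            recent.append(now)
            return "DENIED"
        if is_leaked(password):
            return "RESET_REQUIRED"   # valid credentials, but the password is in a breach corpus
        return "ALLOW"
```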
Conclusion
According to the report “2024 Trends in Personal Information Breach Notifications and Prevention Measures” published by the Personal Information Protection Commission and KISA on March 20, 171 out of 307 reported cases of personal information breaches (approximately 56%) were due to hacking. Among hacking methods, credential stuffing was identified as the third most common technique, following SQL injection and malware. Additionally, the “2024 Data Breach Investigations Report” by Verizon reported that attacks based on stolen credentials, such as credential stuffing, were involved in approximately one-third of all breach incidents.
Therefore, companies and organizations must establish a sustainable and effective security policy and continuously monitor leaked account credentials.