Online data dumps are nothing new. Sites selling consumers’ stolen personal and financial information and log-ins help generate more revenue for the cybercrime underground than the GDP of many countries. However, the recent appearance of three billion username and password pairs — known as a “combo list” — may have raised the eyebrows of even the most jaded cybersecurity professional.
Yes, the data itself was not new, but collated from previous breaches. However, it will still offer cyber-criminals a useful advantage in ongoing credential stuffing campaigns. It should also serve as yet another wake-up call for the industry. Credential stuffing doesn’t just affect the end customer — it can also have a serious financial and reputational impact on businesses.
The Truth About COMB
In total, nearly 3.3 billion pairs of plaintext email addresses and passwords were made available on the undisclosed hacking forum, according to reports. They’re currently being stored in a password-protected container, available to anyone who’s signed up to the site. The good news is that this leak is not linked to a new data breach; rather, the data is a compilation of many previous breaches, including LinkedIn’s 2012 spill that affected over 100 million users. The threat actor also acknowledges that it builds on previous compilations of breached data such as the 1.4 billion trove found on the dark web by 4iq back in 2017. Not to mention the infamous “Collection” series #1-5, which apparently contained 2.2 billion unique usernames and passwords.
However, let’s not underplay the potential impact this post could have. The “Compilation of Many Breaches (COMB),” as it was advertised, is arranged in alphabetical order in a “tree-like structure” and a query script is included. This makes it easier for cyber-criminals to search the data for specific credentials that they may be able to use in new attacks.
The Problem With Credential Stuffing
So why should cybersecurity professionals be bothered if a bunch of consumers (albeit over three billion) have had their emails and passwords compromised yet again? To put it simply: credential stuffing.
Credential stuffing attacks use automated scripts to try large volumes of username/password combos simultaneously across the web. Because many consumers reuse their passwords across multiple sites, the chances are that a small percentage of these malicious attempts will work. Attackers also use “fuzzing” technique to try similar passwords to the ones they have, in order to maximize their chances of success. Due to the vast volumes of data involved, the bad guys only need to get lucky a relatively small percentage of the time to make it worth their while.
With account access, the attacker could:
- Root around for personal information to steal and sell, or use in phishing and fraud attacks.
- Use stored cards to make fraudulent purchases in the victim’s name.
- Sell access to the account on the dark web. Marketplaces are awash with such offers — buyers could use stolen account credentials to book taxis, enjoy streaming content and even get Air Miles discounts on flights, all free-of-charge.
The Corporate Angle
There’s a potentially more serious enterprise impact. Many employees sign-up for third-party accounts/services with their work emails. If these companies are subsequently breached and the email/password combos end up in collections like COMB, attackers could also use them to probe for access to corporate accounts.
One vendor reckons the market for corporate network access was worth over $6 million in the 12 months to June 2020 alone, rising fourfold from the previous year. Guaranteed access to corporate networks is particularly attractive for ransomware groups. It could also be sold to cyber-criminals looking to steal more databases of customer information to sell on the dark web — and so the cycle repeats itself.
The Cost of Credential Stuffing
Despite this direct risk to corporate cybersecurity, the reality is that most credential stuffing goes after consumer accounts. Yet the damage here could still be significant, depending on which brands are involved. Retail is a major target: one report from 2020 revealed that over 60% of 100 billion credential stuffing attacks detected between July 2018 and June 2020 were targeted at retail, travel and hospitality businesses. Retail accounted for over 90% of these.
A separate report by the same security vendor estimated the annual cost to EMEA businesses from credential stuffing at $4 million, comprising: application downtime ($1.2m), lost customers ($1.6m), IT security overtime ($1.2m), and costs associated with follow-on fraud.
What Can You Do About It?
The bad news is that consumers are a persistent weak link in the security chain which attackers will continue to exploit. According to Sara Boddy, senior director of F5 Lab: “Credential spills are like an oil spill: once leaked, they are very hard to clean up, because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises.”
This is compounded by the fact that organizations are still struggling to protect their own customers’ data, which leads to a continuous supply of personal info and log-ins flowing onto dark websites. A new report reveals that the number of such “credential spill” incidents doubled between 2016 and 2020. As more consumers flood online due to the pandemic, there will be rich pickings for the cyber-crime community.
However, there are things that you can do to mitigate some of the risks highlighted above. These include:
Searching the dark web proactively for stolen customer data. This will give you a heads-up on a potential data breach and enable you to take action before the credentials have been monetized in attacks.
Deploying multi-factor authentication (MFA) for corporate and customer accounts. Those worried that this will introduce too much friction to the log-in process will be assured by risk-based solutions on the market today, that only require a second factor of users if the log-in looks suspicious.
Web application firewalls (WAFs) may be able to spot abnormal traffic from the botnets used to carry out credential stuffing.
Limiting failed authentications by IP address, devices, time frames, etc will also help to lock out automated attacks.
Device fingerprinting uses attributes like OS, browser version, and language to identify users’ devices and spot the imposters.
Scanning for breached credentials when users sign-up, means they are forced to choose new passwords.
Improving customer education about password management and security will ensure they use password managers to store unique, strong and long credentials.
Enhancing threat detection and response will help improve corporate cybersecurity and reduce the likelihood of breaches happening in the first place.
As with all good cybersecurity, a layered approach is the way to go. Defense-in-depth won’t be fool proof, but it’s the best chance organizations have at mitigating the risks, and costs, associated with credential stuffing.