Credential stuffing attacks, in which attackers use stolen credentials to log into user accounts on different websites, pose an ever-greater risk to online security. We explain what steps companies can take to minimise the risks of credential stuffing and why controllers and processors should account for this data protection issue.
What is credential stuffing?
Credential stuffing is a type of cyberattack in which the attacker uses stolen account credentials – usually usernames or e-mail addresses and the corresponding passwords – to gain unauthorised access to user accounts. The most common source of credentials used for credential stuffing is data breaches, after which the credentials are either posted online free of charge or offered for sale on the dark web. More often, however, attackers obtain credentials through phishing attacks. As most internet users use the same password on several websites, the attackers try to log into other accounts of the same user with the stolen login data. Given the large amount of compromised credentials available, credential stuffing is considered one of the biggest threats to websites and mobile apps.
Credential stuffing has some similarities to brute-force attacks and dictionary attacks. However, as the attackers are in possession of credentials the internet user has already used on another website, they are often more successful. According to an article in Harvard Business Review, up to 2% of credential stuffing attacks are successful.
Of course, the attackers do not try to log into different accounts manually. Rather, they use automated systems (bots) to attempt logins on a large number of websites in a short amount of time. If they are successful, the attackers gain access to the information saved in the profiles, such as names, dates of birth, purchase history, credit card numbers etc., which they can subsequently use for fraudulent or other malicious purposes. Depending on the website, they can also commit e-commerce fraud, e.g. purchase items online in the name of the attacked person or use their gift card balance. Lastly, and possibly most damaging, if attackers successfully log into the account of a company employee or even an administrator, they could use that access for corporate espionage.
What measures can companies take to prevent credential stuffing?
Companies can take several measures to minimise the risk of credential stuffing. One of the most effective measures is to offer – and where feasible, technically enforce – multi-factor authentication. In that case, despite being in possession of the password, attackers will not be able to log into the user’s account, as they will lack the second factor – e.g. a TAN code generated by the user’s mobile phone, or their fingerprint.
Alternatively, the website operator could employ adaptive authentication (also called risk-based authentication), whereby the system assesses the circumstances of each login attempt, determines the risk and adapts the login challenge accordingly. For example, if the login attempt occurs at an unusual time or from an unknown IP address, the website would request a second factor of authentication rather than accepting the password alone.
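The following is an added illustration of the risk-based decision described above; it is example code written for this article, not a product or the CNIL's reference design. It assumes a per-user baseline of known source networks and usual login hours (constructed here as fixed tables; a real system would derive them from login history), and assumes the password check has already run before the risk score is computed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline per user: the networks they normally log in from and their
# usual login hours (local time). Assumption: a real deployment learns these from history.
KNOWN_NETWORKS = {
    "alice": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")],
}
USUAL_HOURS = {
    "alice": range(7, 22),  # 07:00 to 21:59
}


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    timestamp: datetime
    password_ok: bool  # outcome of the password check, performed before risk scoring


def risk_score(attempt: LoginAttempt) -> int:
    """Score the circumstances of a login: an unknown network weighs more than an odd hour."""
    score = 0
    ip = ip_address(attempt.source_ip)
    if not any(ip in net for net in KNOWN_NETWORKS.get(attempt.username, [])):
        score += 2  # this user has never been seen from this network
    if attempt.timestamp.hour not in USUAL_HOURS.get(attempt.username, range(24)):
        score += 1  # outside the user's normal login window
    return score


def decide(attempt: LoginAttempt) -> str:
    """Map the password result and the risk score to the challenge the login flow applies."""
    if not attempt.password_ok:
        return "deny"  # wrong password: the risk score is irrelevant
    score = risk_score(attempt)
    if score == 0:
        return "allow"  # familiar network, familiar time: password alone suffices
    if score < 3:
        return "require_second_factor"  # one anomaly: step up to a second factor
    return "require_second_factor_and_notify_user"  # several anomalies: step up and alert


if __name__ == "__main__":
    # Constructed attempts: a routine login and one from an unknown network at 3 a.m.
    routine = LoginAttempt("alice", "203.0.113.7", datetime(2024, 3, 1, 10, 0), True)
    odd = LoginAttempt("alice", "192.0.2.44", datetime(2024, 3, 1, 3, 0), True)
    print(decide(routine), decide(odd))
```

The scoring weights and thresholds are deliberately simple; the point is that the same correct password leads to a different challenge depending on where and when it is presented, which is exactly what defeats a bot replaying leaked credentials from an unfamiliar address.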
Using a credential-screening solution is another measure that can minimise the risk of credential stuffing. A credential-screening tool compares in real time the credentials used for login against a database of compromised credentials. If there is a match, the website operator can deploy different measures such as notifying the user, employing a second layer of authentication or forcing a password reset.
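As an added example of the screening step (written for this article; it is not the code of any particular screening product), the snippet below checks a presented password against a compromised-credential corpus and maps a hit to one of the responses mentioned above. The corpus is a constructed four-entry list, and the lookup follows a range-query pattern in which only a short hash prefix leaves the application, an assumption modelled on public breach-checking services rather than anything described in the article.

```python
import hashlib

# Constructed excerpt of a compromised-credential corpus. The screening service holds
# the real corpus; the web application only ever sends it a short hash prefix.
_LEAKED_PASSWORDS = ["password123", "qwerty", "letmein", "Summer2023!"]


def _sha1_hex(text: str) -> str:
    # SHA-1 serves here only as the lookup key into the leak corpus,
    # never as the algorithm for storing the site's own passwords.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex characters of the hash so that a client can
# ask for a whole range and match locally (assumption: k-anonymity style range lookup).
COMPROMISED_INDEX = {}
for _pw in _LEAKED_PASSWORDS:
    _h = _sha1_hex(_pw)
    COMPROMISED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def query_range(prefix: str) -> set:
    """Stand-in for the screening service: every suffix whose hash starts with `prefix`."""
    return COMPROMISED_INDEX.get(prefix, set())


def is_compromised(password: str) -> bool:
    digest = _sha1_hex(password)
    return digest[5:] in query_range(digest[:5])


def screen_login(password: str, password_ok: bool, mfa_available: bool) -> str:
    """Decide what the login flow does once the password has been checked."""
    if not password_ok:
        return "deny"
    if not is_compromised(password):
        return "allow"
    # The credentials appear in a leak: step up if a second factor exists,
    # otherwise the only safe option is to force a new password.
    if mfa_available:
        return "require_second_factor_and_notify"
    return "force_password_reset"


if __name__ == "__main__":
    print(screen_login("qwerty", True, False), screen_login("correct horse battery staple", True, False))
```

Screening runs after the password check, not instead of it: a leaked password that does not match the account is simply a failed login, and only a correct but compromised password triggers the notification, step-up or reset.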
Furthermore, limiting the number of requests allowed per IP address and adding CAPTCHA authentication can also diminish the risk of credential stuffing to a certain extent. However, when choosing a specific tool, companies should consider its conformity with data protection law (a data protection assessment of one of the most widely used CAPTCHA tools, Google's reCAPTCHA, can be found here, in German).
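The per-IP request limit from the previous paragraph, as an added example written for this article (not code from any product or from the CNIL decision): a sliding-window limiter replayed over a constructed login log. The limit of five attempts per minute and the log lines are assumptions chosen to make the behaviour visible; the action on exceeding the limit is to present a CAPTCHA challenge rather than to check the password.

```python
from collections import defaultdict, deque
from datetime import datetime


class PerIpRateLimiter:
    """Sliding-window limiter: at most `max_attempts` login attempts per IP per `window_seconds`."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def check(self, ip: str, now: float) -> str:
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return "challenge"  # over the limit: show a CAPTCHA, do not evaluate the password
        q.append(now)
        return "proceed"


# Constructed login log: one bot source cycling through accounts, one ordinary user,
# and a final bot attempt after most of its earlier attempts have aged out.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ip=198.51.100.9 user=bob result=fail
2024-03-01T10:00:02 ip=198.51.100.9 user=carol result=fail
2024-03-01T10:00:04 ip=198.51.100.9 user=dave result=fail
2024-03-01T10:00:06 ip=198.51.100.9 user=erin result=fail
2024-03-01T10:00:08 ip=198.51.100.9 user=frank result=fail
2024-03-01T10:00:10 ip=198.51.100.9 user=grace result=fail
2024-03-01T10:00:12 ip=198.51.100.9 user=heidi result=fail
2024-03-01T10:00:14 ip=198.51.100.9 user=ivan result=fail
2024-03-01T10:00:20 ip=203.0.113.5 user=alice result=ok
2024-03-01T10:01:05 ip=198.51.100.9 user=judy result=fail
"""


def parse_line(line: str):
    parts = line.split()
    ts = datetime.fromisoformat(parts[0]).timestamp()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return ts, fields["ip"], fields["user"]


def replay(log_text: str, limiter: PerIpRateLimiter):
    """Run every logged attempt through the limiter and return (ip, user, decision) tuples."""
    decisions = []
    for line in log_text.splitlines():
        ts, ip, user = parse_line(line)
        decisions.append((ip, user, limiter.check(ip, ts)))
    return decisions


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG, PerIpRateLimiter(5, 60)):
        print(f"{ip:14} {user:6} {decision}")
```

In the replay the first five attempts from 198.51.100.9 proceed, the next three are challenged, the single attempt from 203.0.113.5 is unaffected, and the attempt at 10:01:05 proceeds again because three of the earlier ones have left the 60-second window. The limiter keys on the source address only, so it slows a single bot but not a botnet spreading attempts across many addresses, which is why the article lists it as reducing the risk "to a certain extent".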
Password hashing can also help combat credential stuffing. Unlike the above-mentioned measures, password hashing does not aim at stopping an ongoing credential stuffing attack but rather helps prevent credential stuffing from occurring at all. Namely, if passwords are stored using state-of-the-art hashing methods, the leaked hashes will be useless to the attackers. However, this only holds true if the passwords are sufficiently complex, as hashes of trivial passwords can easily be guessed by password cracking tools.
Lastly, given that human negligence and lack of knowledge are two of the factors increasing the risk of credential stuffing, companies should adequately and regularly train their employees in information security. Such training should raise employees' awareness of secure password handling and phishing attacks, among other topics. High-quality online training can provide employees with up-to-date knowledge while giving them flexibility as to when they complete it.
While there is no one-size-fits-all approach to credential stuffing, companies should assess the risks credential stuffing poses to their website and employ measures accordingly. In doing so, they should strike a proper balance between good user experience and appropriate website security.
Is there a GDPR obligation to take appropriate steps to prevent credential stuffing?
The GDPR is technology-neutral and does not prescribe specific technical measures companies would have to employ in a specific case. Rather, there is a general obligation set forth in Art. 32 GDPR, according to which companies have to implement appropriate technical and organisational measures to ensure that data are safely processed. When deciding on the measures to deploy, companies have to take into account the risks pertaining to their data processing and the probability of its occurrence.
The French data protection supervisory authority, the Commission nationale de l’informatique et des libertés (CNIL), relied on Art. 32 GDPR in a recent decision to fine companies for not employing sufficient technical and organisational measures to prevent credential stuffing. The online shop in question had been experiencing credential stuffing attacks for two years. As a countermeasure, it focused on developing a tool for detecting and blocking attacks launched from bots, a development effort that took one year. In the meantime, the attackers gained access to 40,000 additional user accounts. The CNIL held that the response of the online shop operator was too slow and that it should have employed other measures that could have been implemented in the short term, for example limiting the number of requests allowed per IP address and adding a CAPTCHA. For this breach of Art. 32 GDPR, the companies were together fined EUR 225,000.
Responsibilities of controllers and processors for online security
The decision of the CNIL also sheds light on the relation between a controller and a processor. Namely, the CNIL divided the fine between the two companies: the controller was fined EUR 150,000 whereas the processor operating the website on its behalf was fined EUR 75,000. The CNIL stated that despite the fact that the controller is overall responsible for the data processing and that the processor must only process personal data according to documented instructions of the controller, the processor must nonetheless seek appropriate technical and organisational measures and suggest them to the controller. Indeed, companies usually employ processors as they have expert knowledge and experience in a specific data processing activity. Hence, they might be better suited to find appropriate safeguards than a controller.
Companies running websites or mobile apps containing a login function should be aware of the risk of credential stuffing, which is becoming an ever more common type of cyberattack. Based on the risks pertaining to the concrete data processing situation, they should employ sufficient measures to combat it.
The CNIL decision imposing a fine for insufficient measures against credential stuffing is one of the first in this area. It shows that companies not only have to continuously assess the risks pertaining to their data processing operations but also react swiftly in case of deficiencies.
The decision of the French authority also gives valuable insight into the relationship between a controller and a processor. It underlines that even though the controller takes the final decision with regard to data processing, the processor is obliged to support the controller by providing suggestions as to how the level of data protection and data security can be further increased.