October 16, 2023 12:21 pm | Updated 12:21 pm IST

In October 2023, 23andMe, a U.S. biotechnology and genomics firm offering genetic testing services to consumers, confirmed that customer data being sold by threat actors on the dark web was legitimate. The data included full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location. The company further said that the data being sold had been stolen using a credential-stuffing attack.

What is credential stuffing?

Credential stuffing is a form of brute force attack, in which attackers rely on trial and error to crack passwords, login credentials, and encryption keys.

Brute force attacks are grouped into four categories: simple brute force attacks, dictionary attacks, hybrid brute force attacks, reverse brute force attacks and credential stuffing.

Amongst these, credential stuffing preys on users’ weak password hygiene. Attackers collect stolen username and password combinations from data leaks and test them on other websites to check whether they grant access to additional accounts. The attack succeeds when users reuse the same username and password combination across multiple accounts and social media platforms.


Hackers may also use automated bots to repeatedly try to access a website with credentials purchased on the dark web, replaying known (breached) username/password pairs from one website against other websites.

When attackers discover a set of credentials that work, they may also illegitimately try to access a company’s network using them or sell the validated credentials to other criminals who can use them to launch further attacks.

How does credential stuffing work?

One of the main factors behind the successful launch of credential stuffing attacks is poor password hygiene. In credential stuffing, attackers target popular websites with high brand recognition where user credentials leaked from earlier data breaches are readily available on the dark web.

Attackers use these leaked login credentials to repeatedly try to log in to a site. When they are successful, they may take over the account for financial gains or sell the validated information on the web to other criminals.

These attacks typically rely on bots or automated tools to repeatedly attempt to log in to sites with compromised credentials. When hackers use a single bot to make repeated login attempts from a single IP address, the attack is easy to identify and block with standard IP traffic management tools. However, when attackers route their traffic through multiple hops so that requests continuously switch between different IP addresses, the attack can be far more difficult to trace and stop.

Credential stuffing is also notoriously difficult to detect, as attackers keep changing the methods they use to bypass cyber defences and impersonate legitimate customers, which makes the attacks hard for companies to identify and defend against.
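As an added illustration of the detection gap described above (example code written for this article, not from 23andMe or any vendor): a per-IP failure threshold flags a single bot hammering one address but misses a wave that rotates through many addresses, while an IP-agnostic rule run over constructed sample log lines catches it. The log format, thresholds and function names are assumptions.

```python
from collections import Counter

# Constructed sample authentication log (not real data): time ip user result
SAMPLE_LOG = """\
10:00:01 198.51.100.7 alice FAIL
10:00:02 198.51.100.7 bob FAIL
10:00:03 198.51.100.7 carol FAIL
10:00:04 198.51.100.7 dave FAIL
10:00:05 198.51.100.7 erin FAIL
10:00:10 203.0.113.10 gina FAIL
10:00:11 203.0.113.10 gina OK
10:00:20 192.0.2.11 henry FAIL
10:00:21 192.0.2.12 ivan FAIL
10:00:22 192.0.2.13 judy FAIL
10:00:23 192.0.2.14 kate FAIL
10:00:24 192.0.2.15 leo OK
10:00:25 192.0.2.16 mia FAIL
"""

def parse_log(text):
    """Turn each log line into a (time, ip, user, result) tuple."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def noisy_ips(events, threshold=5):
    """Classic per-IP rule: flag addresses with >= threshold failed logins.
    Catches one bot hammering from one address; blind to IP rotation."""
    fails = Counter(ip for _, ip, _, res in events if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def distributed_stuffing(events, min_single_shots=5, min_fail_ratio=0.5):
    """IP-agnostic rule: a burst of 'single-shot' attempts (address seen once,
    username tried once) that mostly fail is the footprint of a rotating
    credential list; real users retry from the same address."""
    per_ip = Counter(ip for _, ip, _, _ in events)
    per_user = Counter(user for _, _, user, _ in events)
    shots = [(u, r) for _, ip, u, r in events
             if per_ip[ip] == 1 and per_user[u] == 1]
    fails = sum(1 for _, r in shots if r == "FAIL")
    ratio = round(fails / len(shots), 2) if shots else 0.0
    return {
        "flagged": len(shots) >= min_single_shots and ratio >= min_fail_ratio,
        "single_shot_users": sorted(u for u, _ in shots),
        "succeeded": sorted(u for u, r in shots if r == "OK"),  # reset these
        "fail_ratio": ratio,
    }

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", noisy_ips(ev))           # only the single bot
    print("distributed rule:", distributed_stuffing(ev))  # the rotating wave
```

The accounts listed under `succeeded` are the ones the wave actually got into; in practice those are the accounts to force a password reset and MFA enrolment on.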

Once threat actors are successful in gaining access to an account, they may use the access to launch further attacks including ransomware, malware, data theft, and phishing attacks.


How big is the problem of credential stuffing?

While the cybersecurity industry continues to invest in improving security, stolen credentials, the driving force behind credential stuffing, continue to pose a significant risk to the online security of organisations and individuals.

On an organisational level, 83% of breaches are perpetrated by external actors, of which 49% involve the use of stolen credentials, the Verizon Data Breach Investigations Report (DBIR) 2023 said.

And while credential stuffing attacks have been in use for some time, they have gained prominence in the past few years. In 2021, the financial services sector suffered 3.4 billion credential stuffing attacks, an increase of 45% year-over-year, a report from Help Net Security said. In 2022, Okta revealed that credential stuffing attacks boomed, with over 10 billion events being recorded in the first 90 days of the year.

The threat from credential stuffing has also prompted security agencies, including the FBI, to issue alerts about it. Credential stuffing attacks are also used extensively against Indian users, with the country being the most targeted in 2019, enduring 2.4 billion credential stuffing attacks, according to a report from Akamai Technologies.

How did hackers steal information from 23andMe customer accounts?

In the case of 23andMe, the company verified that the data of its customers being sold on the dark web was authentic. While the initial leak was limited, with the threat actor releasing 1 million lines of data on people of Ashkenazi descent, cyber criminals later started offering to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

Investigations revealed that the compromised accounts had opted into the platform’s “DNA Relatives” feature, which allows users to find genetic relatives and connect with them. Attackers made use of the feature to obtain information such as user account names to launch credential stuffing attacks.

Threat actors accessed a small number of 23andMe accounts and then scraped the data of those users’ DNA Relatives matches, thereby obtaining more information that was further used to target more users.

How can users protect against credential stuffing attacks?

Users should enable multi-factor authentication (MFA) on their accounts. Users should also ensure they do not use one password for all their online accounts.

Additionally, users can make use of password managers to generate unique, strong passwords. Password managers can also be used to monitor for passwords that may have appeared in data leaks, as most password managers now come with the capability to alert users when their data appears in a leak.
