credential stuffing

Dailymotion is a Paris-based video-sharing rival of YouTube. The site gets about 300 million unique visitors a month who watch an estimated 3.5 billion videos. While that’s a fraction of YouTube’s nearly 2 billion uniques, it makes a perfectly good target for a hacker.

Dailymotion announced “a large-scale computer attack aimed at compromising the data of its users,” on January 25. “The attack, which was discovered by Dailymotion technical teams and is still ongoing,” the company release stated, “was successfully contained following the implementation of measures to limit its scope.

According to Dailymotion, the attack took the form of a guessing game of sorts, the passwords of some Dailymotion accounts being drawn from a huge number of known login/password combinations, or by using passwords stolen from websites unrelated to Dailymotion.

Dunkin Donuts, Yahoo, Reddit, to name a few, have all had to weather similar threat vectors recently, and there is no end in sight for this variety of criminal activity. The data used in these attacks could be from different places. One six-month period last year resulted in 945 data breaches with a total of 4.5 billion records compromised.

There is more usable consumer data out there in the form of login information and other sensitive data than ever before, and with companies doing all they can to limit the damage, hackers are using that walkabout data to their advantage.

It’s Called Credential Stuffing

The situation: users register multiple sites with the same login credentials. The credentials used in stuffing exploits are acquired from a variety of sources, including black market repositories of data breach content.

This attack has a relatively low success rate but, because it targets a huge universe of possible victims, it still provides criminals with a high potential yield. It’s all done via machine so the attacks can be ongoing with minimal effort on the part of the criminals who set them in motion. A botnet armed with a large set of logins and passwords can go through millions of combinations against a server before hitting paydirt, but it all happens at the push of a button.

Writing for, Gary Audin, writes, “Through this fraud technique an attacker can purchase goods or services, take out bank loans, or steal medical information.” But he notes, “Credential stuffing isn’t a brute force attack.”  It’s a numbers game with a 1% success rate. Taking the data breach figure from that six-month period in 2018, roughly 45 million people could be hit with credential stuffing exploits implementing data compromised in the past year.

This is a serious problem that is difficult to contain because it is contingent upon consumer behavior. That said, the big online players have a distinct advantage. Google and Facebook have forged finely tuned, nearly ubiquitous connections to their users: e.g., an Android (Google) phone with Google Maps, Google Voice, etc. These apps make it possible for Google to recognize when something’s amiss. A user whose last recorded location was Whole Foods in Des Moines, Iowa that suddenly logs non-VPN generated activity located from a location in, say, Zagreb is a dead-giveaway that data has gone walkabout.

Facebook, EBay, Amazon, Twitter and many other large online presences offer similar advantages when it comes to the quick detection of criminal activity and they all offer users two-factor authentication. Google also has an Authenticator App to encourage 2FA 2 factor authentication), Amazon has its own solution for sellers for logins. Google, Facebook, and Amazon all allow / encourage people to authenticate on other sites using their accounts so as to keep logins consistent and on the same devices.

What Can Be Done for Smaller Operations?

Not every business can be so lucky to have this kind of scaled and leveraged security, which is where best practices become especially important.

Credential stuffing is most often detected when there are too many login attempts happening in a given period of time. Web-based security programs like the WordPress plugin WordFence can block a single IP address or a range of IP addresses when there are too many unsuccessful login attempts.

Simpler still: sites can and should require login/password combinations that are not easily daisy-chained, such as long randomized sequences of letters, cases, symbols and the like. This strategy is made easier with a password manager. But remember, if you decide to go that route, password managers are not a cybersecurity silver bullet.

Even with such a massive amount of knowledge at their disposal, Google, Amazon, Facebook, and Twitter encourage their users to take advantage of two-factor authentication. The message is clear: 2FA might not be foolproof, but it’s exponentially more secure than a standard login/password configuration, and there are affordable 2FA solutions for any size enterprise. Users should be encouraged to use it.

The Open Web Application Security Project, or OWASP, is a non-profit organization dedicated to establishing benchmarks and standards for keeping web-based apps secure as new technologies and threat vectors develop. OWASP maintains a list that serves as a roadmap for best practices to avoid credential stuffing; IT and insurance policies alike often require compliance with its standards.

Finally, Content Delivery Networks, or CDNs, offer another way to detect credential stuffing. They tend to be geographic in nature: CDNs serve cached websites and services from the closest or fastest available server. When a CDN location changes, that can be an indicator of an attempted hack.

The bottom line is that there are known fixes for this particular exploit, as there are for many other cyber exploits. The best defense against them is staying abreast of the threats out there, and educating yourself and your staff about the best ways to keep things safe and secure.