Data protection authorities from Canada, Gibraltar, Jersey, Switzerland, Turkey and the UK have worked together under the umbrella of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (the “IEWG”) to develop guidance on the increasing threat of credential stuffing attacks. The guidance aims to assist individuals and organisations in identifying, preventing and protecting against such attacks.
What is Credential Stuffing?
A credential stuffing attack is a method of cyber-attack in which threat actors exploit an individual’s propensity to use the same credentials (username or email address and password) across multiple online accounts. The attacks are generally automated and carried out at large scale: the threat actor takes username and password pairs stolen from one service and replays them against the login pages of many other services, gaining unauthorised access wherever the victim has reused the same pair. The credentials are usually obtained from earlier data breaches and are commonly published or traded on threat actors’ leak sites on the dark web.
Credential stuffing attacks can result in significant financial loss, as threat actors can make purchases using stolen account details or exploit personal data to transfer funds to their own accounts. These attacks can also cause harm if the threat actor: (i) distributes the stolen data on public shaming sites; (ii) posts disinformation from the compromised account; or (iii) makes false statements about an individual or organisation, all whilst acting under the credentials of the compromised account. Reputational damage to the organisation or individual can follow, although the primary motive behind a credential stuffing attack is financial gain.
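The pattern described in this section has a recognisable shape in authentication logs: one client replays a different leaked username and password pair against each account, so a single source produces a burst of attempts spread across many distinct accounts, mostly failing, with the occasional success where a password was reused. The following is an added example written for this page, not code from the IEWG guidance or DAC Beachcroft, showing how that shape can be separated from an ordinary brute force (many attempts on one account) and from a user who mistypes once. The log format, field names, thresholds and the log lines themselves are constructed for illustration.

```python
"""Spot the credential-stuffing pattern in authentication logs.

Added example for this page, not part of the IEWG guidance. The log format,
field names and thresholds are assumptions chosen for illustration; the log
lines are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per login attempt.
#   <ISO-8601 timestamp> src=<client IP> user=<account> result=<ok|fail>
# 203.0.113.7 replays leaked username/password pairs, one try per account.
# 198.51.100.4 hammers a single account (classic brute force, for contrast).
# 192.0.2.9 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.7 user=alice result=fail
2024-03-01T09:00:02Z src=203.0.113.7 user=bob result=fail
2024-03-01T09:00:02Z src=203.0.113.7 user=carol result=ok
2024-03-01T09:00:03Z src=203.0.113.7 user=dave result=fail
2024-03-01T09:00:03Z src=203.0.113.7 user=erin result=fail
2024-03-01T09:00:04Z src=203.0.113.7 user=frank result=fail
2024-03-01T09:00:04Z src=203.0.113.7 user=grace result=fail
2024-03-01T09:00:05Z src=203.0.113.7 user=heidi result=ok
2024-03-01T09:01:00Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:01:10Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:01:20Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:01:30Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:01:40Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:01:50Z src=198.51.100.4 user=ivan result=fail
2024-03-01T09:02:00Z src=192.0.2.9 user=judy result=fail
2024-03-01T09:02:30Z src=192.0.2.9 user=judy result=ok
"""

WINDOW = timedelta(minutes=5)   # assumption: burst window
MIN_ATTEMPTS = 5                # assumption: ignore smaller bursts
STUFFING_SPREAD = 0.8           # distinct accounts / attempts; ~1.0 means one try per account


def parse_line(line):
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def classify_source(attempts, window=WINDOW):
    """Classify one client's attempts by the shape of its densest burst.

    Credential stuffing spreads attempts across many distinct accounts (the
    attacker has one candidate password per account); a password brute force
    concentrates many attempts on a single account.
    """
    attempts = sorted(attempts, key=lambda a: a["ts"])
    verdict = "benign"
    for i, first in enumerate(attempts):
        burst = [a for a in attempts[i:] if a["ts"] - first["ts"] <= window]
        if len(burst) < MIN_ATTEMPTS:
            continue
        users = {a["user"] for a in burst}
        if len(users) / len(burst) >= STUFFING_SPREAD:
            return "credential_stuffing"
        if len(users) == 1:
            verdict = "password_brute_force"
    return verdict


def analyse(log_text):
    """Return {src: {"verdict", "attempts", "likely_compromised"}}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            a = parse_line(line)
            by_src[a["src"]].append(a)
    report = {}
    for src, attempts in by_src.items():
        verdict = classify_source(attempts)
        # A successful login from a stuffing source is a reused password that
        # worked: those accounts need a forced reset and an MFA challenge.
        compromised = sorted({a["user"] for a in attempts if a["ok"]}) if verdict == "credential_stuffing" else []
        report[src] = {"verdict": verdict, "attempts": len(attempts), "likely_compromised": compromised}
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

The useful output is not the verdict on the attacking address but the list of accounts it logged into successfully: each of those is a reused password that worked, and the appropriate response is a forced reset and an MFA challenge for those accounts rather than only blocking the source.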
Recommendations
The newly released guidance sets out recommendations to mitigate the risks of credential stuffing attacks:
- Multi-factor authentication (“MFA”) – the use of two or more verification factors to gain access to a website or resource; and
- Complex or alternative passwords – implementation of strong password policies with a minimum password length, special characters, and a password “deny list” that disallows commonly used or previously exposed passwords.
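The second recommendation can be enforced at the point where a password is set or changed. The following is an added example written for this page, not code from the IEWG guidance or DAC Beachcroft, showing a minimum-length check together with a deny list of commonly used passwords and a check against previously exposed passwords. The minimum length, the deny-list contents and the small “breach corpus” are constructed assumptions (a real deployment would load a full common-password list and query a complete breach corpus); the breach lookup is structured as a prefix range query, so only the first five characters of the password’s hash would ever leave the client. The normalisation step, which catches “Password123!” as a variant of “password”, goes beyond what the guidance itself describes.

```python
"""Enforce the password recommendations: minimum length plus a deny list of
commonly used and previously exposed passwords.

Added example for this page, not code from the IEWG guidance. The minimum
length, the deny-list contents and the "breach corpus" are constructed
assumptions; a real deployment would load a full common-password list and
query a complete breach corpus. The normalisation step (treating
"Password123!" as "password") goes beyond what the guidance describes.
"""
import hashlib

MIN_LENGTH = 12  # assumption: use the length your policy requires

# Constructed deny list of commonly used passwords (tiny sample).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Map the usual substitutions back to letters so trivial variants still match.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
_TRIM = "0123456789!@#$%^&*()-_=+.,;:'\"?"


def normalise(password):
    """Lower-case, drop leading/trailing digits and punctuation, undo leetspeak."""
    return password.lower().strip(_TRIM).translate(_LEET)


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed the way a
# k-anonymity range lookup works: the first 5 hex characters of the SHA-1
# select a bucket, and the client compares the remaining 35 characters
# locally, so the full hash never has to leave the client.
_BREACHED_SAMPLE = ["Summer2023!!", "P@ssw0rd1234", "correcthorsebatterystaple"]
BREACH_RANGES = {}
for _pw in _BREACHED_SAMPLE:
    _h = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def lookup_range(prefix):
    """Return the hash suffixes in the corpus bucket for a 5-character prefix."""
    return BREACH_RANGES.get(prefix.upper(), set())


def is_previously_exposed(password):
    h = _sha1_hex(password)
    return h[5:] in lookup_range(h[:5])


def check_password(password):
    """Return (accepted, reason). Cheap checks run first."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if normalise(password) in COMMON_PASSWORDS:
        return False, "matches a commonly used password"
    if is_previously_exposed(password):
        return False, "found in breach corpus"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["qwerty", "Password123!", "correcthorsebatterystaple", "ravine-kettle-orbit-42"]:
        print(repr(pw), check_password(pw))
```

The deny-list check is applied to the normalised form deliberately: a list that only matches “password” exactly is defeated by “Password1!”, which is precisely the kind of variant users produce to satisfy a special-character rule. The breach check is applied to the password as typed, since breach corpora are keyed on the exact string.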
Stuffing Uber and Dunkin Donuts…
Uber fell victim to a credential stuffing attack and was subsequently fined £385,000 by the Information Commissioner’s Office (ICO) in the UK. Uber had “avoidable data security flaws” which allowed threat actors to access the personal details of 2.7m UK customers and an estimated 82,000 drivers. The accessed data included customers’ names, email addresses and phone numbers, as well as payment and journey details.
Across the Atlantic, Dunkin’ Brands Inc. (Dunkin’ Donuts) was fined $650,000 for failing to inform customers that their data had been compromised in credential stuffing attacks. The affected data belonged to holders of Dunkin’ value cards, with the threat actors obtaining card information and making fraudulent purchases. Over 20,000 customer accounts were compromised and tens of thousands of dollars stolen. The Attorney General of New York found that Dunkin’ had failed to take appropriate action, and the company was required to notify its customers, reset customers’ passwords, provide refunds and implement appropriate measures to protect against future credential stuffing attacks.
Comment
It is commonplace for individuals and organisations to re-use login details across multiple websites, so credential stuffing attacks continue to pose a serious risk to organisations. When a data breach occurs and valid credentials are stolen, the threat actor can replay those same credentials against thousands of other websites to gain access to users’ accounts and data. The IEWG’s guidance sets out practical recommendations that organisations can adopt to protect themselves and mitigate such attacks.
For further information on credential stuffing, please get in touch with DAC Beachcroft’s Cyber and Data Risk team, who remain available to assist with your cyber and data protection related matters.
A link to the IEWG’s guidance can be found here.