Credential Stuffing: What It Is and Why You Should Be Concerned

A recent credential stuffing attack on 23andme.com left most people bemused, if they noticed it at all. A similarly muted response followed the leak of millions of user records on known hacker forums. What is a hacker going to do with your ancestral history? The answer may surprise you and should concern you if you are lax about password security.

A credential stuffing attack occurs when a hacker takes stolen login data from the Dark Web, such as a username and password stolen from a previous attack, and uses it to try and gain access to other online accounts. In the simplest terms, it works like this:

1. A criminal steals, buys or finds usernames and passwords online.
2. The criminal attempts to access an account on a popular site using the stolen usernames and passwords. This can be done slowly, one set of credentials at a time. The attack on 23andMe.com, which led to the compromise of millions of credentials, may have been automated.
3. Credentials that work, that is, username and password combinations that give the criminal access to the account, get marked as "working" or valid.
4. The criminal creates a new database of working credentials and offers it for sale via the Dark Web or hacker forums.

If you are the target of a credential stuffing attack, a hacker now knows two things about you: You use the same credentials on multiple sites and you do not update your passwords frequently. The next criminal in line, who buys the stolen, working logins, may attempt to access shopping sites, your email accounts or your bank accounts.

Why Was 23andMe Targeted?

Criminals target sites like 23andMe because they are popular. In its second-quarter financial report, 23andMe.com reported more than 14 million users. For criminals hoping to validate stolen logins, a popular site is a good place to start. Criminals are not necessarily interested in hijacking someone's 23andMe account, but they are interested in finding out if username and password combinations work. Hackers can then prove that they gained access to the accounts by posting some data that would only be available to the account holder; in the case of 23andMe, this was information about clients' genetic history, which is only shared on an individual basis with registered users.

That proof increases the value of the records. Criminals assume that people who use the same username and password on more than one site likely use it on additional sites, which may include Amazon, eBay, Facebook or banking sites. Armed with working passwords, criminals can then attempt to hijack the accounts that they truly want. For the hacker who carries out a credential stuffing attack, the reward comes from selling data.

Most of the top websites in the United States have protections in place to prevent large-scale credential stuffing attacks, which makes the 23andMe.com attack unusual. It is possible that the site was targeted because it offered a combination of a large user base and vulnerability to automated attacks, allowing hackers to test millions of potential username and password combinations. The most-visited websites, and nearly all financial services sites, have safeguards in place to prevent hackers from testing more than a few credentials at a time.

If you are a high-value target, such as someone with a large bank balance, access to large volumes of personal data, access to corporate or public-sector infrastructure or the ability to authorize wire transfers, you are particularly vulnerable to a targeted credential stuffing attack. Criminals will mine databases of validated credentials looking for a few people, identified by their usernames or email addresses, that are high-reward targets. They will then attempt to use stolen credentials across several popular sites to find shared passwords. Because they only try a few credentials at a time, systems that block mass attacks fail.

Should I Be Concerned, and What Should I Do?

Anyone who used 23andMe for a DNA test or opened an account on the site should change that password immediately. If you used the same password on other sites, it should also be changed immediately. The nature and extent of the 23andMe attack, including the number of logins compromised, remain unknown, which makes the potential threat to individuals unknown.

There are a number of additional steps you should take, whether impacted by 23andMe or not, to protect your online accounts from hijacking.

1. Enable two-factor authentication. This is the strongest measure you can take against account hijacking. Even if criminals get your username and password, they will not be able to access the one-time code needed to complete a login. Two-factor authentication is a must for your email and financial logins, and you may want to avoid websites that do not provide it as an option.
2. Sign up for account access notifications. Many of the web's most popular sites, including Microsoft, Gmail and Disney properties, will send you an alert if your account is accessed from a new device. Always enable this notification when it is offered, as it will alert you if criminals attempt to access your accounts. If you receive an alert about activity that you do not recognize, immediately change that password and enable two-factor authentication.
3. Close and delete accounts for services you no longer use. Some sites and service providers will offer to keep your account in a suspended state, hoping that you will return in the future. Reject this convenience and insist that all of your account data, including login information, be removed when you close your account. To ensure that this has been done, attempt to log in to the account with your canceled username and password. If the system does not recognize it, you can consider the account fully closed. Old accounts are a significant vulnerability, because you may not be aware that your credentials were stolen during a cyber attack.
4. Never use the same password or username across multiple accounts. Avoid small variations as well, as a determined hacker could crack your code with a set of your usernames and passwords. As a hard rule, it should take a hacker more than 5 tries to guess your password, as many sites will suspend access to your account after 3 or 4 failed login attempts. Assume that criminals have stolen your credentials from multiple sites and avoid passwords with patterns; for example, if you use passwords such as Magnolia1, Magnolia 2 and Magnolia 3 on different sites, a criminal can very easily figure out that pattern and make an accurate guess about other passwords.
5. Consider a password manager. Next to two-factor authentication, password managers are the best way to keep your logins safe, but the most robust options come with monthly fees. If you are a high-value target, the extra expense may be necessary. Businesses that use password managers should consider offering them for employees' personal devices as a perk. While there may be a small amount of additional overhead, this will cost far less than the work hours lost by an employee who has to recover from a cyber attack. This also plugs a potential path for phishing and pretexting attacks.

The more difficult you make life for criminals, the more likely they are to leave you alone. Password protection should be your highest priority, as poor password hygiene opens the door to attacks that could devastate your finances or your business.