Password Breaches Fueling Booming Credential Stuffing Business

The market for automated credential stuffing tools is growing fast, because of a record number of breaches.

The market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.

Digital Shadows said today in a new report that credential leaks, such as this past month’s Anti Public Combo List and others, have buoyed the market for credential stuffing and made it a lucrative part of the black market economy.

Credential stuffing is the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services. Popular credential stuffing tools include Sentry MBA, Vertex and Account Hitman, according to Digital Shadows in a report released this week.

“Cybercriminals are increasingly turning to credential stuffing tools to automate attempts at account takeover,” according to the report. Sentry MBA, research said, has a wide online presence and is frequently discussed on criminal forums and marketplaces. “The tool exploits the use of weak passwords and password reuse, as it uses previously leaked credential combinations as part of its attacks.”

Digital Shadows researchers say password reuse is fueling the problem. With one breach, one password could crack open dozens of accounts owned by the same person. Nearly 97 percent of the world’s 1,000 largest companies have had corporate credentials exposed, researchers said.

“Downloading of the software itself is free, but there are some associated costs… A credential stuffing attempt can cost anything from $10 to $2,330,” researchers said. First and foremost among those costs are the credentials themselves. “One of the most comprehensive (credential) packages cost $2,999, claiming to give you 3,825,302,948 credentials from 1,074 databases,” Digital Shadows said.

Next, in order to make the software work, users are required to have a configuration file. The configuration files map out the specific aspects of a target site so the software knows where to attempt logins. Different credential stuffing tools also offer different features. For example, Sentry MBA claims to have the ability to bypass CAPTCHA protections, while Vertex and Account Hitman don’t.

“As you can see, the barrier to entry can be quite low and with these elements in place attackers can be just clicks away from launching account takeover attacks,” Digital Shadows said.

There are a number of mitigation efforts against future attacks that users and business can adopt. Researchers recommend raising user awareness, monitoring for leaked credentials on services such as the Have I Been Pwned website, or deploying an inline web application firewall that can identify and block credential stuffing attacks.
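One way a defender can recognize the pattern described above in its own login telemetry, as an added example that is not from the Digital Shadows report or the article: a credential stuffing run typically tries many distinct usernames from one source in a short window, with most attempts failing. The log format and the sample lines below are constructed for illustration, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (format is an assumption, not a real product's log):
# timestamp source_ip username result
SAMPLE_LOG = """\
2017-06-01T10:00:01 203.0.113.7 alice FAIL
2017-06-01T10:00:02 203.0.113.7 bob FAIL
2017-06-01T10:00:02 203.0.113.7 carol FAIL
2017-06-01T10:00:03 203.0.113.7 dave OK
2017-06-01T10:00:04 203.0.113.7 erin FAIL
2017-06-01T10:00:05 203.0.113.7 frank FAIL
2017-06-01T10:00:30 198.51.100.9 alice FAIL
2017-06-01T10:00:40 198.51.100.9 alice FAIL
2017-06-01T10:00:55 198.51.100.9 alice OK
2017-06-01T10:01:00 192.0.2.44 gina OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def flag_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried at least `min_users` distinct usernames
    inside `window` with a success rate at or below `max_success_rate`.
    A single user retrying their own password (one username, few attempts) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        end = 0  # sliding window: end only moves forward as start advances
        for start in range(len(attempts)):
            while end < len(attempts) and attempts[end][0] - attempts[start][0] <= window:
                end += 1
            chunk = attempts[start:end]
            users = {u for _, u, _ in chunk}
            success_rate = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and success_rate <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                               "success_rate": round(success_rate, 2)}
                break
    return flagged
```

Thresholds are deliberately conservative here; in practice they are tuned against the site's normal traffic, and shared egress addresses (corporate NAT, VPN exits) need higher limits to avoid blocking legitimate users.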

Interestingly, researchers say multifactor authentication (MFA) is no silver bullet in preventing attacks. “There are several instances of threat actors bypassing mechanisms that rely on SMS messages to deliver temporary tokens,” researchers said.

Citing examples, researchers said the banking Trojans Marcher, Retefe and Dridex have frequently been known to employ SMS MFA bypass methods.

“Many organizations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches,” said Rick Holland, VP strategy at Digital Shadows, in a statement. “But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem of credential exposure from escalating into an even more severe problem.”

  • Lindsay on

    Great to see people taking password protection seriously - although it sounds a bit whack-a-mole to me ... relying on software to do a human's job doesn't kill the root - we need a culture change at businesses so people know to regularly change passwords etc. In the UK, Cybsafe is certainly helping to do this.
  • Sebastian Jesson-Ward on

    Relying upon a 20th Century method to protect 21st Century services is archaic. Purchasing block user and pass credentials is only one problem. Brute force, dictionary attacks and social engineering tactics have been utilised for some time. Authentication of the user, such as 2FA and MFA, coupled with stringent password policies and location based restrictions are necessary. I don't see that on Cybsafe?
  • Laura Haglund on

    We definitely need a culture change, one that can only be brought about by educating ALL users. What we are getting, unfortunately, is an upsurge in paranoia that leads to half-baked stopgap solutions. Recently I have encountered several instances of increased automated face-slaps from sites that assume I am a stuffing-bot because I use a VPN. In one case I was unable to log in because their CAPTCHA was not configured well. I would love to use 2FA, but everywhere I go that is offered -- if at all -- in the form of an SMS, and I DON'T EVEN HAVE A MOBILE PHONE! At any rate, the VPN-phobia is punishing the wrong people. I never re-use passwords for anything that matters, and my good ones would take years to crack. But too often I am forced to change them because of anti-bot-botting. We need to fix the human problem, and filling the Web with annoyances is not getting that done.
  • TP on

    It's rather unfortunate and in poor taste to discredit the valuable use of 2FA, just based on one less secure method of it. U2F, or USB devices plugged into your laptop that you must physically tap to verify your identity is a secure, tamper-proof way to protect accounts. For those with smartphones, use a 2FA app that sends a push notification to your phone to verify (not SMS-based or easily bypassed).