In early 2019, information security researcher and Have I Been Pwned (HIBP) founder Troy Hunt stumbled across the largest data dump of his career. Famously known as Collection #1, it contained approximately 773 million records of email addresses and passwords at the time it was published on the dark web. Other researchers quickly followed Hunt's trail and found what appeared to be the sequel to Collection #1: a staggering 845 gigabytes of stolen data in Collections #2, #3, #4 and #5, totalling nearly 2.7 billion rows of email addresses and passwords, far more than the initial Collection #1 leak.
“Why are you telling me news from two years ago?” I hear you cry. Well, just because it happened two years ago doesn't mean it isn't relevant today. In fact, attacks involving user account details are on the rise, not least because of the shift to remote working (thanks, COVID-19). Anyway, I digress. Following this remarkable discovery, Microsoft researched the various ways password-based authentication can be broken and found that more than 20 million Azure Active Directory accounts (both cloud and hybrid) were being probed daily via credential stuffing attacks.
When breaches occur, the aftermath is usually a data dump of precious information that lets attackers carry out attacks such as credential stuffing and password spraying. These pose a serious threat to organisations because they're tricky to safeguard against (don't worry, we'll talk more about that later): a successful attack only needs someone to log into the system with legitimate credentials, so it looks like an ordinary login rather than an exploit. Because they require so little technical understanding, script kiddies are more likely to attempt them, widening the potential source of attacks.
Anyway, back to credential stuffing. Credential stuffing uses known pairs of usernames and passwords to fraudulently gain access to an account. Large numbers of credentials, usually purchased or extracted from publicly available data dumps (much like Collections #1 to #5), are replayed against login interfaces, typically by automated tooling, until a pair matches an existing account. The attack works because people reuse passwords: a pair leaked from one service is tried against every other service the victim might use. Having access to these data dumps means attackers can generate better attack inputs, giving them a higher chance of success. Sadly, even a strict password policy wouldn't help an organisation here, as the attacker already has the victim's exact password.
Another popular method used by attackers is password spraying. Similar to credential stuffing, usernames are first extracted from dumps, and then a handful of common passwords, such as “password” and “qwerty”, are ‘sprayed’ across all of them in an attempt to gain access to an account. Trying one or two guesses against many accounts, rather than many guesses against one, keeps every account below its lockout threshold, which is what makes spraying hard to spot with per-account controls alone.
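The spraying signature described above (one source, few guesses, many accounts, none of them locked out) is something you can look for in your own authentication logs. The following is an added example, not code from the original post; it assumes a constructed log format of one `<timestamp> <source_ip> <username> <SUCCESS|FAIL>` event per line and the sample lines are made up for the demonstration.

```python
"""Spot password spraying in authentication logs.

Added example, not code from the original post. It assumes a constructed log
format of "<timestamp> <source_ip> <username> <SUCCESS|FAIL>", one event per
line. The signature it looks for is a single source trying a small number of
guesses against many distinct accounts in a short window, while staying under
the per-account lockout threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data). 203.0.113.9 tries one guess against
# twelve accounts in twelve seconds; 198.51.100.4 is one user mistyping their
# own password a few times before getting it right.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z 203.0.113.9 alice FAIL
2021-03-01T09:00:02Z 203.0.113.9 bob FAIL
2021-03-01T09:00:03Z 203.0.113.9 charlie FAIL
2021-03-01T09:00:04Z 203.0.113.9 dave FAIL
2021-03-01T09:00:05Z 203.0.113.9 erin FAIL
2021-03-01T09:00:06Z 203.0.113.9 frank FAIL
2021-03-01T09:00:07Z 203.0.113.9 grace FAIL
2021-03-01T09:00:08Z 203.0.113.9 heidi FAIL
2021-03-01T09:00:09Z 203.0.113.9 ivan FAIL
2021-03-01T09:00:10Z 203.0.113.9 judy FAIL
2021-03-01T09:00:11Z 203.0.113.9 mallory FAIL
2021-03-01T09:00:12Z 203.0.113.9 oscar FAIL
2021-03-01T09:01:00Z 198.51.100.4 carol FAIL
2021-03-01T09:01:10Z 198.51.100.4 carol FAIL
2021-03-01T09:01:20Z 198.51.100.4 carol FAIL
2021-03-01T09:01:30Z 198.51.100.4 carol FAIL
2021-03-01T09:01:40Z 198.51.100.4 carol SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=10, max_per_user=3):
    """Return {source_ip: sorted usernames} for every source whose failed logins
    hit at least `min_users` distinct accounts inside `window`, with no single
    account tried more than `max_per_user` times (i.e. kept below lockout).
    A brute force against one account fails the distinct-user test, and so
    does a user mistyping their own password."""
    failures = defaultdict(list)               # ip -> [(timestamp, user), ...]
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):       # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # keep the widest window seen for this source
                if len(per_user) > len(flagged.get(ip, [])):
                    flagged[ip] = sorted(per_user)
    return flagged


if __name__ == "__main__":
    for ip, users in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

Keying on source IP is the simplest version; a spray routed through a proxy pool or spread over days ("low and slow") won't cluster this way, so in practice you would also look at the global count of accounts with exactly one failure in a window, or correlate on user agent or session fingerprint, with the thresholds tuned to your own lockout policy.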
As I said before, safeguarding your organisation against credential stuffing or spraying attacks isn’t the easiest task. Fortunately, there are some steps you can take to strengthen your organisation’s password use.
Starting with… leaked password verification! This can be carried out whenever a user sets or updates their password, or even periodically across your organisation. Cross-checking against passwords that have previously appeared in breaches is a good way to minimise the likelihood of someone using a compromised password, and services such as HIBP's Pwned Passwords let you do it without ever sending the password itself. If passwords linked to your organisation are found in any of these dumps, ban them from being used immediately and make the affected users reset.
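Here is what that check looks like in code, as an added example rather than anything from the original post or from HIBP. It assumes the public Pwned Passwords range endpoint `https://api.pwnedpasswords.com/range/<first 5 hex characters of SHA-1>`, which answers with `SUFFIX:COUNT` lines; the breach list and counts used by the offline stand-in are constructed for the demonstration.

```python
"""Leaked-password check using the k-anonymity range lookup that Have I Been
Pwned's Pwned Passwords API offers.

Added example, not code from the original post or from HIBP. It assumes the
public endpoint https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>,
which answers with "SUFFIX:COUNT" lines. Only the 5-character prefix leaves
the machine; the candidate's full hash is never sent. The offline stand-in
below replaces the network call so the check can run anywhere.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Uppercase hex SHA-1 of the password, split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Fetch the real range for a prefix (network call; HIBP requires a User-Agent)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "leaked-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """How many times the password appears in the breach corpus; 0 means not found.
    The match is made locally against the suffixes the server returned."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password, fetch_range=fetch_range_live):
    """Policy hook for a set/change-password flow: reject anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


# --- offline stand-in for the API, built from a constructed breach list ---
# Passwords and counts here are made up for the example, not HIBP's figures.
CONSTRUCTED_BREACHED = {"password": 3_000_000, "qwerty": 2_000_000, "letmein": 90_000}


def fake_fetch_range(prefix):
    """Answer like the API would, but from CONSTRUCTED_BREACHED only."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("F" * 35 + ":1")   # unrelated filler suffix; real responses carry hundreds
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "qwerty", "Tr0ub4dor&3-but-longer-and-unique"):
        if password_allowed(candidate, fake_fetch_range):
            print(f"{candidate!r}: allowed")
        else:
            print(f"{candidate!r}: seen {breach_count(candidate, fake_fetch_range)} times, rejected")
```

To use it for real, call `password_allowed(candidate)` with the default live fetcher from your set-password handler; the fake fetcher exists so the logic can be tested without network access. Note that the check is on the SHA-1 of the password only for the purpose of this lookup; it says nothing about how you should store passwords, which still belongs to a slow, salted hash.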
Have you ever considered using a password manager? These clever applications create, store and retrieve multiple credentials from an encrypted database. The best bit? You only need to remember your master password! Using password managers at your organisation helps users avoid recycling passwords across different accounts (the reuse that credential stuffing depends on) and encourages strong, unique password creation, greatly reducing the likelihood of falling victim to a spraying attack!
Multi-factor authentication (MFA) is, by far, the strongest defence against credential stuffing and password spraying: a stolen or guessed password on its own is no longer enough to log in. Microsoft suggested that, by using MFA, 99.9% of account compromises could have been prevented. Security questions and PINs can also be prompted as part of a multi-step authentication mechanism, but they aren't classed as MFA, because they are another ‘something you know’, the same factor as the password, rather than ‘something you have’ or ‘something you are’.
Protecting your password is such a simple task, and it could prevent a big disaster. Always take extra care when choosing a password and looking after your accounts in general. You don't want to see your name appear in a data dump, do you?