Billions of Login Credentials Leaked, And Used by Credential Stuffing Bots

February 28, 2020



A recent data breach leaked the credentials of billions of users, providing cybercriminals with a trove of data to use in bot-driven credential stuffing attacks. Understanding what are bots, what their role is in credential stuffing, and how to protect against these types of attacks helps to protect user accounts against malicious access. It can also decrease the amount of malicious traffic that hits eCommerce and other sites commonly targeted by bots.

Inside the Breach

On December 4, 2019, a security researcher discovered an unsecured Elasticsearch database accessible from the public Internet. The database was first indexed by the BinaryEdge search engine three days earlier, making it findable using BinaryEdge. After being notified of the breach, the company that owned the database took it offline on the 9th. However, this gap between initial accessibility and final takedown left a wide window for cybercriminals to find and plunder the exposed database. It contained 2.7 billion email addresses and 1 billion plaintext passwords, which indicates that the owner had more than one flaw in their security controls.

The potential impacts of this attack are numerous. For one, the breached email addresses originated primarily from Chinese email providers. Many Chinese email users will use their phone number as their username (due to an unfamiliarity with English characters), meaning that this leak may have breached more data than is readily apparent.

Credential Stuffing and Bots

However, one of the greatest potential impacts of this data breach is the use of the leaked data in credential stuffing attacks. In a credential stuffing attack, the attacker tries to authenticate to a service with a known username – often an email address like the 2.7 billion leaked in this breach – and a potential password for the account.

In many cases, credential stuffing attacks take advantage of the fact that most people use weak passwords, making them possible to guess using a brute force guessing attack. However, this data breach means that, for the 1 billion users whose passwords were breached, an attacker can target users that reuse passwords across multiple accounts. Since 65% of people reuse the same password across multiple accounts, this dump of 1 billion email addresses and associated passwords represents a potential gold mine for an attacker. The problem with credential stuffing attacks is that they are time-consuming since they involve guessing several potential passwords for each account. With 2.7 billion email addresses to play with, the workload quickly adds up.

This is where the bots come into play. Bots are automated scripts designed to mimic a human performing some activity, like authenticating to a website. Due to the rash of recent data breaches, cybercriminals have a vast trove of leaked credentials to use in credential stuffing attacks. Since bots are ideally suited to this type of attack (since it only involves making repeated requests with usernames and passwords from a list), it should be no surprise that bots comprise the majority of traffic to eCommerce sites (where stolen passwords are of value).

Protecting Against Credential Stuffing Attacks

This data breach is only the latest in an endless stream of leaked customer data. While this case has a few unusual features, like the fact that 1 billion passwords were stored in plaintext, it only serves to reinforce the standard lessons of data breaches and credential stuffing attacks.

  • Protect User Credential Data

It is theorized that the data in this leaked dataset was actually put together from data collected in past data breaches. However, all of this consumer data was stolen from an inadequately protected company database at some point. Ensuring user privacy and security – and maintaining compliance with data protection regulations – requires organizations to protect this data by deploying a strong data security solution.

  • Deploy Bot Detection Algorithms

Most cybercriminals don’t want to waste their time entering each possible set of user credentials individually on a webpage, so they use bots to do so automatically. While bots have come a long way in recent years, many of them still include features that make it possible to differentiate them from human users. Deploying a behavioral analytics solution on a webpage can help differentiate between legitimate human users, bots, and cybercriminals attempting to use stolen credentials to access a user account.

  • Implement Multifactor Authentication

The security issues of passwords are well-known, but they are still in use since they are a simple solution to manage user authentication. However, securing access to a user’s sensitive data or a company’s protected functionality requires a more robust security solution. Deploying multi-factor authentication throughout an organization’s web presence (both internal and external) can dramatically improve security by rendering stolen or guessed user credentials useless to an attacker.

Lessons Learned from the Leak

Data breaches have become a fact of modern life. As long as organizations continue to collect valuable data, cybercriminals will attack their databases to steal information that can be used in future attacks, like credential stuffing, or sold on the black market.

Protecting against these threats requires addressing the threat at all levels of the process. Deploying robust data security solutions, implementing behavioral analytics for bot detection, and adding multifactor authentication to sites throughout an organization’s web presence can make it much more difficult for cybercriminals to pull off and profit from credential stuffing attacks. This will not only protect user accounts but also reduce malicious traffic to sites targeted by credential stuffing bots.

Latest Customer Service Articles