Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

One such form of cybercrime involves credential compromise. Credential compromise, encompassing the theft, spilling and stuffing of user account information, is not new. The cycle of infiltrating a company’s systems, stealing credentials like email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors has been around for years. Its longevity can be attributed to ongoing success enabled by a number of systemic failures: end-users’ propensity to recycle passwords from site to site, companies’ failure to identify and report compromises in a timely manner, and weak systems security measures, together with a hefty return on investment for fraudsters.

For example, according to Shape Security’s 2017 Credential Spill Report (January 2017), the return for cybercriminals on credential stuffing can be as high as 2 percent. So, for every 1 million stolen credentials, criminals could gain access to as many as 10,000 accounts.

Such activity plagues both businesses and end-users who transact across digital channels in increasing numbers and with increasing frequency. Aside from the hard-dollar costs involved in detecting and preventing credential compromise (or to clean up the aftermath of a breach), there are other, less obvious, but equally costly, ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

The Basics of Credential Compromise

Here is some of the latest terminology defining credential compromise:

  • Credential theft: Attackers hack into a system and steal end-users’ account login credentials (user IDs or email addresses and passwords).
  • Credential stuffing: The use of automated means (bots) to test a large set of stolen passwords against websites.
  • Password recycling: The tendency for users to use the same password across multiple online accounts.
  • Credential spilling: The release of mass amounts of user credentials onto the dark web.

The End-to-End Journey of Compromised Credentials

Step 1: Gain access to credentials

Criminal organizations and lone actors use various methods to breach typical enterprise security protocols, including phishing and smishing, malware, man-in-the-middle attacks, mass compromise via network breach, and insider theft.

Step 2: Validate the credentials

After a database has been breached by cybercriminals and access to mass amounts of user credentials has been gained, criminals who wish to either use the credentials themselves to gain access to other accounts to commit theft, or to sell the data to the highest bidder on the dark web, must first test the validity of the data. This is where credential stuffing comes into the mix.

Bots and Credential Stuffing

In order to gain that much-sought-after validation, credential stuffing is employed. As mentioned previously, credential stuffing involves mass testing of stolen login IDs and passwords, using bots to automate the process. Bots in this context are malware-infected computers or mobile devices that a criminal actor can take over, control and use to perform automated tasks, such as attempting account logins across numerous sites with stolen credentials. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

How to Detect Bots

Fortunately, by combining low- and high-tech approaches to detection, enterprises can reduce both the likelihood of a bot attack and the damage it inflicts.

  • Monitor for spikes in site traffic
  • Detect the velocity of devices attempting multiple logins on multiple accounts over a short period of time
  • Leverage the next generation of bot-prevention tools, such as device intelligence, device fingerprinting, malware detection, machine learning and behavioral analysis
  • Deploy security solutions that employ multi-factor authentication (MFA)
  • Risk-score devices based on malware, location anomalies, operating system configuration anomalies and fraud tool detection
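
The velocity check in the list above, written out as an added example (this is not code from the original article). It assumes a constructed log format of one login attempt per line, `<ISO timestamp> device=<fingerprint> account=<id> result=<ok|fail>`, with lines in time order and a device fingerprint already assigned by the web tier; a device that fans out across more distinct accounts than a threshold inside a sliding window is flagged.

```python
"""Velocity-based credential-stuffing detection over constructed login logs.
Added example, not code from the original article. Assumed log format:
"<ISO timestamp> device=<fingerprint> account=<id> result=<ok|fail>"."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: fp-a1 cycles through seven accounts in seconds (stuffing),
# fp-b2 is one user mistyping a password, fp-c3 is a shared device with three users.
SAMPLE_LOG = """\
2017-03-01T10:00:00 device=fp-a1 account=alice result=fail
2017-03-01T10:00:01 device=fp-a1 account=bob result=fail
2017-03-01T10:00:02 device=fp-a1 account=carol result=fail
2017-03-01T10:00:03 device=fp-b2 account=alice result=fail
2017-03-01T10:00:03 device=fp-a1 account=dave result=fail
2017-03-01T10:00:04 device=fp-a1 account=erin result=ok
2017-03-01T10:00:05 device=fp-a1 account=frank result=fail
2017-03-01T10:00:06 device=fp-a1 account=grace result=fail
2017-03-01T10:00:20 device=fp-b2 account=alice result=fail
2017-03-01T10:00:35 device=fp-b2 account=alice result=ok
2017-03-01T10:01:00 device=fp-c3 account=heidi result=ok
2017-03-01T10:01:30 device=fp-c3 account=ivan result=ok
2017-03-01T10:02:00 device=fp-c3 account=judy result=ok
"""

def parse_line(line):
    """Split one log line into (timestamp, device, account, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["device"], kv["account"], kv["result"]

def flag_stuffing_devices(log_text, window=timedelta(seconds=60), max_accounts=5):
    """Return {device: peak distinct accounts} for devices that tried more than
    max_accounts DISTINCT accounts inside any sliding window (lines must be
    time-ordered). Outcome is ignored on purpose: the fan-out across accounts,
    not the failure count, separates a stuffing bot from a user who mistypes."""
    recent = defaultdict(deque)  # device -> time-ordered (timestamp, account)
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, device, account, _ = parse_line(line)
        q = recent[device]
        q.append((ts, account))
        while ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        distinct = len({acct for _, acct in q})
        if distinct > max_accounts:
            flagged[device] = max(flagged.get(device, 0), distinct)
    return flagged
```

On the sample, only `fp-a1` is flagged; the repeated failures from `fp-b2` are not, because they all target one account.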


Using a variety of techniques like these to identify and screen out bots is a crucial factor in slowing and stopping bots before they inflict costly damage, both in terms of expense and reputation.

In addition to implementing technology solutions that combat bots directly on your systems, an enterprise may also choose to work with firms that specialize in investigating and exposing cybercrime. Such cybersecurity firms are able to obtain information from the underground criminal forums where customer information is released, and many times will conclude that the breach is greater in scale than originally assumed. Often they can obtain a sample of the breached data and recommend procedures against further exposure.

Step 3: Use the Validated Credentials

Once cybercriminals have validated the stolen credentials, they are ready to be released on the dark web or sold to the highest bidder. Essentially, stolen and validated credentials are used for the purposes of account takeover, either as a means of gaining access to additional valuable information or to directly commit transaction fraud.

Once a winning combination of credit card details, IDs and passwords has been stitched together, fraudsters can begin with monetization. Bots may either start with a single high-value card-not-present (CNP) transaction or attempt many small transactions that fly under the radar.

Impact to Businesses

While hard-dollar fraud losses resulting from compromised credentials are an overwhelming concern for businesses and consumers, the theft, stuffing and spilling of credentials has far broader implications for reputation and consumer satisfaction.

Financial

Regarding the financial impact of credential compromise, Shape Security has already identified $1 billion in attempted fraud from credential stuffing attacks in 2016 alone. Aside from the money that disappears from accounts and must be reimbursed to consumers, businesses must also face the added expense of extra man-hours and of implementing technology solutions to detect, prevent and manage such attacks. The sheer volume of additional site traffic generated by credential stuffing has an overwhelming effect on an enterprise’s servers, resulting in outages and slow response times, as well as necessitating ramped-up support center staffing to handle queries from concerned or irate customers.

Confident Decisioning

Additionally, credential stuffing has a profound effect on an organization’s ability to accurately track and leverage valuable insights regarding site traffic through reporting. Valuable metrics like site visits, click-through rates and conversions are used by e-commerce sites and others to analyze performance and make strategic decisions. According to the Shape Security report, “90 percent of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.” Such skewed information undermines an organization’s ability to confidently use site analytics to make strategic decisions.

Reputation and Consumer Satisfaction

Massive numbers of password lockouts and reset attempts not only generate a high level of frustration among end-users, but also create staffing challenges, encourage password recycling among users and inflict damage on your business’s reputation.

An unexpected influx of authentication calls into a large organization’s call center can cost several dollars per call; however, customer frustration and lack of trust in an organization’s ability to protect sensitive account and personal information can be far costlier.

Stay Ahead of Cybercriminals

Credential compromise isn’t going away any time soon. Nor are bot attacks that enable cybercriminals to validate sensitive information that provides a hefty ROI for them and facilitates financial theft with increasing sophistication.

It’s essential that security professionals employ every weapon in their arsenal, from monitoring and bot detection to device authentication, identity verification and malware prevention solutions.

The stakes of a credential breach are high, presenting an alarming risk to your organization’s bottom line, reputation, and customer trust and loyalty. No matter the type of information your business collects in its systems, it should be protected as if it were virtual gold, because to cybercriminals, it might just be.
