F5’s latest Credential Stuffing report finds doubling of annual credential spill incidents

The number of annual credential spill incidents nearly doubled from 2016 to 2020, according to F5’s latest Credential Stuffing Report.

Released today, the most comprehensive research initiative of its kind reported a 46% downturn in the volume of spilled credentials during the same period. The average spill size also declined, falling from 63 million records in 2016 to 17 million last year. Meanwhile, the 2020 median spill size (2 million records) represented a 234% increase over 2019 and was the highest since 2016 (2.75 million).

Credential stuffing, which involves the exploitation of large volumes of compromised username and/or email and password pairs, is a growing global problem.

“Attackers have been collecting billions of credentials for years. Credential spills are like an oil spill, once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises. It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not going to change any time soon,” said Sara Boddy, Senior Director of F5 Labs. “If you are worried about getting hacked, it’s most likely going to occur from a credential stuffing attack.”

Poor Password Storage and Growing Attacker Sophistication

Despite a growing consensus on industry best practices, one of the report’s key findings is that poor password storage remains a perennial problem.

Although most organizations do not disclose password hashing algorithms, F5 was able to study 90 specific incidents to give a sense of the most likely credential spill culprits.

Over the past three years, 42.6% of the credential spills had no protection and the passwords were stored in plain text. Next, at 20%, were credentials hashed with ‘unsalted’ SHA-1 (i.e., lacking a unique value that can be added to the end of the password to create a different hash value). The ‘salted’ bcrypt algorithm was third with 16.7%. Surprisingly, the widely discredited hashing algorithm, MD5, accounted for a small proportion of spilled credentials even when the hashes were salted (0.4%). MD5 has been considered weak and poor practice for decades, salted or not.
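The storage classes named above can be checked in one's own user table. The following is an added example, not code from F5 or its report: it classifies stored values by shape, flags values shared by several users (the sign of plaintext or unsalted hashing), and shows a salted alternative. The function names and sample rows are constructed for illustration, and PBKDF2 from the Python standard library stands in for bcrypt.

```python
import hashlib, hmac, os, re
from collections import Counter

# Heuristic shapes only: a 40-hex string is SHA-1 *length*, not proof of SHA-1.
PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha1-length hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5-length hex", re.compile(r"^[0-9a-fA-F]{32}$")),
]

def classify(stored):
    for label, pattern in PATTERNS:
        if pattern.match(stored):
            return label
    return "plaintext or unknown"

def audit(rows):
    """Return (count per storage class, stored values shared by several users)."""
    rows = list(rows)
    counts = Counter(classify(value) for _, value in rows)
    reuse = Counter(value for _, value in rows)
    return counts, {v: n for v, n in reuse.items() if n > 1}

def hash_salted(password, iterations=600_000):
    salt = os.urandom(16)  # unique per user, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample table: alice and bob chose the same password.
SAMPLE = [
    ("alice", hashlib.sha1(b"Summer2020!").hexdigest()),
    ("bob", hashlib.sha1(b"Summer2020!").hexdigest()),
    ("carol", "hunter2"),
    ("dave", "d" * 32),
    ("erin", "$2b$12$" + "a" * 53),
]

if __name__ == "__main__":
    counts, shared = audit(SAMPLE)
    print(dict(counts), len(shared), "value(s) shared between users")
    print(hash_salted("Summer2020!") != hash_salted("Summer2020!"))
```

With unsalted SHA-1, alice and bob end up with the same stored value, so recovering one password recovers both; with a per-user salt the two stored values differ even though the password is the same.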

Another notable observation in the report is that attackers are increasingly using ‘fuzzing’ techniques to optimize credential exploit success. Fuzzing is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified inputs. F5 found that most fuzzing attacks occurred prior to the public release of the compromised credentials, which suggests that the practice is more common among sophisticated attackers.

Spill Detection

The average time to detect incidents, when both the incident date and the discovery date are known, is now around eleven months. However, this number is skewed by a handful of incidents where the time to detect was three years or longer. The median time to detect incidents is 120 days. It is important to note that spills are often detected on the dark web before organizations disclose a breach.

Five Phases of Credential Abuse

Based on the study, the 2020 Credential Stuffing report identified five distinct phases of credential abuse:
• Slow & Quiet: Compromised credentials were being used stealthily until a month before a public announcement. On average, each credential was being used 15-20 times per day in attacks across the four websites.

• The Ramp Up: In the 30 days before the public announcement, F5 saw the credentials circulating on the Dark Web. More attackers gained access to the credentials, which is why the number of attacks per day steadily increases.

• The Blitz: As the credentials became public knowledge, ‘script kiddies’ and other amateurs started using them across the biggest web properties. The first week was particularly active, with each account being attacked on average over 130 times per day.

• The Drop Off/New Equilibrium: After the first month, F5 identified a new equilibrium of about 28 attacks per username per day. Interestingly, the new equilibrium is higher than the original status quo of 15 attacks during the ‘slow and quiet’ phase. This is due to a subset of novice attackers still targeting high-value companies with ‘stale’ credentials.

• Reincarnation: After conducting credential stuffing attacks on a variety of web properties, a subset of criminals set about repackaging valid credentials to extend their exploitable shelf life.

Minimizing the Threat

“Credential stuffing will be a threat so long as we require users to log in to accounts online,” added Boddy. “Attackers will continue to modify their attacks to fraud protection techniques, which is creating a strong need and opportunity for adaptive, AI-powered controls related to credential stuffing and fraud. It is impossible to instantaneously detect 100% of the attacks. What is possible is to make attacks so costly that fraudsters give up. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.”