Detecting + Preventing Compromised Credential Attacks


Compromised credential attacks are a kind of cyber-attack in which malicious actors use lists of compromised credentials to attempt to log into a wide range of online accounts. The goal of the attack, like so many others, is to steal personal/financial information from the compromised account or to take it over altogether. Because authentication is typically achieved via APIs, this kind of attack is a significant threat to API security.
Compromised credential attacks rely on the fact that many people use the same password across multiple accounts. Once a large-scale credential stuffing campaign is underway, an organization's immediate options are limited to locking the affected accounts, invalidating their sessions and forcing password resets; the controls that actually blunt the attack have to be in place before it starts.
This post looks at how compromised credential attacks work and what can be done to avoid them.
In many ways, compromised credential attacks resemble brute-force attacks, but they differ in a few key ways. In a brute-force attack, the attacker uses a tool to guess the password of an account by trying many thousands of candidate passwords per minute. Credential stuffers, on the other hand, start from lists of credentials that are already known to be valid somewhere: username and password pairs exposed in plaintext or cracked from leaked password hashes, collected through data breaches, phishing, malware, keyloggers and similar means. Each pair is usually tried once per target, so a single account sees one attempt rather than thousands.
In a compromised credentials attack, the attackers won’t manually attempt to log into all the accounts on their lists. Instead, they use automation tools referred to as account checkers (sometimes called brute-force checkers): small applications that automate login attempts, typically routed through proxies or a botnet so that requests arrive from many different IP addresses and no single source stands out. These checkers take the leaked usernames and passwords and attempt logins on many different sites, apps and services. Because many people use the same password across multiple accounts, attackers can break into any account that shares a password with a breached one. The same tools can then automatically scrape the victim’s personal and financial information, adding value to the compromised credentials.
The risks associated with compromised credentials attacks are the same as those associated with someone obtaining your credentials for a given account. An ill-intentioned person armed with your valid credentials could:
You can add anything related to an online account takeover to the above list.
In a typical compromised credential attack, the attackers could proceed as follows:
Compromised credential attacks are relatively easy to pull off insofar as one doesn’t need extensive programming skills to mount one. Because of that, compromised credential attacks are pretty common.
In 2020, Nintendo fell victim to a compromised credential attack that targeted its legacy Nintendo Network ID (NNID) login. Nintendo initially reported about 160,000 compromised accounts and later raised that figure to roughly 300,000. In this case, the checker tool was able to extract billing and account information, including the credit card type (Visa, MasterCard, etc.), the card’s expiration date, and the first six and last four digits of the card number. This attack resulted in thousands of Nintendo customers having their accounts taken over, and many also incurred financial losses through fraudulent purchases made with the payment methods linked to those accounts.
Also in 2020, Zoom was hit with a compromised credential attack that exposed more than 500,000 Zoom accounts, which were then offered for sale on hacker forums. In this case, the attackers scraped or purchased lists of compromised credentials from previous breaches dating back to 2013. Betting that many, if not most, people reuse the same password on many online accounts, the attackers’ checker was able to confirm that at least 500,000 Zoom users were in this unenviable position.
In 2020 yet again, Marriott International suffered a massive data breach as a result of a compromised credentials attack. This breach compromised the accounts of 5.2 million Marriott customers, exposing their contact information, gender, date of birth, and loyalty account information. The attacker used the login credentials of two employees at a franchised hotel property, presumably obtained through a mix of phishing and credential stuffing, to pull Marriott customers’ information through an internal application for roughly a month (mid-January to late February 2020) before the activity was noticed.
In October 2016, ride-sharing service Uber suffered an even bigger data breach that exposed the personal information of 57 million Uber users and drivers. Here the compromised credentials were not customer passwords but developer credentials: the attackers found access keys in a private GitHub repository used by Uber engineers and used them to pull data from Uber’s cloud storage. It took Uber over a year to disclose the breach. It even went as far as paying the hackers responsible a cool $100,000 to delete the data and keep the breach quiet. Wow – that’s not exactly the definition of “responsible”… The breach exposed the names, email addresses, and phone numbers of Uber customers and drivers, and the driver’s license numbers of roughly 600,000 U.S. drivers.

The way to defend against compromised credential attacks will depend on whether you’re an organization or an internet user. We will, of course, cover both.
A large part of the success of compromised credential attacks relies on human error: reusing the same password on multiple accounts, choosing weak passwords to begin with, or both. Multi-factor authentication is one of the best ways to mitigate that. MFA or 2FA (multi-factor vs. two-factor) requires something you know (your password) and something you have (a device producing a one-time password (OTP), or a hardware security key) before you are authenticated and allowed to log in. Because the OTP changes with every login, a leaked password alone no longer gets the attacker in, which stops a credential stuffing checker cold. One caveat: SMS and app-based OTPs can still be phished by a real-time relay site that forwards the code to the legitimate service, so for high-value accounts prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site’s origin.
It will be up to each organization’s IT security team to decide whether MFA should be required on every login or only in circumstances deemed higher risk, such as logins from unfamiliar locations or IP addresses, from a device the user has never used before, or after a run of failed attempts (this is often called risk-based or step-up authentication). Access control lists (ACLs) and blocklists can then enforce the corresponding network-level restrictions.
It’s possible to integrate lists of compromised passwords into your authentication system so that if a user ever chooses a password that has appeared in a known breach, the password is rejected and they are prompted to choose another (NIST SP 800-63B recommends exactly this kind of screening). The best-known source is the Pwned Passwords service at haveibeenpwned.com, which publishes the full hash set for download and also offers a range API built on k-anonymity: your system sends only the first five characters of the password’s SHA-1 hash and compares the returned candidates locally, so the password itself never leaves your infrastructure.
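The k-anonymity lookup is simple enough to show end to end. The following is an added example, not code from the original post or from Have I Been Pwned; it uses the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) and its documented `Add-Padding` header, but the `FAKE_RANGES` table and its counts are constructed so the example runs offline. The only real value in that table is the SHA-1 suffix of the string "password".

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent to the API
    and the 35-char suffix that never leaves our side (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many times
    our suffix was seen in breach data; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding asks HIBP to pad the response so
    its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-screening-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def is_password_breached(password: str, range_lookup: Callable[[str], str] = fetch_range) -> bool:
    """Reject-at-set-time check: True means the password must not be accepted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_lookup(prefix)) > 0


# Constructed stand-in for the API so the example runs offline. The suffix for
# "password" is real (its SHA-1 starts 5BAA61E4...); the neighbouring entries and
# every count are made up for illustration.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def fake_lookup(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(is_password_breached("password", fake_lookup))  # True
    print(is_password_breached("password", fetch_range))  # True, live query
```

Run the check when a password is set or changed, not on every login, and fail closed (treat a lookup error as "cannot verify, ask again later") rather than silently accepting a password the service could not vet.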
You can require users to solve a CAPTCHA before their login is processed. CAPTCHAs help against compromised credential attacks by slowing automated checkers down significantly. However, CAPTCHAs are not a robust security measure: a seasoned attacker can route them to a human solving service or bypass them with the right tooling, so treat them as one layer in a larger strategy. Remember, too, that CAPTCHAs add friction for every legitimate user, so it usually makes more sense to present them only in suspicious circumstances, as with MFA above.
Traditional access controls have a hard time detecting suspicious behavior because of their binary nature: they consult the account’s permissions or an ACL and answer “grant access” or “deny access,” with no notion of whether the pattern of requests looks normal. Behavioral analytics fills that gap. A system (often marketed as AI-powered, but in practice statistical baselining and machine learning) learns what normal login traffic looks like for your environment and raises alerts on outliers. For credential stuffing the telltale signals are concrete: a sudden spike in failed logins, a single source trying many different usernames once each, an overall success rate far below the usual one, or logins from unfamiliar geographies and networks. A well-tuned behavioral detector can catch such a campaign early, before many accounts have been compromised.
There tend to be two ways that organizations use IP address blocklists, and you should probably combine them. The first is downloading or purchasing lists of malicious IP addresses (known open proxies, botnet nodes, scanning hosts) and using those lists as your blocklist. There’s really no reason to allow those IPs onto your network.
The second way blocklists are used is more dynamic and is based on detecting a certain number of failed login attempts: if a source fails to log in, say, three times, its IP address is added to the blocklist and its access along with it. This second type of blocking should be temporary to avoid permanently locking out legitimate users, and it should key on the source IP rather than only on the account, for two reasons: credential stuffing usually tries each account just once, so a per-account lockout never fires, and an attacker who knows the lockout threshold can deliberately lock real users out. Keep in mind, too, that a checker spread across thousands of proxy IPs will stay under any per-IP threshold, which is why behavioral detection (many distinct usernames from one source, an abnormal failure ratio) matters alongside the counter. You can and should implement both blocklist strategies simultaneously.
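The detection and blocking logic from the last three paragraphs, as an added example that is not part of the original post: a small Python detector that profiles each source IP in constructed login log lines, flags the credential-stuffing shape (many distinct usernames, high failure ratio) that a per-account lockout would miss, and a blocklist that combines a static list with expiring temporary blocks. The log format, IP addresses and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed log format for this example; adapt the regex to your own auth logs.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one source hitting many different accounts once each
# (credential-stuffing shape) and one normal user mistyping a password twice.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d}Z ip=203.0.113.5 user=user{i:02d} result=FAIL" for i in range(11)]
    + ["2024-03-01T10:00:11Z ip=203.0.113.5 user=user11 result=OK"]
    + [
        "2024-03-01T10:01:00Z ip=198.51.100.7 user=bob result=FAIL",
        "2024-03-01T10:01:05Z ip=198.51.100.7 user=bob result=FAIL",
        "2024-03-01T10:01:09Z ip=198.51.100.7 user=bob result=OK",
    ]
)


def parse_log(text):
    """Turn raw lines into dicts, silently skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per source IP: total attempts, failures, and the set of usernames tried."""
    prof = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        p = prof[e["ip"]]
        p["attempts"] += 1
        p["failures"] += 1 if e["result"] == "FAIL" else 0
        p["users"].add(e["user"])
    return prof


def flag_stuffing(profiles, min_attempts=10, min_users=5, min_fail_ratio=0.8):
    """A stuffing tool tries each account once, so per-account lockouts never
    fire; the signal is one source touching many accounts with a high failure rate."""
    flagged = []
    for ip, p in profiles.items():
        ratio = p["failures"] / p["attempts"]
        if p["attempts"] >= min_attempts and len(p["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


class Blocklist:
    """Static list of known-bad IPs plus temporary blocks that expire after `ttl_seconds`."""

    def __init__(self, static_ips=(), ttl_seconds=900):
        self.static = set(static_ips)
        self.ttl = ttl_seconds
        self.expiry = {}  # ip -> unix time at which the temporary block ends

    def block_temporarily(self, ip, now):
        self.expiry[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        if ip in self.static:
            return True
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.expiry[ip]  # expired: lift the block so a real user can get back in
            return False
        return True


if __name__ == "__main__":
    profiles = profile_sources(parse_log(SAMPLE_LOG))
    suspects = flag_stuffing(profiles)
    print("flagged sources:", suspects)  # ['203.0.113.5']
    bl = Blocklist(static_ips={"192.0.2.1"})
    for ip in suspects:
        bl.block_temporarily(ip, now=1_700_000_000)
    print(bl.is_blocked("203.0.113.5", now=1_700_000_060))  # True
```

Note that bob's two failures against a single account would trip a naive "three strikes" rule just as readily as the attacker's first three attempts, while the attacker's twelve-distinct-usernames pattern is what actually distinguishes the two; in practice the profiles would be computed over a sliding window rather than the whole file.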
This is a bit of an odd one because device or browser fingerprinting is usually discussed from an online privacy perspective. Advertisers fingerprint your device to track your internet activity without cookies (as many people block third-party and even first-party cookies these days). However, device fingerprinting can also help defend against compromised credential attacks.
Device fingerprinting combines certain device attributes, such as the operating system, the web browser’s user agent, the device’s language settings, the available fonts, screen size and time zone, among others, to uniquely identify the device or, if you will, to create a fingerprint of it. (The IP address is often included too, but it is the least stable attribute, since it changes whenever the user moves between networks.) The stored fingerprint can then be compared to that of any browser trying to log into the account in question. If they don’t match, the user can be prompted for additional information to authenticate them. Prompting for additional information makes more sense than outright blocking unrecognized devices: your users legitimately use multiple devices and browsers, so immediately blocking a device that doesn’t match the fingerprint may not be the most practical approach.
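One way to implement the compare-then-step-up policy just described, as an added example (not code from the original post): hash a canonical form of the stable attributes, keep the set of known fingerprints per account, and answer "allow" or "step_up" rather than ever "deny". The attribute names, the two sample devices and the choice to exclude the IP address are assumptions made for this example.

```python
import hashlib
import json

# Attributes that stay the same for a given browser install. The client IP is
# deliberately left out: it changes with every coffee shop and mobile tower.
STABLE_ATTRIBUTES = ("user_agent", "platform", "language", "timezone", "screen", "fonts")


def fingerprint(attrs: dict) -> str:
    """Canonical JSON of the stable attributes, hashed so we store and compare
    a fixed-size value. Font lists are sorted so ordering differences don't matter."""
    canon = {k: attrs.get(k) for k in STABLE_ATTRIBUTES}
    if isinstance(canon.get("fonts"), (list, tuple)):
        canon["fonts"] = sorted(canon["fonts"])
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


class DeviceRegistry:
    """Known fingerprints per account. An unknown device gets a step-up challenge,
    not a denial, because real users legitimately switch devices and browsers."""

    def __init__(self):
        self.known = {}  # username -> set of fingerprint hashes

    def decide(self, username: str, attrs: dict) -> str:
        fp = fingerprint(attrs)
        if fp in self.known.get(username, set()):
            return "allow"
        return "step_up"  # e.g. OTP or e-mail confirmation before a session is issued

    def enroll(self, username: str, attrs: dict) -> None:
        """Call once the step-up challenge has succeeded on this device."""
        self.known.setdefault(username, set()).add(fingerprint(attrs))


# Constructed sample devices for the demo.
ALICE_LAPTOP = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0", "platform": "Linux x86_64",
    "language": "en-US", "timezone": "America/Chicago", "screen": "2560x1440x24",
    "fonts": ["DejaVu Sans", "Liberation Mono", "Noto Sans"], "ip": "198.51.100.7",
}
CHECKER_HOST = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "platform": "Win32",
    "language": "en-GB", "timezone": "Europe/London", "screen": "1366x768x24",
    "fonts": ["Arial", "Calibri"], "ip": "203.0.113.5",
}


if __name__ == "__main__":
    reg = DeviceRegistry()
    print(reg.decide("alice", ALICE_LAPTOP))   # step_up (first time seen)
    reg.enroll("alice", ALICE_LAPTOP)
    print(reg.decide("alice", ALICE_LAPTOP))   # allow
    print(reg.decide("alice", CHECKER_HOST))   # step_up (valid password, wrong device)
```

Because the IP is not part of the hash, Alice roaming onto another network still gets "allow", while a checker tool that has her correct password but none of her browser's attributes is routed to the extra challenge; in a real deployment the attribute dict would be collected client-side and the registry persisted per user.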
These really are common-sense tips that you should always follow as they can help you avoid various online threats. Nonetheless, the first four points relate directly to compromised credential attacks. And the following two points are directly related to mitigating phishing attacks, which can lead to credential-based attacks.
Compromised credential attacks will continue to thrive as long as businesses need to rely on passwords and other weak authentication methods. In defending against credential stuffing attacks, the goal is to make obtaining and using stolen credentials as difficult as possible and to slow the process down as much as possible. Weak passwords and password reuse are the biggest culprits here, and they cause serious security issues across organizations. A weak or reused password will eventually be compromised; it’s only a matter of time, as there’s no shortage of attackers. Hopefully your organization can steer clear of credential stuffing attacks by applying the practices listed above and working with a managed cyber security provider like Computers Nationwide!
As the premier Managed Service Provider (MSP) of the Midwest, our mission is to keep businesses like yours protected from compromised credential attacks and hackers of all kinds! Interested in implementing professional Managed IT services at your company? Is it time to upgrade your cybersecurity defense?
Computers Nationwide has you covered. It’s essential to protect your credentials from scammers and malware! We partner with trusted cybersecurity service providers like Webroot, Perch, Huntress, and many more to offer Illinois, Indiana, and Wisconsin businesses the best cyber security and IT solutions to keep your network protected.