OWASP Automated Threats Explained - Credential Cracking | Credential Stuffing

December 29, 2016

Credential cracking and credential stuffing are two of the ways that hackers use bots to compromise your website security.

Credential cracking is an attack on the account login page of a website. Hackers start with a list of usernames but no passwords. They dispatch an army of bots to brute-force the login form, trying a library of commonly used passwords against each username on the list. If a login attempt succeeds, the hacker changes the password and now owns the account, locking the real account holder out.

Even worse, the hacker then manually tests the cracked credentials against other sites on the internet. Because people reuse the same credentials across multiple sites, the hacker can hijack several of one person's accounts at once. The victim, call him Joe, must now contact each of those websites to unlock his accounts, and each company must handle his request courteously to avoid damaging the customer relationship.

When this technique of trying credentials on other sites is automated by bots, it is called credential stuffing, and it spikes after every significant breach. When the Ashley Madison breach was announced, millions of credentials became available for hackers to test, using bots, against websites all over the internet. Wherever those credentials had been reused, the bots quickly gained access and alerted the hacker, who then hijacked the account. This explains why companies around the world see a massive spike in failed login attempts on their websites after a major breach announcement, and why they have to absorb the cost of verifying and unlocking accounts for genuine customers.
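The two attacks described above leave different fingerprints in a login log: cracking hammers a short list of usernames with many passwords each, while stuffing tries each breached username once. The following detector is an added example, not Distil Networks code; the log line format, the thresholds and the sample traffic are assumptions made for illustration. It classifies each source IP from the shape of its login attempts and lists the accounts that were successfully logged into from a flagged source, which are the ones a defender needs to verify and unlock.

```python
# Added example (not Distil Networks code): a heuristic detector that separates
# credential cracking from credential stuffing in login logs. The log format,
# thresholds and sample traffic below are assumptions made for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO-8601 time> <source ip> <username> <FAIL|SUCCESS>"


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def busiest_window(events, window):
    """Return the slice of one source's time-sorted events holding the most
    attempts inside any span of length `window` (two-pointer sweep)."""
    best, start = [], 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    return best


def classify_sources(lines, window=timedelta(minutes=5), min_attempts=10,
                     fail_rate_floor=0.8):
    """Label each source IP as normal, credential_cracking, credential_stuffing
    or suspicious, based on its busiest burst of login attempts."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        per_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e[0])
        burst = busiest_window(evs, window)
        if len(burst) < min_attempts:
            verdicts[ip] = "normal"          # too little volume to judge
            continue
        users = {user for _, user, _ in burst}
        fail_rate = sum(1 for _, _, ok in burst if not ok) / len(burst)
        attempts_per_user = len(burst) / len(users)
        if fail_rate < fail_rate_floor:
            # High volume but mostly succeeds (e.g. a shared NAT): review, not block.
            verdicts[ip] = "suspicious"
        elif attempts_per_user >= 5:
            # Cracking: a short username list hit with a long password library.
            verdicts[ip] = "credential_cracking"
        elif attempts_per_user <= 1.5:
            # Stuffing: breached username/password pairs, one try per account.
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def accounts_to_review(lines):
    """Usernames that logged in successfully from a flagged source: these are
    the accounts to verify and, if taken over, restore to the real owner."""
    flagged = {ip for ip, v in classify_sources(lines).items()
               if v.startswith("credential_")}
    hits = set()
    for line in lines:
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged:
            hits.add(user)
    return sorted(hits)


def build_sample_log():
    """Constructed sample traffic (not real data) covering three patterns."""
    base = datetime(2016, 12, 29, 10, 0, 0)
    lines = []

    def add(sec, ip, user, ok):
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} {ip} {user} {'SUCCESS' if ok else 'FAIL'}")

    # Legitimate user: two typos, then logs in.
    add(0, "192.0.2.8", "carol", False)
    add(20, "192.0.2.8", "carol", False)
    add(40, "192.0.2.8", "carol", True)
    # Credential cracking: two usernames, a dozen passwords each, one hit.
    for i in range(12):
        add(i * 2, "198.51.100.5", "alice", False)
        add(i * 2 + 1, "198.51.100.5", "bob", False)
    add(30, "198.51.100.5", "bob", True)
    # Credential stuffing: thirty breached pairs, one try each, two reused.
    for i in range(30):
        add(i * 3, "203.0.113.77", f"user{i:02d}", i in (4, 17))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(classify_sources(log))
    print("accounts to review:", accounts_to_review(log))
```

The ratios are the point: `attempts_per_user` is high for cracking and close to one for stuffing, and both carry a failure rate far above a legitimate user's. The numeric thresholds are starting guesses; in production they are tuned against the site's own baseline, and the per-IP key is supplemented with session, device and ASN keys because bot operators spread attempts across many addresses.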

Ready for the good news? Distil Networks blocks every OWASP automated threat.

 
