A massive collection of authentic email addresses and passwords was discovered on a file sharing service earlier this month. By massive, I mean truly enormous, dwarfing run-of-the-mill data dumps with “only” hundreds of millions of records. The Collection #1 data set, given that name by Troy Hunt, includes 2,692,818,238 records. That’s one record for every third person living on Earth. Amongst those records are 1.1 billion unique email/password combinations, almost 800 million unique email addresses, and 21 million unique passwords. My email address is in there, and yours probably is too.
The data appears to be a collation of password database leaks that happened over several years. There is data in there that hasn’t been seen by security researchers before, but it isn’t tied to a specific recent data leak. If you’re curious whether your data is in the mix, it has been uploaded to Hunt’s Have I Been Pwned? service, which can be used to search for email addresses across a large number of leaks.
Collection #1 is a boon for criminals engaged in credential stuffing. Credential stuffing takes a list of leaked email and password combinations and tries them on sites and services the attacker wants to gain access to. The leaks don’t originate on the site the attacker targets, but because most people use the same credentials on multiple sites with a database of over two and half billion records the chances of hitting on a legitimate combination are high.
Credential stuffing is more productive for criminals than brute force attacks or dictionary attacks, especially when the goal is to access accounts on web services and SaaS applications. Credential stuffing automation tools are available for many different services, so attackers don’t have to be technically sophisticated to breach user accounts. All they need is the right tool and a large database of credentials. Collection #1 is a powerful weapon in the arsenal of online crime.
Protecting Your SaaS App From Credential Stuffing
For credential stuffing to work, all of the following must be true.
- Your application has user accounts with credentials that appear in leaked password databases.
- Your application allows users to try a large number of username/password combinations.
- Users can authenticate with just a username and password.
By implementing security precautions that remove these traits from your application, you can protect it and your users from credential stuffing.
- The Pwned Passwords service can tell you if a password has appeared in a password database leak. The service’s complete list can be downloaded and used to prevent users from choosing passwords which are known to be used by criminals for credit stuffing.
- Limiting the number of login attempts a user can make by IP can reduce the effectiveness of credential stuffing attacks, but sophisticated operations have access to botnets with thousands of IP addresses, so rate limiting logins is not a complete solution.
- Implementing two-factor authentication will prevent attackers from authenticating with only an email address and password.
Credential stuffing presents a substantial security issue for SaaS businesses, eCommerce merchants, and website owners, but implementing these security precautions can help to neutralize the threat.