Random Input of User IDs and Passwords on Websites
Complacent Security Awareness and Difficult Attack Detection Create Vulnerabilities
Need for Countermeasures with Passkey Methods, Automated Bots, and AI Technology
'Credential Stuffing' refers to a cyberattack in which hackers randomly input leaked login information such as IDs and passwords into websites or apps, and if they succeed in logging in, they steal personal information. The term Credential means 'encrypted personal information' or 'login credentials' in English, and Stuffing means 'the act of filling the inside of an object or material.'
Recently, cases of credential stuffing damage to companies and institutions have surged. The most recent victim is GS Retail. Earlier this year, the GS Retail website leaked personal information of about 90,000 customers due to this attack. It was identified that the hacking attack occurred over nine days from the 27th of last year to the 4th of this month. The leaked information is estimated to include seven items: name, gender, date of birth, contact information, address, ID, and email.
The reason credential stuffing is effective lies in complacent security awareness. People often reuse the same ID and password across multiple sites because it is easier to remember and they find it inconvenient to change passwords regularly. Hackers exploit this by acquiring a large number of users' IDs and passwords and then attempting to log in to various sites.
Moreover, complex rules such as mixing uppercase and lowercase letters, numbers, and special characters, as well as frequent password changes, may lead users to set easily guessable passwords out of fear of losing them. In such cases, security risks increase further. Leaked personal information can be used in various phishing attacks, including smishing, causing additional damage.
Credential stuffing is difficult to detect because the attacker's tool is 'legitimate' user information. This method differs from typical hacking that inserts malicious code. Since unauthorized users impersonate authorized ones, it is hard to establish clear detection policies, and security equipment also finds it challenging to block the attacks.
Preventing security incidents requires users' efforts. It is necessary to regularly check the number of logins per day or time period, monitor for unusual login attempts or failures, and take measures such as blocking overseas IPs. Using multi-factor authentication, which requires additional verification steps beyond ID and password, is also worth considering to preemptively block credential stuffing.
However, blocking IP addresses as a countermeasure has clear limitations. An IP can be blocked after checking the frequency of login attempts or failures coming from it. Recently, however, credential stuffing attacks have been detected in which attackers take over numerous network devices and servers in advance and then carry out distributed attacks.
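The following added example (not part of the original article) runs the two checks described above over constructed login events: a per-IP failure threshold, and a per-time-window count of distinct failing accounts that still fires when the attempts are spread across many source IPs. The event layout, thresholds, and sample data are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

def per_ip_offenders(events, max_failures=5):
    """IPs whose failed logins exceed a fixed threshold (the IP-blocking check)."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def suspicious_windows(events, window=300, min_accounts=20, min_fail_ratio=0.8):
    """Time windows where many distinct accounts fail, regardless of source IP."""
    buckets = defaultdict(list)
    for ts, _, user, ok in events:
        buckets[ts // window * window].append((user, ok))
    flagged = []
    for start in sorted(buckets):
        attempts = buckets[start]
        failed_users = {u for u, ok in attempts if not ok}
        ratio = sum(1 for _, ok in attempts if not ok) / len(attempts)
        if len(failed_users) >= min_accounts and ratio >= min_fail_ratio:
            flagged.append((start, len(failed_users), round(ratio, 2)))
    return flagged

def build_sample():
    """Constructed login events: (unix_seconds, source_ip, username, success)."""
    events = []
    # Window 0-299: ordinary traffic, 10 users, one mistyped password.
    for i in range(10):
        events.append((i * 20, f"198.51.100.{i}", f"user{i}", i != 3))
    # Window 300-599: a single IP tries 30 leaked accounts.
    for i in range(30):
        events.append((300 + i * 5, "203.0.113.7", f"leak{i}", False))
    # Window 600-899: 40 taken-over hosts try 2 accounts each (distributed).
    for h in range(40):
        for k in range(2):
            events.append((600 + h * 7 + k, f"192.0.2.{h}",
                           f"leak{100 + h * 2 + k}", False))
    return events

if __name__ == "__main__":
    sample = build_sample()
    # The per-IP check sees only the single noisy source.
    print("per-IP offenders:", per_ip_offenders(sample))
    # The window check also flags the distributed burst.
    for start, accounts, ratio in suspicious_windows(sample):
        print(f"window {start}: {accounts} failing accounts, fail ratio {ratio}")
```

In the constructed data, each host in the distributed burst fails only twice, so none of them crosses the per-IP threshold, while the window holding that burst is flagged on its 80 distinct failing accounts.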
The cybersecurity industry is introducing various countermeasures to prevent credential stuffing. Passwordless authentication methods are representative examples. For instance, passkey methods based on biometric authentication such as fingerprint or iris recognition exist. Technologies are also being developed to distinguish between legitimate and malicious traffic through automated bots or to predict security risks by training artificial intelligence (AI) on abnormal patterns.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![[News Terms] Advanced Cybersecurity Threats: 'Credential Stuffing'](https://cphoto.asiae.co.kr/listimglink/1/2024071109515347589_1720659113.jpg)

