Editor's note: This is the first in a three-part series on credential stuffing, from breaches through prevention.
LinkedIn is a valuable business tool for the hundreds of millions of people who use it to network or find a new job. Cybercriminals value it too, because it holds a large repository of personal information.
In June, LinkedIn confirmed that user data had been harvested from the site, as well as from other sources, and later put up for sale by a user calling themselves "GOD User TomLiner" on RaidForums, a popular hacker forum.
On that forum, buyers could obtain email addresses, full names, postal addresses and professional background information: a trove of personally identifiable information (PII) that feeds directly into credential stuffing, because it lets an attacker tie leaked passwords to specific people and employers.
"PII is one of the points of currency when it comes to credentials," said Tyler Shields, CMO at JupiterOne.
When cleartext password and username combinations turn up in a data breach, the attacker's job becomes much easier. If the same dump also contains PII, the credentials can be used in a more informed way and to greater effect, since the attacker knows who the account belongs to and where that person works.
The value of credentials
If data is the valuable asset locked away for safekeeping, credentials are the key to the vault. For threat actors, the real value of credentials is that they provide access that looks like legitimate use and leaves little trace.
There is no need for malware or for hunting for vulnerabilities; a valid username and password are all that is required to get into a network or a database. And because many users reuse passwords across sites, one leaked pair opens other doors for the attacker.
Of 1.5 billion credentials SpyCloud recovered in 2020, 60% showed password reuse, and 97.4% of those reused passwords were an exact match across the breached accounts.
Malicious actors thus gain access not only to a user's corporate account but potentially to bank, social media and e-commerce accounts that share the same credentials. Credentials as an attack vector are on the rise because they have become so easy to obtain.
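The reuse figures above and the "informed" use of PII described earlier can be made concrete with a small script. The following is an added example written for this article, not code from SpyCloud or from any vendor quoted here; the breach dump, the local account list and the PBKDF2 user store are constructed for illustration. It measures cross-breach password reuse in a leaked dump (exact matches versus minor variants such as an appended year), then shows how a defender holding the same dump would test which local accounts fall to those leaked passwords, trying only the passwords leaked against each account's own email address rather than spraying every password at every user.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample dump (not real data): "source,email,password" per line.
# The same email appears under several breach sources so that cross-breach
# password reuse can be measured.
BREACH_DUMP = """\
shopsite,alice@example.com,Summer2020!
forumsite,alice@example.com,Summer2020!
shopsite,bob@example.com,hunter2
forumsite,bob@example.com,hunter2023
gamesite,carol@example.com,correct horse battery
shopsite,dave@example.com,P@ssw0rd
"""


def parse_dump(text):
    """Parse dump lines into (source, email, password) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, email, password = line.split(",", 2)  # password may contain commas
        records.append((source.strip(), email.strip().lower(), password))
    return records


def normalize_password(password):
    # Lower-case and strip trailing digits/punctuation so that "hunter2" and
    # "hunter2023" are treated as variants of one base password.
    return re.sub(r"[\d\W_]+$", "", password.lower())


def reuse_stats(records):
    """Count accounts seen in more than one breach and how many of them reused
    a password either exactly or as a minor variant."""
    by_email = defaultdict(list)
    for _source, email, password in records:
        by_email[email].append(password)
    multi = {e: pws for e, pws in by_email.items() if len(pws) > 1}
    exact = variant = 0
    for pws in multi.values():
        if len(set(pws)) < len(pws):
            exact += 1
        elif len({normalize_password(p) for p in pws}) < len(pws):
            variant += 1
    return {"in_multiple_breaches": len(multi),
            "exact_reuse": exact,
            "variant_reuse": variant}


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(users):
    """Hypothetical local user store for the demo: {email: (salt, pbkdf2_hash)}."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, pbkdf2(password, salt))
    return store


def exposed_accounts(store, records):
    """Return local accounts whose stored hash matches a password leaked for the
    same email. Only passwords leaked against that email are tried, which is the
    informed, PII-guided attack the article describes, not a blind spray."""
    hits = set()
    for _source, email, password in records:
        entry = store.get(email)
        if entry is None:
            continue
        salt, digest = entry
        if hmac.compare_digest(pbkdf2(password, salt), digest):
            hits.add(email)
    return hits


if __name__ == "__main__":
    recs = parse_dump(BREACH_DUMP)
    print(reuse_stats(recs))
    # Constructed local accounts: alice reused her leaked password, bob did not.
    store = make_user_store([("alice@example.com", "Summer2020!"),
                             ("bob@example.com", "hunter2-work"),
                             ("erin@example.com", "unrelated-passphrase")])
    print(sorted(exposed_accounts(store, recs)))
```

A defender would run the same comparison against a breach corpus whenever a password is set or changed, and force a reset on a hit. The 100,000-iteration PBKDF2 cost is deliberate: it keeps per-login checks cheap while making bulk offline matching against a large dump slow.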
How credentials are acquired
These days, finding legitimate credentials is as easy as sifting through the free and pay-to-play listings on cybercrime marketplaces, especially given that upwards of 15 billion credentials are in circulation, according to research from Digital Shadows.
"Despite years of security awareness guidance and a slight uptick in adoption of password managers, folks still reuse credentials across a wide array of sites and do not change them after a breach disclosure unless the breached company forces such a change," said Bob Rudis, chief data scientist at Rapid7.
Attackers have many ways to gather credentials, and new misconfigured, publicly exposed databases keep appearing on the internet for them to harvest.
"Many of the techniques that have been used for years to steal credentials from internal Active Directory systems still work well since most organizations do little to configure their Windows environment safely," said Rudis.
Phishing is another popular way to gather credentials, and one that has risen since the pandemic sent workers to home offices with less security oversight. Growing use of cloud computing has also multiplied identities, both human and non-human (service accounts, for example), whose credentials and entitlements are not well monitored.
"Much to the chagrin of cybersecurity professionals, many startups and/or cloud-services continue to use unsafe practices when storing credentials, making the internal databases they're stored in easy to digest once they gain initial access via phishing or VPN/RDP attacks," said Rudis.
Where credentials are found
Once a data breach or other incident exposes PII and login data, those credentials circulate across the open internet and the dark web.
"Credentials dumps are extremely inexpensive to purchase and can many times be directly found with a little dark web understanding and general searching knowledge," said Shields.
Threat actors who sell credentials care more about quantity than quality, so a buyer is unlikely to get a user's security-question answers (the make of their first car, say) neatly matched to a particular email/password pair.
"Most of the people stealing credentials are stealing them in bulk. They don't much care about the who or what," said John Bambenek, threat intelligence advisor at Netenrich.
Sellers want volume they can move after a breach. Buyers then sort through their purchases for the targets that matter to whatever criminal operation they intend to run.
Some domain-specific credentials, however, such as logins for financial services or cloud email providers, fetch higher prices. A cloud email account lets a threat actor send phishing from a legitimate mailbox and intercept the password-reset and multifactor-code emails for the victim's other accounts.
Other stolen credentials are used to reach medical records and other sensitive information that can be sold on marketplaces or used in more traditional blackmail campaigns.
"No credentials are really off-limits as any legitimate credential pair has an unfortunately high likelihood of working across any services that a given individual may use," said Rudis.
Once those credentials are in hand, cybercriminals put them to work in the attack itself.