Threat Watch

Credential Stuffing Attacks Account for 34% of Okta Logins

In the first quarter of 2022, credential stuffing attacks grew to become the leading cause of authentication traffic for Okta users, with 10 billion events detected on the platform. This accounts for roughly 34% of the overall traffic on the platform. Geographically, regions such as Southeast Asia and the United States had some of the highest disparity between these malicious logins and legitimate traffic. By industry, the most targeted were retail/commerce, education, and energy.

Credential stuffing is a form of attack in which threat actors exploit the bad practice known as “password recycling”, where users reuse their credentials across multiple sites. Threat actors take the credentials of a previously breached account and try them on other sites. These attacks typically come in large bursts of traffic, with an actor attempting credentials for multiple breached accounts at once, which can also cause some impacted platforms to sustain significant load spikes.
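The burst pattern described above (one source trying many different accounts in a short time) can be separated from a single user mistyping a password or a shared office address by counting distinct accounts with failed logins per source in a sliding window. The following is an added detection example, not code from Okta or the cited article; the event layout, the five-minute window, and the five-account threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
# The field layout is an assumption for illustration, not a real log schema.
EVENTS = (
    # Burst from one source: many accounts, one attempt each, one hit.
    [(f"2022-03-01T10:00:{i * 5:02d}", "203.0.113.10", f"user{i}", "FAILURE")
     for i in range(8)]
    + [("2022-03-01T10:00:45", "203.0.113.10", "user8", "SUCCESS")]
    # One user mistyping a password: several failures, a single account.
    + [(f"2022-03-01T10:01:{i * 10:02d}", "198.51.100.7", "alice", "FAILURE")
       for i in range(4)]
    + [("2022-03-01T10:01:50", "198.51.100.7", "alice", "SUCCESS")]
    # Shared office NAT: many accounts, almost all successful.
    + [(f"2022-03-01T10:02:{i * 5:02d}", "192.0.2.50", f"staff{i}", "SUCCESS")
       for i in range(6)]
    + [("2022-03-01T10:02:40", "192.0.2.50", "staff1", "FAILURE")]
)

def detect_stuffing(events, window=timedelta(minutes=5), min_failed_users=5):
    """Map each flagged source IP to the time its failed logins first
    spanned min_failed_users distinct accounts within one window."""
    recent = defaultdict(deque)        # ip -> deque of (time, user) failures
    alerts = {}
    for ts, ip, user, outcome in sorted(events):
        if outcome != "FAILURE":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if ip not in alerts and len({u for _, u in q}) >= min_failed_users:
            alerts[ip] = now
    return alerts

def accounts_to_reset(events, alerts):
    """Accounts that logged in successfully from a flagged source: the
    reused passwords that worked, so they need a reset and session review."""
    return sorted({user for _, ip, user, outcome in events
                   if ip in alerts and outcome == "SUCCESS"})

if __name__ == "__main__":
    flagged = detect_stuffing(EVENTS)
    print(flagged, accounts_to_reset(EVENTS, flagged))
```

Attack traffic spread across many source addresses stays under a per-source threshold, so the same count is usually also kept per network range or client fingerprint.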

ANALYST NOTES

With a new data breach in the news nearly every day, there is an abundance of credential lists in the wild for attackers to download or purchase. The number and frequency of credential stuffing attacks continue to grow due to the relative ease with which threat actors can procure credential lists, coupled with the increase in automated tools created to enable this type of activity. In the end, it is largely on the end user to protect their own accounts by ensuring that they don’t use the same login information across multiple sites. However, there are a few things that can be done from an organizational perspective to protect against these types of attacks. These include having a proactive threat intelligence team/platform to monitor for new data breaches and compare the leaked credential lists against internal employee lists, enabling MFA across all employee accounts, and enforcing semi-frequent, mandatory password changes so that each user’s password is changed regularly, limiting the possibility that it is a password reused from elsewhere.

https://www.bleepingcomputer.com/news/security/okta-credential-stuffing-accounts-for-34-percent-of-all-login-attempts/