FBI Issues Warning on Credential Stuffing Attacks

The FBI has issued a warning stating that proxies and configurations are being used by cybercriminals to mask and automate credential stuffing attacks on U.S. companies, resulting in financial losses associated with fraudulent purchases, customer notifications, system downtime and remediation, as well as reputational damage.


Using proxies and configurations automates the process of attempting logins across various sites and facilitates the exploitation of online accounts. The warning states that there are numerous publicly accessible websites that offer compromised credentials for sale, and the FBI found that two of them had over 300,000 unique sets of credentials obtained from credential stuffing.

Industry experts weighed in on the FBI's warning and how organizations can protect themselves from the threat of credential stuffing.


Gunnar Peterson, CISO, Forter


“Attackers are reaching a new level of sophistication well beyond what passwords and even MFA can handle alone. This is because the attacks target the access control and identity provisioning layers to bypass protections that surround company data and accounts. When an attacker can leverage a password, account profile reset, or MFA prompt for malicious purposes, the company's protective layer falls away. This means that technologies like fingerprinting and account takeover monitoring are more important than they have ever been.”


Ralph Pisani, President, Exabeam


"Credentials are supposed to be the castle's front gates - they are the new perimeter, but SOCs still fail to detect credential-based attacks. As a result, the cybersecurity industry must rethink its strategy to analyze how credentials are used and stop intrusions before they become more significant issues like the ones discussed in the recent FBI warning.


Proper education, feedback loops, visibility, and effective technical capabilities are the keys to identifying and responding to attacks caused by compromised credentials. The most effective defender capability is the development of a baseline for normal employee behavior, specifically to assist organizations with identifying the use of compromised credentials for initial access and later maintaining network access. If you can establish normal behavior first, only then can abnormalities be known - a great asset in uncovering unknowingly compromised accounts."


Neil Jones, director of cybersecurity evangelism, Egnyte


"The recent privacy industry notification by the U.S. FBI is a stark reminder that organizations and their website users still have a lot to learn about effective password safety. For as long as I can remember, easily guessed passwords such as 123456, qwerty and password have dominated the global listing of most commonly used passwords, and they are undoubtedly in use in most corporate settings. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization's remote access solution to view corporate users' ID details or to email systems to impersonate your legitimate employees. Key components of an effective password management program that reduces the probability of credential stuffing attacks include:

  • Use of multi-factor authentication (MFA), which recent reports indicate only 89% of mid-sized organizations utilize to access all of their services.

  • Employee education about the significance of password safety, social engineering awareness and spear-phishing avoidance.

  • Establishment of mandatory password rotations, including forcing employees to change their passwords and passphrases on a routine basis.

  • Re-visiting your company's account lockout requirements to ensure that users' access is immediately disabled after a minimum number of failed login attempts.

  • Reminding users that they should limit access to personal websites on their business devices and never re-use business credentials on personal websites."

