The FBI has sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses.
Credential stuffing is a relatively new term in the cyber-security industry.
It refers to a type of automated attack in which hackers take collections of usernames and passwords that leaked online through data breaches at one company and try them against accounts at other online services.
These attacks aim to identify accounts where users reused passwords and then gain unauthorized access over the user's profile and attached resources.
Credential stuffing attacks weren't always an issue, but they became one in the late 2010s, after hackers leaked billions of username and password combinations from hundreds of companies over the past five years.
Slowly, hackers began collecting these leaked credentials and trying them against various online services. At first, they targeted online gaming and food-ordering accounts, but as the tactic proved to be more and more successful, more professional hacking groups switched to targeting accounts at online banking services and cryptocurrency exchanges, aiming to steal financial assets.
According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations.
"Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises," the FBI said.
"The victims included banks, financial services providers, insurance companies, and investment firms."
FBI officials said that many of these attacks targeted application programming interfaces (APIs) since these systems are "less likely to require multi-factor authentication (MFA)" and are less monitored than user-facing login systems.
The FBI also noted that some credential stuffing attacks have been so massive, with authentication requests packed together without cool-off periods, that they brought down authentication systems at some financial organizations, with some targets believing they were being DDoSed rather than subjected to a credential stuffing attack. The F5 Networks cyber-security unit reported similar incidents last year.
Credential stuffing attacks also didn't target just user profiles, the FBI said, but they also targeted employee accounts, with the attackers aiming to access high-privileged accounts as well.
Some of these attacks failed, but others succeeded and led to multi-million dollar losses at some organizations over the past year.
According to the FBI, recent major incidents included:
The FBI security advisory, which you can read in full here, warns financial institutions to take protective measures about the ever-growing threat of credential stuffing.
The alert includes basic detection strategies and mitigation advice that can be universally applied across all sectors, and not just for companies active in the financial vertical.
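The traits the advisory describes (many different usernames tried from one source, a high failure rate, requests packed together with no cool-off period, a preference for API endpoints, and bursts large enough to look like a DDoS) can be turned into a simple log-based detector. The following Python script is an added example written for this article; it is not the FBI's detection guidance nor any vendor's product. The log format, the thresholds, and the sample log lines are all constructed assumptions of the snippet and would need tuning against a real login baseline.

```python
"""Heuristic credential-stuffing detector over authentication log lines.

Added example: log format, thresholds and heuristics are assumptions of this
snippet, not the FBI advisory's or any vendor's detection logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: <unix_ts> <source_ip> <path> user=<name> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<path>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Placeholder thresholds; tune them against the real login baseline.
WINDOW_SECONDS = 60
MIN_ATTEMPTS = 20        # attempts from one source inside the window
MIN_DISTINCT_USERS = 10  # many different usernames from one source
MIN_FAIL_RATIO = 0.8     # most leaked passwords no longer work
MAX_MEAN_GAP = 1.0       # seconds between attempts: no cool-off period


@dataclass
class Event:
    ts: int
    ip: str
    path: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    fail_ratio: float
    mean_gap: float
    api_share: float  # fraction of attempts aimed at /api/ endpoints


def parse_log(text):
    """Parse log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(int(m["ts"]), m["ip"], m["path"], m["user"], m["result"] == "ok"))
    return events


def score_window(ip, win):
    """Return a Finding if one IP's events in this window look like stuffing, else None."""
    n = len(win)
    if n < MIN_ATTEMPTS:
        return None
    users = {e.user for e in win}
    fails = sum(1 for e in win if not e.ok)
    mean_gap = (win[-1].ts - win[0].ts) / (n - 1)
    api = sum(1 for e in win if e.path.startswith("/api/"))
    f = Finding(ip, n, len(users), fails / n, mean_gap, api / n)
    if f.distinct_users >= MIN_DISTINCT_USERS and f.fail_ratio >= MIN_FAIL_RATIO and f.mean_gap <= MAX_MEAN_GAP:
        return f
    return None


def detect_stuffing(events, window=WINDOW_SECONDS):
    """Slide a time window over each source IP's events; keep the largest flagged window per IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            f = score_window(ip, evs[start:end + 1])
            if f and (ip not in findings or f.attempts > findings[ip].attempts):
                findings[ip] = f
    return sorted(findings.values(), key=lambda f: -f.attempts)


def classify_burst(events):
    """Site-wide view for the 'are we being DDoSed?' question: a flood of login
    attempts spread over many distinct usernames with a high failure ratio is
    more consistent with credential stuffing than with a volumetric attack."""
    if not events:
        return "empty"
    distinct = len({e.user for e in events}) / len(events)
    fail_ratio = sum(1 for e in events if not e.ok) / len(events)
    return "credential-stuffing-like" if distinct >= 0.5 and fail_ratio >= MIN_FAIL_RATIO else "other"


def build_sample_log():
    """Constructed sample: two legitimate users plus one source firing 30 attempts
    in 15 seconds at the API login, each with a different username from a leaked
    list; one victim happens to have reused a password."""
    lines = [
        "1000 198.51.100.7 /login user=alice result=fail",
        "1012 198.51.100.7 /login user=alice result=ok",
        "1300 198.51.100.9 /login user=carol result=ok",
    ]
    for i in range(30):
        result = "ok" if i == 17 else "fail"
        lines.append(f"{1000 + i // 2} 203.0.113.5 /api/v1/login user=user{i:03d} result={result}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for finding in detect_stuffing(evs):
        print(finding)
    print("site-wide burst:", classify_burst(evs))
```

The per-IP heuristic deliberately combines three signals (username diversity, failure ratio, and request spacing) because any one of them alone also matches legitimate traffic such as a shared NAT gateway or a user who forgot a password; the `api_share` field is reported rather than scored so analysts can see whether the activity concentrates on API endpoints, which the advisory notes are less likely to enforce MFA. Distributed campaigns that spread attempts over many source IPs will evade a purely per-IP threshold, which is why the site-wide `classify_burst` view is included alongside it.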