FBI says credential stuffing attacks are behind some recent bank hacks

The FBI is raising a sign of alarm about the rising number of credential stuffing attacks targeting financial institutions.
Written by Catalin Cimpanu, Contributor

The FBI has sent a private security alert to the US financial sector last week warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and have led to breaches and considerable financial losses.

Credential stuffing is a relatively new term in the cyber-security industry.

It refers to a type of automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services.

These attacks aim to identify accounts where users reused passwords and then gain unauthorized access over the user's profile and attached resources.

Credential stuffing attacks weren't always an issue, but they became one in the late 2010s after hackers leaked billions of usernames and password combinations from hundreds of companies over the past five years.


Slowly, hackers began collecting these leaked credentials and trying them against various online services. At first, they targeted online gaming and food-ordering accounts, but as the tactic proved to be more and more successful, more professional hacking groups switched to targeting accounts at online banking services and cryptocurrency exchanges, aiming to steal financial assets.

Credential stuffing is now a major problem for banks

According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations.

"Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises," the FBI said.

"The victims included banks, financial services providers, insurance companies, and investment firms."

FBI officials said that many of these attacks targeted application programming interfaces (APIs) since these systems are "less likely to require multi-factor authentication (MFA)" and are less monitored than user-facing login systems.

The FBI also noted that some credential stuffing attacks have been so massive, with authentication requests packed together without cool-out periods, that they brought down authentication systems at some financial organizations, with some targets believing they were being DDOSed and not under a credential stuffing attack — incidents that the F5 Networks cyber-security unit also reported last year.

Credential stuffing attacks also didn't target just user profiles, the FBI said, but they also targeted employee accounts, with the attackers aiming to access high-privileged accounts as well.

Some of these attacks failed, but others also succeeded and led to multi-million dollar losses at some organizations over the past year.

According to the FBI, recent major incidents included:

  • In July 2020, a mid-sized US financial institution reported its Internet banking platform had experienced a "constant barrage" of login attempts with various credential pairs, which it believed was indicative of the use of bots. Between January and August 2020, unidentified actors used aggregation software to link actor-controlled accounts to client accounts belonging to the same institution, resulting in more than $3.5 million in fraudulent check withdrawals and ACH transfers. However, reporting does not indicate whether the increased logins and fraudulent transactions could be attributed to the same actor(s).
  • Between June 2019 and January 2020, a NY-based investment firm and an international money transfer platform experienced credential stuffing attacks against their mobile APIs, according to a credible financial source. Although neither entity reported any fraud, one of the attacks resulted in an extended system outage that prevented the collection of nearly $2 million in revenue.
  • Between June and November 2019, a small group of cyber criminals targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts, according to a credible financial source. The cyber criminals then used bill payment services to submit fraudulent payments—about $40,000 in total—to themselves, which they then wired to foreign banking accounts. According to a 2020 case study on one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to company leadership, system administrators, and other employees with privileged access.

The FBI security advisory, which you can read in full here, warns financial institutions to take protective measures about the ever-growing threat of credential stuffing.

The alert includes basic detection strategies and mitigation advice that can be universally applied across all sectors, and not just for companies active in the financial vertical.

Editorial standards