Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

Okta warned of a spike in credential stuffing attacks using anonymizing services such as Tor, DataImpulse, Luminati, and NSocks.

Okta over the weekend warned of a spike in credential stuffing attacks that use various anonymizing services, such as The Onion Router (Tor) network.

In credential stuffing attacks, usernames and passwords obtained from previous data breaches at third parties, phishing, and other types of attacks are used to compromise valid accounts at the targeted organizations.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools,” Okta says.

In addition to Tor, these attacks were also seen leveraging a series of residential proxies, including DataImpulse, Luminati, and NSocks.

According to Okta, the spike in credential stuffing activity could be linked to a mass brute-force campaign that Cisco warned about roughly two weeks ago.

The brute-force attacks, which also used Tor and other anonymizing services, targeted multiple VPN services, web application authentication interfaces, and SSH services with generic usernames and valid usernames for specific organizations.

Cisco observed a global increase in such attacks starting March 18, but said that the campaign did not appear to target a specific geography or industry vertical.

According to Okta, starting April 19, similar anonymizing infrastructure has been increasingly used in credential stuffing attacks, with most of the observed traffic originating from residential proxies, such as end-user mobile devices and browsers, rather than from the IP space of virtual private server (VPS) providers.

Residential proxy networks consist of legitimate devices that route traffic on behalf of paid subscribers. Some providers of such services, however, are not transparent about how they enroll devices, and may build their networks using ‘proxyware’ and even malware.

More recently, Okta points out, numerous mobile devices have been enrolled in residential proxy networks through mobile applications built using specific SDKs, without device owners’ knowledge.

To mitigate the risk of these attacks, Okta recommends blocking requests from anonymizing services, blocking requests from IPs involved in such activity, implementing good password hygiene, implementing multi-factor authentication (MFA), adopting passwordless authentication, and monitoring and responding to anomalous behavior.
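
The following is an added example, not code from Okta or from this article, showing one way to monitor for the pattern described above: a per-IP failure counter sees nothing when each attempt arrives from a different residential-proxy address, while a per-window count of distinct failing accounts does. The log tuple format, thresholds, function names, and the `ANONYMIZER_IPS` placeholder feed are assumptions, and the sample events are constructed using documentation IP ranges.

```python
from collections import Counter, defaultdict

ANONYMIZER_IPS = {"203.0.113.3", "203.0.113.9"}  # placeholder for a Tor/proxy IP feed

def sample_events():
    """Constructed (epoch_seconds, source_ip, username, success) login events."""
    events = [(1000 + i * 60, "198.51.100.7", "alice", True) for i in range(3)]
    # Burst: 40 usernames tried once each, every attempt from a different IP.
    for i in range(40):
        events.append((6000 + i * 5, f"203.0.113.{i + 1}", f"user{i}", i == 17))
    return events

def per_ip_offenders(events, threshold=5):
    """Classic per-IP failure counter, shown for contrast."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}

def detect_stuffing(events, window=300, min_users=20, min_fail_ratio=0.9):
    """Flag fixed time windows where many distinct accounts fail at once."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    alerts = []
    for bucket, rows in sorted(buckets.items()):
        users = {user for _, user, _ in rows}
        ips = {ip for ip, _, _ in rows}
        fail_ratio = sum(not ok for _, _, ok in rows) / len(rows)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            alerts.append({
                "window_start": bucket * window,
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "fail_ratio": round(fail_ratio, 3),
                "anonymizer_hits": sorted(ips & ANONYMIZER_IPS),
                # Logins that succeeded inside the burst are reviewed first.
                "review_accounts": sorted(u for _, u, ok in rows if ok),
            })
    return alerts

if __name__ == "__main__":
    data = sample_events()
    print("per-IP offenders:", per_ip_offenders(data))
    for alert in detect_stuffing(data):
        print(alert)
```

Fixed windows can split a burst across two buckets, so production use would want a sliding window and thresholds tuned to the service's normal failure rate.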

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

