AdGuard adblocker resets passwords after credential-stuffing attack

Popular adblocker AdGuard has taken the decision to reset all user accounts after being on the receiving end of a credential-stuffing and brute-force password attack last Thursday.
Said the company’s security notice:

Today we detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe.

AdGuard said it had detected the unusual login attempts and blocked them but decided to issue a full password reset because it couldn’t be certain which of the credential-stuffing attempts had been successful.
Account resets normally happen after data breaches, so was the password reset necessary? Absolutely – despite the hassle for users, AdGuard has done the right thing.
Could it have better protected itself against this kind of attack? Interestingly, yes, but to understand why, we need to examine what happened more closely.

Credential menace

Credential stuffing is a type of attack where cybercriminals get hold of passwords and usernames from one data breach and then use them on lots of other websites to see if any work there too.
Because a lot of users have got into the bad habit of reusing the same passwords across several websites, the tactic is successful at least some of the time.
All attackers need is a credential-stuffing tool and a bot made up of compromised hosts that can be used to spread the attack traffic across different IP addresses to make detection and blocking harder.
While credential-stuffing attacks are not new, figures from the content delivery network and cloud services provider Akamai show its customers saw 30 billion malicious login attempts in the eight months to June 2018, a big rise compared to last year.

The AdGuard attack

Judging from its description, AdGuard experienced two types of attack – a credential stuffing attack and a generic brute-force attack where the perpetrators simply try lots of common weak passwords to break into accounts.
Brute-force attacks should be easy to spot because lots of incorrect passwords fired at the same account will stand out as unusual. Credential-stuffing attacks can be even noisier because the spike in activity affects large numbers of accounts at the same time.
One defence is rate limiting – locking accounts after a specified number of incorrect passwords – but as AdGuard admits, this is powerless to stop an attacker who already knows the correct password stolen during a third-party data breach.
That login would have appeared indistinguishable from the real user performing the same action which is why AdGuard was wise to issue a general password reset for everyone.
However, if AdGuard and its users had implemented even quite basic two-factor authentication (2FA) then the credential-stuffing attack would have quickly floundered (the attackers would have had the correct password but not the additional factor). AdGuard has admitted this and says it plans to introduce 2FA in future:

We physically can’t implement it in one day, but this will be our next step and we will let you know about it as soon as its done.

Commendably, AdGuard does prevent people from using passwords that are part of the Have I Been Pwned? (HIBP) database, although it’s still possible to change a password to anything else after sign-up.

Who is affected?

Anyone running an AdGuard paid version should have an account that requires a password reset, including the Windows and Mac desktop applications as well as paid mobile accounts for Android or iOS.
AdGuard browser extensions for Chrome, Firefox, Safari, Edge, Opera, and Yandex seem to be free to use and aren’t connected to accounts that require a reset.