Wondering Engineer

How sustainable is credential stuffing?

··Stephan
Table of Contents

The inception of the thought

So the inspiration for this thought came after I checked the authenticator for an email address I don't actively use any longer (and which I may have generously used during my youth). I was surprised to see how many malicious attempts were made daily to login into the account, with a quick glance showing 11 attempts made on the day of me writing this paragraph alone. What struck me as interesting was that these attempts spanned across the globe. Seeing as this account really holds little value and is this popular already, it begs the question how many other accounts are experiencing this especially when they hold some value.

Hack attempts

The realisation that this global effort exists to gain access to my account, among others, made me think about the thousands of kilometres of network infrastructure and countless devices that are being used to just repeatedly bash their heads against random accounts with the hope of granting them access. Granted at this scale even a 0.5% success rate would still yield them hundreds if not thousands of accounts to exploit or sell on. That being said, such a brute force approach can't be very efficient and I wonder what the resulting environmental impact must be.

Out of the gate im going to already manage your expectations by saying that answering this question on the climate impact of hackers based on their energy consumption will be rather difficult to tackle. Especially when one considers that they likely aren't reporting their consumption nor are they purchasing carbon credits to offset their impact for any "genuine" purposes. But this makes this topic all the more interesting to read up on as im sure there's a whole (under)world of learning to be had. Since I am not expecting to get anywhere near a confident answer, I would instead like to at least come close to the order of magnitude that we could expect it to be within. In this article I would like to try to get an understanding of:

  • How my account came into the lists of all of these hackers?
  • What is the scale of all this account hacking business?
  • What assumptions can we make on the energy consumption?
  • Finally answer the question, how bad for the climate can this all be?

How my account came into the lists of all of these hackers?

Well now we get to go into the exciting and enigmatic topic of the "black market". In the past fraudulent sign in attempts were brute forced with hackers often trying strings of random but likely passwords. This had a low success rate compared to the current approach which is credential stuffing. This practice sees large lists of user details and passwords being compiled. From these lists its possible, among other things, to use these details to try and access other accounts that may be connected to the breached account. This is why its so important to have unique passwords to all accounts to prevent this bridge from ever existing.

It has been estimated that as little as 15 billion credentials have been breached over more than 100,000 breaches. That's a lot of accounts, and there is a good chance that some of those credentials will overlap with other accounts with similar details. In fact its been estimated that the success rates range between 0.1% and 1%. That's between 15,000,000 and 150,000,000 accounts that could be breached.

But why go through all of this effort? As I understand it there is a market for these accounts and depending on the platform they are on and the region (europe it turns out is the most valuable) some accounts can be sold for as much as $32 per account. So there can be some decent financial incentive once these scale to the orders of magnitude we are talking about.

So there is a good chance one of the accounts I made when I was younger got breached and those credentials added to these lists that are marketed. As a result these credentials will be used to attempt to access other services using the same email address. Thankfully my OpSec has improved a great deal from when I was thirteen and I have tried to exercise best practices in password management and account management.

Unfortunately, since this network of cybercriminals operates on a decentralised system there will never really be a clear feedback loop to stop access attempts when the list is ultimately passed on to another group. The best I can do there is to regularly update my passwords, and continue monitoring these accounts from time to time.

What is the scale of all this account hacking business?

"Hacking business" is maybe a broad statement, so really the scale im trying to understand here will rather be surrounding fraudulent credential stuffing attempts. Hopefully with that narrowed down scope we can find some tangible values.

Back in 2019 Microsoft released a blog post that stated their services combined experience around 300 million fraudulent sign in attempts A DAY. Similarly, in 2022 Okta's Auth0 detected that 34% of all traffic across their network were credential stuffing attempts, amounting to (and coincidentally) around 300 million attempts per day as well. Okta boasts covering two-thirds of the fortune 100 among thousands of other businesses. If we had to take into account the explosive development in deep learning and automation that followed 2019, its likely safe to assume that value to be far higher today. If we were to then extrapolate from these two sources to include the other major services out there (think government and the big MAANG services) then we could easily expect this value to easily be in the billions per day. To temper those estimates however, a comprehensive study by Akamai showed that there were only 193 billion stuffing attacks in the year of 2019, which would only be around a half-billion attempts per day.

Having to account for a growth over the last few years of 45% all the way up to 282% year-on-year growth we can expect the value to be much higher today. Playing on the conservative side we will work with the 45% which would place the current attempts per day in the range of 2-billion stuffing attempts per day.

What assumptions can we make on the energy consumption?

This is really where we start sucking out thumbs for values. As difficult as a topic as sustainability is for industries actively trying to monitor it, the complexity of the internet, its associated infrastructure and the global nature of it make it a monumentally difficult subject to quantify. Is this going to stop me? No, but its definitely going to make it extra difficult to have any confidence in these values.

So we need to quantify the amount of information transferred during a login attempt. From there we can use that estimate, combined with the energy cost for a single unit to calculate a ROM for the energy required. Far outside of my area of expertise im finding the number of packets ranging from as low as 6, all the way up to a few hundred.

A lovely response on Reddit broke a similar problem down with an assumption of an ISP end-to-end packet being around 800 bytes. From there they were able to conclude that a packet consumed around 3.33e-7 kWh. If you have a better source I would love to hear more about it!

We can then estimate a rough energy consumption per login attempt to be anywhere between 20e-7 kWh and 13e-5 kwh. This was estimated using the packet estimates for login attempts multiplied by the energy estimate I scrounged up from the helpful reddit post.

Finally answer the question, how bad for the climate can this all be?

So since we now have a VERY rough range for the order of magnitude which is anywhere between $10^{-7}$ and $10^{-5}$ kilowatt hours, we can begin estimating what that carbon impact would be. Statista had an interesting figure that pinned the global power sectors emissions at 481 grams of CO2 per kWh. There is probably something to be said about using a global average especially when these operations really vary on the sustainability of the energy they are drawing from.

If we calculate this generously and say that each log in attempt is closer to the higher estimate of 13e-5 kwh, then we get to about 260,000 kwh per day on credential stuffing attempts. Take that over 365 days (assuming hackers have no weekends), and we are at ~95,000,000 kwh for the year. That seems like a high number, and when we calculate how many grams of CO2 are emitted it gets even larger. That figure is about ~45000 tonnes of emitted CO2.

As it turns out the international energy agency estimated that in 2023 alone, we as a planet produced a total of ~37.4 billion tonnes of energy related CO2. That's a really big number, with about 65% of it coming from coal related generation alone. If we compare that to our figure, then its a drop in the bucket (or even some nanoparticle in said bucket). Comparing these figures gives us that credential stuffing would be about 0.0001% of the global energy emissions.

Thoughts on the answer

I was honestly expecting a slightly more significant figure, but at the same time I think its always difficult for us to realise just how big the global energy sector is. That of course makes sense given how much everything depends on it these days, but when you're comparing many different high order of magnitude figures you think that it can have a huge impact. In this case that was thankfully not the case, however, there is another side to all this that needs to be considered.

I was really curious about the environmental/practical implications of these credential stuffing attempts. I failed to really consider the impact of these actors on individuals like you and I at the end of the day. Especially under a successful attempt. The time lost having to regain access, manage passwords, and even worse dealing with lost funds or impacts to ones reputation as a result of these malicious actors requires some further reading. I feel this is really relevant as we only continue to digitise our lives further, and become more dependent on this symbiotic relationship we deepen on a daily basis with technology.

I think in the greater pareto of improving our emissions this is inconsequential. And off the cuff here, I think in some ways these actors may gradually become more sustainable as the market powers are now in favour of solar. What will remain are still the social injustices that we will continue to face. The cat and mouse game between the tech industry and these actors will remain, and grow in size. Data driven methods are going to be one of these key drivers in its growth, so it will be imperative for us as a society to educate others on proper personal and professional OpSec, so that we can better protect ourselves from these forces.

I think that leaves some nice questions for the backlog:

  • What are the social impacts of hacking/malicious actors in technology?
  • What would an OpSec survival guide for the 21st century look like?