Credential Stuffing: Definition, Risks, & Prevention

Understand how credential stuffing works and identify major risks. Prevent automated attacks using MFA, bot management, and effective security defenses.

Credential stuffing is a cyberattack where criminals use lists of stolen usernames and passwords to gain unauthorized access to user accounts on other websites. It relies on the common habit of people using the same login details across different services. For marketers and site owners, these attacks can lead to fraudulent purchases, data theft, and damaged customer trust.

What is Credential Stuffing?

In a credential stuffing attack, an attacker takes a database of credentials from a previous data breach and uses automated tools to attempt to log in to unrelated services. The attacker assumes that a portion of users from the original breach reused their password on the target site.

The term was coined by Sumit Agarwal, co-founder of Shape Security, while he served as a Deputy Assistant Secretary of Defense. While these attacks have a [statistically low success rate of about 0.1% to 2%] (Shape Security), the massive volume of stolen data makes them profitable.

Why Credential Stuffing matters

Credential stuffing is a primary threat because of its ripple effects across the internet. When one service is breached, every other service where those users have accounts becomes a target.

  • High ROI for attackers: Even if only 1,000 accounts are cracked out of a million attempts, the stolen data can be sold or used for financial fraud.
  • Widespread password reuse: Research shows that [81% of users have reused a password across two or more sites] (SecureAuth), while [85% of users may reuse credentials] (Cloudflare) according to separate estimates.
  • Infrastructure strain: The volume of automated login attempts can significantly increase traffic, potentially slowing down or crashing login services.
  • Brand reputation: A successful attack often leads to account takeover (ATO), where hackers steal credit card numbers, send spam, or drain stored value from customer accounts.
  • Detection difficulty: The [median time to detect a credential compromise is 120 days] (F5 Labs), meaning attackers often have access for months before they are discovered.

How Credential Stuffing works

Attackers follow a specific process to execute these large-scale login attempts.

  1. Acquisition: The attacker procures a list of stolen credentials from a data leak, often purchased on the dark web or found on password dump sites.
  2. Automation Setup: The attacker uses bot software (such as Sentry MBA, Selenium, or Openbullet) capable of making thousands of login attempts simultaneously.
  3. Parallel Execution: The bots "stuff" the login forms of the target website with the credential pairs. To bypass security, the bots originate from many different IP addresses and mimic various device types.
  4. Validation: The attacker identifies which logins were successful.
  5. Monetization: Valid accounts are used to steal sensitive data, make fraudulent purchases, or are sold to other cybercriminals.

Best practices for prevention

Organizations must use active technical defenses since they cannot control user behavior.

  • Implement Multi-Factor Authentication (MFA): Require users to verify their identity with a code sent to a physical device. This is the most effective defense against credential stuffing.
  • Use Bot Management: Deploy services that use IP reputation databases and rate limiting to block automated login attempts without affecting real users.
  • Require CAPTCHAs: Use tests that prove a user is human. While some bots can bypass basic CAPTCHAs, they still add a layer of friction for attackers.
  • Apply Device Fingerprinting: Collect data points like browser type, time zone, and screen resolution to identify when a single "user" is actually many bots using many IPs.
  • Block Headless Browsers: Identify and block software like PhantomJS that lacks a graphical interface, as these are frequently used for automated attacks.
  • Rate Limit Non-Residential Traffic: Be skeptical of traffic coming from commercial data centers (like AWS), as these sources are often bots rather than individual users.

Common mistakes

Mistake: Thinking strong passwords protect your users. Fix: Even a long, complex password is useless if it was stolen from another site and is being reused. Focus on uniqueness rather than just complexity.

Mistake: Relying solely on IP banning. Fix: Modern bots use a wide variety of IP addresses. Use behavioral analysis and device fingerprinting to catch bots that change their IP.

Mistake: Using email addresses as the only login ID. Fix: Forbid email addresses as usernames. This reduces the chance that the credential pair matches what was stolen in a previous breach.

Mistake: Blocking all headless browser traffic. Fix: Some "good" bots, like search engine crawlers, use these tools. Ensure your security rules allow verified search engine bots while blocking malicious ones.

Examples

  • 23andMe: In 2023, attackers used credential stuffing to access [profile data of approximately 6.9 million users] (TechCrunch). The company later faced a proposed $30 million settlement due to the breach.
  • Uber: Attackers accessed an Uber developer's GitHub repository by using credentials compromised in earlier breaches. They eventually obtained access to records for millions of users and drivers.
  • Dunkin' Brands: Tens of thousands of loyalty accounts were compromised between 2015 and 2018. The company eventually reached a settlement with the New York Attorney General to reimburse hacked customers.

Credential Stuffing vs. Brute Force Attacks

Feature            | Credential Stuffing                  | Brute Force
-------------------|--------------------------------------|-------------------------------------------
Strategy           | Uses known, leaked credentials       | Guesses passwords at random or by pattern
Context            | Based on previous data breaches      | No context; uses random characters
Password Strength  | Password complexity does not matter  | Stronger passwords are harder to crack
Efficiency         | Highly targeted and efficient        | Slow and requires massive computing power
Vulnerability      | Caused by password reuse             | Caused by weak or guessable passwords

FAQ

How is credential stuffing different from a data breach? A data breach happens when an attacker steals information directly from a company's database. Credential stuffing uses the results of those breaches to attack other companies. If your site is targeted, it doesn't mean your database was stolen: it means your users' credentials from a different site were stolen.

Can marketers see credential stuffing in their data? Yes. A sudden, massive spike in login attempts, especially those with high failure rates, often indicates an attack. You might also see a rise in account-related support tickets or unauthorized transactions.
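The signal described in this answer, worked through as an added example that is not part of the original page: a small Python detector over constructed login log lines (the line format is an assumption for this example) that buckets attempts into one-minute windows, flags windows with a spike of mostly failed logins, and separates the credential stuffing pattern (about one attempt per username, from many IPs) from brute force (many attempts against one username), the contrast drawn in the comparison table above.

```python
import re
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Assumed line format (constructed for this example, not any real server's log):
# "<ISO timestamp>Z <client IP> POST /login user=<name> status=<HTTP code>"
LINE_RE = re.compile(r"^(\S+)Z (\S+) POST /login user=(\S+) status=(\d{3})$")

def constructed_log():
    """Synthetic traffic: normal logins, then a credential-stuffing burst, then a brute-force burst."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts}Z {ip} POST /login user={user} status={st}"
    lines = []
    for i, (user, st) in enumerate([("alice", 200), ("bob", 401), ("bob", 200), ("carol", 200)]):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(fmt.format(ts=ts, ip=f"198.51.100.{i + 1}", user=user, st=st))
    for i in range(40):  # stuffing: each leaked pair tried once from its own IP; one reused password works
        ts = (base + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(fmt.format(ts=ts, ip=f"203.0.113.{i + 1}", user=f"user{i:03d}", st=200 if i == 7 else 401))
    for i in range(25):  # brute force: many guesses against one username from one IP
        ts = (base + timedelta(minutes=10, seconds=i)).isoformat()
        lines.append(fmt.format(ts=ts, ip="192.0.2.77", user="dave", st=401))
    return lines

def parse(lines):
    """Turn recognised lines into (timestamp, ip, user, status) tuples; skip anything else."""
    matches = (LINE_RE.match(line) for line in lines)
    return [(datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])) for m in matches if m]

def analyse_windows(events, window_s=60, min_attempts=20, min_fail_rate=0.8):
    """Bucket attempts into fixed windows and classify spikes with a high failure rate: stuffing is
    roughly one attempt per distinct username from many IPs; brute force is many attempts per username."""
    buckets = {}
    for ts, ip, user, st in events:
        buckets.setdefault(int((ts - EPOCH).total_seconds()) // window_s, []).append((ip, user, st))
    findings = []
    for key, attempts in sorted(buckets.items()):
        n, users, ips = len(attempts), {u for _, u, _ in attempts}, {ip for ip, _, _ in attempts}
        fails = sum(1 for _, _, s in attempts if s != 200)
        verdict = "normal"
        if n >= min_attempts and fails / n >= min_fail_rate:
            distributed = n / len(users) < 2 and len(ips) >= len(users) / 2
            verdict = "credential_stuffing" if distributed else "brute_force"
        findings.append({"window_start": (EPOCH + timedelta(seconds=key * window_s)).isoformat(),
                         "attempts": n, "fail_rate": fails / n, "distinct_users": len(users), "distinct_ips": len(ips),
                         "verdict": verdict,  # accounts that logged in during a flagged window need a forced reset
                         "succeeded": sorted(u for _, u, s in attempts if s == 200) if verdict != "normal" else []})
    return findings
```

The `succeeded` list of a flagged window is the set of accounts to reset and notify, since a login that succeeded inside a stuffing burst is almost certainly the attacker, not the customer.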

How do attackers get the lists? Attackers find these lists on the black market or in public "password dumps." Massive collections containing millions or billions of credentials are traded regularly. For example, [more than three billion credentials were spilled in 2016 alone] (Dark Reading).

Does a password manager help? Yes. Password managers allow users to generate and store unique passwords for every site. If a user never reuses a password, a credential stuffing attack against them will always fail.

What is compromised credential checking? This is a technique where websites or browsers check if a user's chosen password appears in a database of known leaks. Using protocols like k-anonymity, sites can verify this without actually seeing the user's password.
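The k-anonymity exchange from this answer, shown with both sides as an added example that is not part of the original page: the client hashes the candidate password locally and sends only the first five hex characters; the server returns every leaked hash suffix under that prefix; the client matches the suffix locally. The design mirrors the Pwned Passwords range API; the breach corpus and its counts are constructed so the example runs offline.

```python
import hashlib

# Constructed breach corpus with made-up counts so the example runs offline. The exchange mirrors
# the Pwned Passwords range API design: SHA-1, a 5-hex-char prefix sent, "SUFFIX:COUNT" lines returned.
BREACHED_CORPUS = {"password": 1000, "123456": 5000, "letmein": 300, "qwerty": 900}
PREFIX_LEN = 5  # 16**5 buckets; each reply covers every leaked hash sharing the prefix

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Server side: group each leaked hash's suffix (with its count) under its 5-char prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(f"{h[PREFIX_LEN:]}:{count}")
    return index

def range_query(index: dict, prefix: str) -> list:
    """Server side: answer a range query. Only the prefix ever reaches the server, so it learns
    at most which bucket of hashes the client is interested in, never the password or full hash."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return index.get(prefix, [])

def is_compromised(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in query(prefix):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0

def accept_new_password(password: str, query) -> tuple:
    """Signup or reset policy: refuse any password that appears in a known leak, whatever its length.
    Returns (accepted, breach_count)."""
    count = is_compromised(password, query)
    return (count == 0, count)
```

In production the `query` argument would be an HTTPS call to the range service; keeping it injectable is what makes the client logic testable without network access.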