Credential stuffing attacks target login endpoints. Attackers replay usernames and passwords stolen in earlier breaches to take over accounts, access confidential data, and launch damaging secondary attacks. Learn how credential stuffing works, how it differs from brute force, and how to protect your critical assets.

Credential stuffing definition

Credential stuffing replays username/password pairs stolen in earlier breaches against other systems. It works because people reuse passwords across platforms. Bots automate the attack at scale, testing many accounts at once.

This attack type relies on credential databases sold on Dark Web marketplaces and traded on open forums; many are compiled from publicly leaked breaches. One 2020 audit found 15 billion credentials on sale, derived from 100,000 data breaches. The RockYou2021 and RockYou2024 compilations added close to 20 billion more entries, although those are lists of passwords rather than paired username/password records, so they feed dictionary attacks more directly than credential stuffing.

Card network Mastercard reports that the quality of the credentials in circulation is improving, making credential stuffing even more dangerous. As a result, every organization is exposed and should assess how many of its users' credentials already appear in breach data.

How credential stuffing works

Credential stuffing attacks tend to follow a similar playbook:

1. Setting up bots to launch an attack

Attackers set up botnets (networks of compromised or rented machines). Each bot is an automated tool that submits login attempts to the target's authentication endpoints.

Attackers conceal the source of the traffic to evade network defenses. Sophisticated campaigns route attempts through many IP addresses, often residential proxy networks, so each address makes only a handful of attempts and the traffic appears to come from many locations. This defeats defenses that ban an IP address after repeated failed logins, because no single address ever crosses the threshold.

2. Attacking the target

Bots draw on databases of compromised credentials and replay them against high-value targets.

For example, the data set may contain millions of logins from customers of eCommerce websites, while the target is a bank or insurer with a similar customer base. The attack succeeds wherever a customer reuses the same password for the bank and the eCommerce site.

The success rate of credential stuffing is typically around 0.1%: roughly 1 in 1,000 replayed pairs matches a live account on the target. That sounds low, but the attack runs over data sets holding millions of pairs, so a single campaign can yield thousands of account takeovers. Each takeover can lead to direct withdrawals, fraudulent purchases, or ransom demands, which makes even speculative campaigns worthwhile.

3. Spreading the credential stuffing attack

Credential stuffing attacks often don't stop with one successful login. A pair that works on one site may work on many others, letting attackers multiply their returns.

Automated tools replay each successful pair against other websites. This makes credential stuffing more efficient and exploits a well-documented habit: around 78% of people use the same credentials on many websites.

If credential stuffing succeeds on an individual's banking account, the same pair may well open their health insurer, accountant, or retail accounts.

4. Leveraging an account takeover

Attackers may take a long-term approach, using the account quietly to monitor the user. If they remain undetected, they can extract credit card numbers, transaction details, regular contacts, employer details, and many other valuable forms of data.

In this way, a credential-stuffing attack can lead to identity theft and more damage in the future. Attackers can use confidential information for social engineering or target company executives in whaling attacks.

5. Data storage and sale

Credential stuffing also generates a large amount of data that is valuable for other purposes. Attackers exfiltrate what they collect and package it into new datasets for sale to other threat actors, enabling further attacks.

Data obtained via credential stuffing is often far more valuable than the raw credential sets it came from, creating an immediate profit for successful attackers. For example, credit card numbers and PayPal logins sell for around $20-100 on the Dark Web, while full identity portfolios retail for over $1,000.

Credential stuffing vs. brute force attacks

Credential stuffing isn't the only password-related threat. Attackers also seek access via brute force attacks. The two use different techniques, and companies need security strategies that mitigate both.

As the name suggests, brute force attacks try password after password against a login until one works.

Simple brute force attacks guess a user's password from their username and common weak-password patterns. For instance, many people use "admin" for router passwords or "myname123" to save time.

Attackers may use clusters of words related to known usernames in "dictionary" attacks. Some combine words linked to the username with common number sequences ("hybrid" brute force attacks). Threat actors can also reverse the process, guessing usernames for leaked passwords.

Credential stuffing is a more targeted approach. Instead of relying on guesswork and processing power, it replays known username/password pairs, which raises the success rate per attempt. Both rely on trial and error, but the traffic looks different: brute force makes many attempts against one account, usually from few addresses, which trips lockouts and per-IP bans; credential stuffing makes about one attempt per account across thousands of accounts and many addresses, so per-account and per-IP counters stay under their thresholds. Defenders therefore need to watch the aggregate failure rate and the number of distinct accounts touched, not just counters for single accounts or addresses.
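The detection point made above, and the five-step attack shape described earlier, are easier to see on real records than in prose. The following Python script is an added example written for this article (not the article's own code or any vendor's detector): it runs over a small constructed authentication log, bucketed into one-minute windows, and labels each window as credential stuffing, brute force, or normal from the shape of the traffic. The log records and the thresholds are assumptions for the demo; a production deployment would tune them against its own baseline.

```python
"""Tell credential stuffing from brute force in authentication logs.

Added example for this article. The records returned by constructed_log()
are made up, and the thresholds in classify() are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    ip: str
    user: str
    success: bool


def window_stats(events):
    """Summarise one time window of login events."""
    attempts = len(events)
    users = Counter(e.user for e in events)
    ips = Counter(e.ip for e in events)
    successes = sum(e.success for e in events)
    return {
        "attempts": attempts,
        "distinct_users": len(users),
        "distinct_ips": len(ips),
        "max_attempts_per_user": users.most_common(1)[0][1],
        "max_attempts_per_ip": ips.most_common(1)[0][1],
        "attempts_per_user": attempts / len(users),
        "failure_ratio": 1 - successes / attempts,
    }


def classify(stats, stuffing_min_users=50, bf_min_per_user=20):
    """Label a window by the shape of its traffic, not by per-IP counts.

    Brute force hammers a few accounts with many guesses; stuffing touches
    many accounts about once each, from many IPs, and almost always fails.
    """
    if stats["max_attempts_per_user"] >= bf_min_per_user:
        return "brute_force"
    if (stats["distinct_users"] >= stuffing_min_users
            and stats["attempts_per_user"] < 2.0
            and stats["distinct_ips"] >= 10
            and stats["failure_ratio"] > 0.95):
        return "credential_stuffing"
    return "normal"


def detect(events, window_seconds=60):
    """Bucket events into fixed windows; return {window_start: (label, stats)}."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ts - e.ts % window_seconds].append(e)
    return {start: (classify(window_stats(evts)), window_stats(evts))
            for start, evts in sorted(buckets.items())}


def constructed_log():
    """Three minutes of made-up traffic: stuffing, then brute force, then normal."""
    events = []
    # Minute 0: 500 leaked username/password pairs tried once each from
    # 100 rotating IPs (5 attempts per IP); one pair happens to be reused here.
    for i in range(500):
        events.append(LoginEvent(i % 60, f"203.0.113.{i % 100}",
                                 f"user{i:04d}", success=(i == 42)))
    # Minute 1: one IP guessing 60 passwords against the admin account.
    for i in range(60):
        events.append(LoginEvent(60 + i, "198.51.100.7", "admin", success=False))
    # Minute 2: 30 ordinary users logging in successfully.
    for i in range(30):
        events.append(LoginEvent(120 + i, f"192.0.2.{i}", f"user{i:04d}", success=True))
    return events


if __name__ == "__main__":
    for start, (label, stats) in detect(constructed_log()).items():
        print(f"t={start:>4}s {label:<20} users={stats['distinct_users']:<4} "
              f"ips={stats['distinct_ips']:<4} max/ip={stats['max_attempts_per_ip']:<3} "
              f"fail={stats['failure_ratio']:.3f}")
```

Note the stuffing window: no IP makes more than five attempts and no account is tried more than once, so a "ban after ten failures per IP" rule never fires; what gives the campaign away is 500 distinct accounts touched in a minute with a 99.8% failure ratio.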

What are the effects of a credential-stuffing attack?

The most immediate consequence of a credential-stuffing attack is a wave of user account breaches. Attackers gain access to many accounts and can use that access to steal the information those accounts hold, withdraw funds, or make purchases.

Repeated failed attempts may also trigger automatic lockouts for legitimate users, who must then reset their passwords. The friction causes annoyance and lost business.

Attackers can go further, staging an account takeover. Users may then need to pay ransoms or lose their accounts entirely.

Even worse, credential stuffing can lead to secondary attacks. Attackers may use sensitive information in phishing campaigns. Targets may not know their accounts are compromised, allowing malicious actors to pose as legitimate contacts.

Successful credential-stuffing attacks can carry severe costs for affected businesses. According to IBM, the average data breach costs companies $4.88 million worldwide and $9.36 million in the USA. Companies may also face regulatory penalties for failing to safeguard customer data.

These consequences are not abstract. Credential stuffing is behind many high-profile incidents. For example, in 2018 banking giant HSBC reported a 10-day breach affecting US customers' private data, in which attackers used credentials leaked elsewhere to log in to HSBC accounts.

Other major corporations have reported credential-stuffing incidents in recent years. Targets include Spotify, Netflix, PayPal, and Zoom. Even businesses with cutting-edge cybersecurity protection are at risk.

How to prevent credential stuffing

Credential stuffing attacks have significant consequences and can affect any business. As a result, companies need comprehensive security strategies to lock down access points, detect malicious intrusions, and allow smooth access for legitimate users.

Use multi-factor authentication

Multi-factor authentication (MFA) requires a second proof of identity in addition to the password, so a stolen username/password pair alone does not grant access. It should be the top priority for companies seeking to prevent credential stuffing.

Authentication factors include biometrics, hardware security keys, and one-time passcodes generated by an authenticator app or sent to a mobile device. Phishing-resistant factors (FIDO2/WebAuthn keys and passkeys) are the strongest choice, because SMS codes and push prompts can themselves be phished or spammed until a user approves. Even a basic second factor, however, stops a bot that holds only a replayed password.
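To make the point concrete, here is an added Python example (not the article's own code or any vendor's implementation) of a login that checks a PBKDF2-hashed password and then an RFC 6238 time-based one-time code. The user store is constructed for the demo, and the TOTP secret is the RFC 4226/6238 reference key so the generated codes can be checked against the RFC test vectors. A stuffing bot holding the correct leaked password but no code, or a guessed code, is rejected at the second factor.

```python
"""Why a stolen password alone fails against an MFA-protected login.

Added example for this article. Implements HOTP (RFC 4226) and TOTP
(RFC 6238) with the standard library; USERS is a constructed store.
"""
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test key
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock skew."""
    if not isinstance(code, str) or not code.isdigit():
        return False
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def hash_password(password: str, salt: bytes = None, rounds: int = 100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


USERS = {}   # constructed user store: username -> record


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "pw": digest, "totp": totp_secret}


def login(username: str, password: str, code, at: int = None):
    """Return (ok, reason). A replayed password stops at the second factor."""
    at = int(time.time()) if at is None else at
    rec = USERS.get(username)
    if rec is None:
        # Production code should take the same time and return the same
        # message as a wrong password, to avoid username enumeration.
        return False, "bad credentials"
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["pw"]):
        return False, "bad credentials"
    if not verify_totp(rec["totp"], code, at):
        return False, "second factor missing or wrong"
    return True, "ok"


if __name__ == "__main__":
    enroll("alice", "reused-everywhere", RFC_TEST_SECRET)
    now = 59   # RFC 6238 reference instant; real callers let `at` default to time.time()
    print(login("alice", "reused-everywhere", None, now))      # stuffing bot: no code
    print(login("alice", "reused-everywhere", "000000", now))  # guessed code
    print(login("alice", "reused-everywhere", totp(RFC_TEST_SECRET, now), now))  # real user
```

The one-step skew window is the usual trade-off between tolerating slightly wrong device clocks and widening the set of codes a guesser could hit; a real service would also rate-limit code attempts so a bot cannot cycle through the million possible six-digit values.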

Device Posture Security

Device posture security (DPS) tools screen the devices connecting to your network. DPS checks that a connecting device meets policy (patch level, disk encryption, endpoint agent present) and blocks login attempts from devices that fail those checks. Filters may also use device fingerprinting to recognise a user's known devices, so a correct password arriving from a never-seen device can be challenged rather than accepted.

IP allowlisting

Credential stuffing bots spread their attempts across many IP addresses to conceal their activity. For internal and administrative services, companies can configure firewalls to accept only approved IP addresses and block everything else (allowlisting). This is rarely practical for public, customer-facing logins, where any address may be legitimate.

Firewalls may also draw on threat intelligence databases to block known malicious IP addresses and counter existing credential-stuffing agents.

Protect web applications

Websites are the usual targets of credential-stuffing attacks and need specific security measures. CAPTCHA challenges can catch simple bots by requiring the client to solve a puzzle before submitting credentials. However, attackers route around CAPTCHAs with solving services and more capable browser automation.

A stronger control is client-side JavaScript bot detection that fingerprints the browser and blocks headless automation frameworks (headless Chrome driven by Puppeteer or Playwright today; the older PhantomJS is no longer maintained but still appears in some toolkits). Combine this with per-account and per-IP rate limiting, plus monitoring of the overall login failure rate, so that a burst of one-attempt-per-account logins stands out even when no single address or account trips a limit.

Enforce strong password policies

The most important step is using different passwords for different environments. Passwords should never overlap across systems.

Weak password policies also open the door to credential stuffing. Companies should require strong, unique passwords (long passphrases rather than short strings with mandatory symbols) that avoid words connected to the user, and should screen new passwords against lists of passwords already exposed in breaches. Password managers let users handle many strong passwords efficiently.

Forcing users to change passwords on a fixed schedule is no longer recommended (NIST SP 800-63B), because it encourages predictable variations of the old password. Instead, security teams should monitor threat intelligence feeds and breach-notification services and force a reset when an account's credentials appear in a breach.

Another common weakness is using one identifier, usually the email address, as the username for every service, which lets a leaked email:password pair map straight onto your login form. Use distinct user IDs for each service where feasible, and prohibit account sharing.
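Screening passwords against breach data, as recommended above, should not require sending the password anywhere. The following Python script is an added example written for this article (not the article's own code and not an official client library). It follows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1 and receives every known hash suffix under that prefix, then compares locally. The corpus and the `range_lookup` function are constructed stand-ins so the script runs offline, and the counts are made up rather than real breach statistics; a real deployment would replace `range_lookup` with an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Check a new password against breached passwords via k-anonymity ranges.

Added example for this article. BREACH_CORPUS and range_lookup() are
offline stand-ins; the counts are constructed, not real figures.
"""
import hashlib

# Constructed stand-in for a leaked-password corpus: password -> times seen.
BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 30_000_000,
    "myname123": 1_200,
    "correcthorsebatterystaple": 5,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range protocol exchanges."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges(corpus):
    """Index the corpus by 5-hex prefix -> [(35-hex suffix, count), ...]."""
    ranges = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append((digest[5:], count))
    return ranges


RANGES = _build_ranges(BREACH_CORPUS)


def range_lookup(prefix: str):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the prefix leaves the client, so the service learns which of the
    (typically several hundred) hashes under that prefix you might hold,
    but not which one.
    """
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return RANGES.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for known_suffix, count in range_lookup(prefix):
        if known_suffix == suffix:        # comparison happens client-side
            return count
    return 0


def password_acceptable(password: str, username: str = "", min_len: int = 12):
    """Policy check: length, no username inside the password, not breached."""
    if len(password) < min_len:
        return False, "too short"
    if username and username.lower() in password.lower():
        return False, "contains username"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen} times in breaches"
    return True, "ok"


if __name__ == "__main__":
    for user, pw in [("alice", "correcthorsebatterystaple"),
                     ("bob", "bob-rides-bikes-2024"),
                     ("carol", "Tq7!vRm2#pLx9wZs")]:
        print(user, password_acceptable(pw, user))
```

Run the same check against existing accounts when a new breach corpus is published, and force a reset for any account whose stored password (checked at next login, since only a salted hash is stored) turns out to be listed.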

Organizations can minimize their exposure to password-based attacks, but it may not be possible to prevent every credential-stuffing attempt. Human error is always present, and with attackers stealing data in vast quantities, some credentials will eventually fall into the wrong hands.

Companies should therefore combine the measures above with robust network security: encrypt data at rest and in transit, use VPNs or zero-trust access for remote users, and apply network segmentation so that one compromised account cannot reach everything. That way you limit the damage caused by credential theft and avoid a costly data breach.