What is credential stuffing?

Credential stuffing is a cyberattack in which stolen usernames and passwords, often exposed via data breaches, are used en masse to gain unauthorized access to user accounts on other platforms.

If a cybercriminal obtains someone’s login information from one compromised website, they can attempt to use it on other websites where the person may have accounts, potentially hijacking their email, bank accounts, social media profiles and more.

How credential stuffing works

Let’s start with an analogy. Imagine a robber gets his hands on a giant keychain that contains hundreds of keys. He walks down a street, trying each key on every car door he encounters. Sooner or later, statistically speaking, he'll find a car that one of his keys unlocks. Credential stuffing works in a similar way, but instead of physical keys and car doors, it uses stolen login credentials and online accounts.

Here’s a step-by-step breakdown of a typical credential stuffing attack:

  1. Attackers acquire a large database of username-password pairs. These can be purchased from the dark web, harvested from previous data breaches that targeted password managers or single sign-on services, or obtained through phishing scams.
  2. The attackers use automated bots or scripts to test the stolen credentials against popular online services. These credential stuffing bots can often attempt logins on hundreds of websites at the same time. Some can even bypass basic security measures like CAPTCHAs and slow down login attempts to avoid detection and blacklisting.
  3. If a username-password combination from the stolen list matches a valid account on any of the target websites, the attacker gains unauthorized access.
  4. Once inside an account, the hacker can steal personal information, make fraudulent purchases or even launch subsequent attacks on other linked accounts.

Credential stuffing vs. password spraying

Credential stuffing and password spraying both exploit weak password practices and password fatigue, but they differ in their approach. Let’s explore these differences.

In credential stuffing, cybercriminals use automated tools to inject compromised credentials into online services. Password spraying, on the other hand, uses a limited set of commonly used passwords against a large list of user accounts.

The goal of credential stuffing is to take advantage of password reuse and compromise as many accounts as possible, whereas the aim of password spraying is to identify accounts with weak or easily guessable passwords.

Credential stuffing attacks typically have a higher success rate if the hacker uses a large and recent database of stolen credentials. Conversely, the success rate of password spraying depends on the weakness of the passwords chosen by the users of the targeted platforms.

How to prevent credential stuffing

As with every cyber threat, prevention is a more effective approach than scrambling for a cure after the fact. Here are some steps you can take to harden your infrastructure against credential stuffing and similar attacks:

  • Enable multi-factor authentication: Require users to authenticate using more than one factor, for example, a password and a one-time code sent to their mobile device. MFA is often regarded as the single most effective defense against credential stuffing as it can prevent compromise even if credentials match. A Google study found that MFA is 100% effective against automated attacks like credential stuffing.
  • Educate users about password hygiene and credential management: Encourage users to create strong, unique passwords for each account and to not reuse passwords across different platforms/accounts. Moreover, guide them on how to use password management tools for secure storage and management of passwords.
  • Monitor for data breaches: Monitor for data breaches that may have exposed your user credentials. Websites like Have I Been Pwned are useful resources in this regard – and your chosen IAM solution should do this out of the box for every corporate account.
  • Develop a security-first culture: Cultivate a security-conscious environment within your workplace to ensure ongoing protection against credential stuffing and other security incidents. This can include:
    • Regularly educating employees about evolving cyber threats like zero-day exploits, ransomware, advanced malware and MFA fatigue attacks (where attackers overwhelm users with MFA requests in order to gain access).
    • Conducting simulated phishing attacks to test employee awareness and preparedness against common vulnerabilities.
    • Empowering a group of employees to become security champions within their departments.

How to detect a credential stuffing attack

Implement these security controls:

  • Track login attempts and analyze them for patterns that indicate credential stuffing, like multiple failed attempts from different IP addresses within a short period.
  • Use strong CAPTCHA challenges or rate-limiting mechanisms to deter automated login attempts. This will prevent attackers from executing large-scale credential stuffing attacks.
  • After a certain number of failed login attempts from a particular IP, the system should block further attempts from that IP address and raise an alert.
  • Implement adaptive or risk-based authentication. It will help you examine user login behavior to identify anomalies. For example, a sudden login attempt from a geographically distant location can be a red flag.
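
The first and third controls above can be expressed as two sliding-window counters over an authentication log. The following is an added example, not code from this page or from any OneLogin product; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=5)
PER_IP_FAILS = 5        # failures from one IP before it is blocked
SPREAD_IPS = 4          # distinct failing IPs inside the window ...
SPREAD_USERS = 4        # ... that together hit this many distinct usernames

# Constructed sample log (documentation IP ranges): timestamp ip user result
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 alice OK
2024-05-01T10:00:05 203.0.113.10 bob FAIL
2024-05-01T10:00:06 203.0.113.10 carol FAIL
2024-05-01T10:00:07 203.0.113.10 dave FAIL
2024-05-01T10:00:08 203.0.113.10 erin FAIL
2024-05-01T10:00:09 203.0.113.10 frank FAIL
2024-05-01T10:00:10 203.0.113.10 grace FAIL
2024-05-01T10:20:00 203.0.113.21 heidi FAIL
2024-05-01T10:20:02 203.0.113.22 ivan FAIL
2024-05-01T10:20:04 203.0.113.23 judy FAIL
2024-05-01T10:20:06 203.0.113.24 mallory FAIL
2024-05-01T10:30:00 198.51.100.7 alice FAIL
""".splitlines()

def detect(lines):
    """Return (blocked_ips, alerts) for an iterable of auth log lines."""
    per_ip = defaultdict(deque)   # ip -> timestamps of its failures in the window
    recent = deque()              # (ts, ip, user) for every failure in the window
    blocked, alerts, spread_active = set(), [], False
    for line in lines:
        ts_raw, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if result != "FAIL" or ip in blocked:
            continue              # a blocked IP is assumed to be rejected upstream
        fails = per_ip[ip]
        fails.append(ts)
        while fails[0] < ts - WINDOW:
            fails.popleft()
        if len(fails) >= PER_IP_FAILS:        # single noisy source: block and alert
            blocked.add(ip)
            alerts.append(("block_ip", ip))
        recent.append((ts, ip, user))
        while recent[0][0] < ts - WINDOW:
            recent.popleft()
        ips, users = {r[1] for r in recent}, {r[2] for r in recent}
        spread = len(ips) >= SPREAD_IPS and len(users) >= SPREAD_USERS
        if spread and not spread_active:      # many IPs, many accounts: alert once
            alerts.append(("distributed", f"{len(ips)} IPs, {len(users)} users"))
        spread_active = spread
    return blocked, alerts
```

Failures spaced further apart than the window stay under both thresholds, which is why these counters are paired with the adaptive, risk-based checks in the last bullet.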

Examples of credential stuffing attacks

Now, let's look at some real-life cyberattacks that were carried out through credential stuffing:

In 2019, Starling Bank was the victim of a credential stuffing attack. Malicious actors bombarded the bank's login system with stolen usernames and passwords. Even though the success rate remained a relatively low 0.23%, the incident led to severe financial losses for the bank.

In 2019, food delivery service Deliveroo suffered a credential stuffing attack. Attackers compromised customer accounts, which were then sold for just $6 each on the dark web.

In 2023, a credential stuffing attack compromised roughly 14,000 user accounts on the genetic testing platform, 23andMe.

Conclusion

Credential stuffing is a dangerous cyberattack that can affect any organization. This technique relies on the fact that many people reuse the same login credentials across multiple accounts, a risky habit that creates a single point of failure for their online security.

To detect, mitigate and prevent credential stuffing, it’s important to understand how it works, enforce the aforementioned security controls, educate users about password hygiene and security best practices, implement regular monitoring mechanisms and stay vigilant for data breaches.
