What is a credential stuffing attack and how to defend against it?

What is a "credential stuffing" attack?

A "credential stuffing" attack is a type of cyberattack in which an attacker uses stolen authentication data, usually lists of usernames or email addresses and the corresponding passwords that were compromised in a data breach. The attacker uses this data to gain unauthorized access to user accounts on other systems by performing automated login attempts on a massive scale.

Unlike "brute force" methods, credential stuffing attacks do not rely on guessing passwords; they are based on previously obtained combinations of logins and passwords. Tools such as Selenium, cURL, PhantomJS, or specialized applications like Sentry MBA, SNIPR, STORM, Blackbullet, or Openbullet enable the automation of such login attempts.

These attacks are primarily effective because many users reuse the same usernames and passwords across different platforms. Statistics indicate that as many as 81% of people use the same password on at least two sites, and 25% of users use identical passwords for most of their accounts. According to estimates, the login success rate for such attacks is up to 2%, meaning that from one million stolen credentials, approximately 20,000 accounts can be taken over.

How does such an attack proceed?

The process of a credential stuffing attack can be divided into several stages:

  1. Acquisition of credentials: attackers obtain sets of logins and passwords as a result of data breaches, phishing, or by purchasing them on darknet forums.
  2. Automated testing: Using automation tools, they test this data on various websites, such as social media portals, e-commerce platforms, or web applications.
  3. Verification of success: If a login is successful, the attackers know they have working credentials.
  4. Further actions: After gaining access to accounts, they may:
    • Steal financial funds or make unauthorized purchases.
    • Gain access to sensitive data, such as credit card numbers, private messages, or photos.
    • Use accounts to send spam or phishing messages.
    • Sell verified credentials to other cybercriminals.

How to defend against it?

For individual users

  1. Unique and strong passwords: Ensure that every one of your accounts has a different password, consisting of at least a dozen characters, including letters (lowercase and uppercase), numbers and symbols.
  2. Using password managers: These tools help create, store and manage strong passwords, eliminating the need to memorize them.
  3. Multi-Factor Authentication (MFA): Enable MFA wherever possible. Even if someone obtains your password, they will not be able to log in without an additional authentication factor, such as an SMS code or an app notification.
  4. Account monitoring: Regularly check whether your accounts have appeared in public data breaches using services like "Have I Been Pwned?".


For organizations

  1. Enforcing a strong password policy: Require employees to create strong, unique passwords and change them regularly. Password managers help IT administrators enforce security rules, such as minimum length, uniqueness, and regular changes.
  2. Implementing MFA: Apply multi-factor authentication for all employee accounts.
  3. Anomaly monitoring: Use SIEM systems to detect unusual login patterns, such as multiple failed attempts in a short period.
  4. Employee training: Regularly educate staff on cybersecurity, sensitizing them to the threats resulting from data leaks.
  5. Using CAPTCHA: Adding CAPTCHA mechanisms during login can significantly hinder automated login attempts.
  6. IP Blocking: Implement IP blocking mechanisms upon detecting suspicious activity.

Examples of credential stuffing attacks

  1. Attack on Superdrug (2018): The British beauty retailer fell victim to an extortion attempt when cybercriminals claimed to have gained access to 20,000 customer accounts. This data likely originated from previous breaches and was used in a credential stuffing attack.
  2. Attack on Uber (2016): Hackers gained access to Uber’s private GitHub repository using employee credentials compromised in other leaks. As a result, they stole the data of millions of users and drivers, leading to financial penalties for the company.
  3. Attack on Zoom (2020): During the COVID-19 pandemic, the Zoom platform became a target for numerous credential stuffing attacks, resulting in thousands of user accounts being exposed online.

Credential stuffing attacks pose a serious threat to both individual users and organizations. The key to protection is the use of unique passwords, the implementation of multi-factor authentication, and the monitoring of online activity. Organizations should invest in advanced anomaly detection systems and educate their employees on cybersecurity. Using password managers can significantly increase the level of security, both by supporting the creation of strong, unique passwords and by managing them effectively.

FAQ – Frequently Asked Questions

How to recognize a credential stuffing attack?

The most common symptoms of an attack are:

  • unauthorized logins to user accounts,

  • an increase in the number of failed login attempts,

  • user complaints regarding account takeovers,

  • an increase in bot activity within the system.
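The anomaly monitoring recommended for organizations above and the symptoms listed in this answer (a burst of failed logins, many accounts touched, occasional takeovers) can be turned into a concrete detection rule. The example below is added here and is not code from the original post or from any product it mentions; the log format, sample lines and thresholds are constructed assumptions. It distinguishes the credential stuffing signature (one source trying many different usernames) from classic brute force (one source hammering one account) and reports which accounts were successfully logged into from a flagged source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, hypothetical format: "<ISO time> <ip> <username> <result>".
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 alice FAIL
2024-03-01T10:00:01 203.0.113.5 bob FAIL
2024-03-01T10:00:02 203.0.113.5 carol FAIL
2024-03-01T10:00:03 203.0.113.5 dave OK
2024-03-01T10:00:04 203.0.113.5 erin FAIL
2024-03-01T10:00:05 203.0.113.5 frank FAIL
2024-03-01T10:05:00 198.51.100.7 alice FAIL
2024-03-01T10:05:30 198.51.100.7 alice OK
2024-03-01T10:06:00 192.0.2.9 mallory FAIL
2024-03-01T10:06:01 192.0.2.9 mallory FAIL
2024-03-01T10:06:02 192.0.2.9 mallory FAIL
2024-03-01T10:06:03 192.0.2.9 mallory FAIL
2024-03-01T10:06:04 192.0.2.9 mallory FAIL
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def classify_sources(events, window=timedelta(minutes=1), min_attempts=5, min_users=5):
    """Flag source IPs that make >= min_attempts login attempts within one window.
    A burst spread over many distinct usernames is the credential stuffing signature
    (a leaked list replayed account by account); a burst against one account looks
    like brute force. Each verdict lists accounts successfully logged into from that source."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            if len(burst) < min_attempts:
                continue  # slide the window forward to the next attempt
            users = {e[2] for e in burst}
            label = "credential_stuffing" if len(users) >= min_users else "brute_force"
            hits = sorted(e[2] for e in burst if e[3])
            verdicts[ip] = {"label": label, "attempts": len(burst), "compromised": hits}
            break
    return verdicts
```

Accounts listed under "compromised" are the ones to force a password reset and session revocation on; the flagged IP is a candidate for the rate limiting or blocking described earlier.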

Where do the credentials used in such attacks come from?

Login credentials most often come from previous data breaches that are publicly available or sold on the darknet. Popular sources include databases originating from breached online stores, social media portals, and forums.

How does credential stuffing differ from a brute force attack?

Credential stuffing uses real login data obtained through leaks or phishing and then tests it on other services. In contrast, a brute force attack involves random password guessing. Credential stuffing is more effective because it relies on already known combinations.

Does a password manager help against credential stuffing?

A password manager, such as perc.pass, significantly increases user resistance to credential stuffing attacks because it allows for the generation and use of unique, strong passwords for every account. This reduces the risk of leaked data being reused on other services.

How can I check whether my data has been leaked?

You can verify this by using tools such as HaveIBeenPwned.com or the leak monitoring features available within password managers. Regular monitoring allows for early detection of a problem and a prompt response, such as changing the password.
