What Is Credential Stuffing? How It Happens and How To Prevent It
Credential stuffing reuses stolen login credentials across multiple websites, using bots for mass log-in attempts.
Credential stuffing is a type of cyberattack where criminals use leaked or stolen login credentials to compromise other accounts that use the same username and password. It's one of the most common techniques used to take over accounts.
In May 2021, our research found that takeover attempts using strategies like credential stuffing increased by 138%. While the success rate of credential stuffing is usually pretty low, the attempts happen at a scale large enough to cause a huge impact on organizations.
What is a Credential Stuffing Attack?
The ultimate goal of credential stuffing is to find different accounts that share the same login credentials. Criminals take login credentials exposed in a data leak or stolen in a data breach and try them against several websites in an attempt to gain access to multiple accounts. They usually use bots to carry out these log-in attempts at scale.
A robust cybersecurity plan includes a strong password policy: multifactor authentication and frequent password changes, for example. This ensures that a credential stuffing attack is unsuccessful if the criminal only has access to old passwords. But a strong password policy isn't always enforced, and it doesn't always work.
After all, people frequently choose to use the same password so they won't forget it. In the event of a password leak, even a complicated password could turn into a liability if it's used across multiple accounts.
How Does Credential Stuffing Work?
The first step of a credential stuffing attack is to obtain leaked login credentials. A criminal can obtain credentials from a data breach or a phishing attack, or by buying stolen data on the dark web.
Once a criminal gets authentic login credentials, they use automated tools such as bots to test those credentials against many websites, such as social media apps and eCommerce sites. Sophisticated bots also appear to originate from many different IP addresses, which can defeat a security measure such as blocking IP addresses that produce too many failed logins.
If the login is successful, the criminal can then search the account for sensitive data like credit card information. They may also make purchases, send phishing messages to other accounts, or sell the login credentials for another hacker to use.
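The paragraph above explains why a per-IP lockout misses a bot that spreads its attempts over many addresses. The following added example (not from the original article) runs the per-IP rule and an endpoint-wide rule over constructed login events; the thresholds, IP ranges and usernames are all assumed sample values.

```python
from collections import Counter

# Constructed sample data (not real traffic). Each event is one login attempt.
# A stuffing bot tries breached username/password pairs: each username is tried
# about once, and attempts are spread across many IPs so that no single IP
# reaches a per-IP lockout threshold.
STUFFING = [
    {"ip": f"198.51.100.{i % 30}", "user": f"user{i}@example.com", "ok": i in (7, 41)}
    for i in range(60)
]
# Classic brute force for comparison: one IP guessing one account repeatedly.
BRUTE_FORCE = [
    {"ip": "203.0.113.9", "user": "admin@example.com", "ok": False} for _ in range(40)
]
# Ordinary traffic: a few users, one of whom mistypes a password.
NORMAL = [
    {"ip": f"192.0.2.{i}", "user": f"staff{i}@example.com", "ok": i != 3} for i in range(6)
]

PER_IP_LOCKOUT = 5  # hypothetical threshold: block an IP after 5 failures

def blocked_ips(events, threshold=PER_IP_LOCKOUT):
    """The per-IP rule the article says distributed bots sidestep."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def indicators(events):
    """Aggregate failures across the whole login endpoint, not per IP."""
    fails = [e for e in events if not e["ok"]]
    per_ip = Counter(e["ip"] for e in fails)
    per_user = Counter(e["user"] for e in fails)
    return {
        "failed": len(fails),
        "distinct_users": len(per_user),
        "max_fails_per_ip": max(per_ip.values(), default=0),
        "max_fails_per_user": max(per_user.values(), default=0),
    }

def classify(events, min_failed=20):
    ind = indicators(events)
    if ind["failed"] < min_failed:
        return "normal"
    if ind["max_fails_per_user"] >= min_failed // 2:
        return "brute_force"           # one account, many guesses
    if ind["distinct_users"] >= 0.8 * ind["failed"] and ind["max_fails_per_ip"] < PER_IP_LOCKOUT:
        return "credential_stuffing"   # many accounts, ~1 guess each, low per-IP volume
    return "suspicious"
```

For the stuffing sample, `blocked_ips` returns nothing while `classify` flags it; the brute-force sample trips both rules.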
Credential Stuffing vs. Brute Force Attacks
Credential stuffing is considered a form of brute force attack, but the two use different strategies to compromise an account. Credential stuffing uses known login credentials across different sites. Brute force essentially guesses the password by systematically entering passwords until one is correct. A strong password may prevent a brute force strategy, but it won't stop credential stuffing.
Credential Stuffing vs. Password Spraying
Password spraying is another type of brute force, but with a twist. Instead of guessing the password, the criminal chooses one common password (like "123456") and uses it against multiple usernames. While this sidesteps the issue of account lockouts due to too many failed attempts, it only gives a criminal one chance to make a successful login attempt. But that may be all they need if you use a simple, easy-to-guess password.
What Are Examples of a Credential Stuffing Attack?
Several companies have suffered data breaches because of credential stuffing. Here are some recent examples:
Dunkin' Donuts: Participants in the Dunkin' Donuts loyalty program, DD Perks, were victimized by credential stuffing attacks in 2018-2019. Hackers used stolen login credentials to find any DD Perks accounts that were using the same credentials. Where successful, hackers subsequently sold the compromised accounts on the dark web. Buyers used the credentials to gain access to coupons, points, and stored value.
Nintendo: In 2020, over 300,000 Nintendo accounts were hacked and some accounts were used to make fraudulent purchases. Personal information was also exposed including names, dates of birth, and email addresses. Nintendo believes the attack occurred because of credential stuffing, phishing, or brute force.
Zoom: The conferencing app was the face of many cybersecurity issues in 2020, including when more than 500,000 login credentials were put on sale on the dark web. Criminals found these login credentials by conducting a credential stuffing attack.
Credential stuffing is a serious issue plaguing organizations. While people have a personal responsibility to use different and strong passwords for their accounts, organizations should also take responsibility to enable security protocols to prevent criminals from validating or using stolen login credentials.
Credential Stuffing Solutions
Preventing credential stuffing attacks requires a strong, multi-layered cybersecurity framework with stringent password practices. Solutions can include implementing these three password features:
Encourage a strong password policy: Organizations can require users to create complicated passwords or change passwords regularly. This isn't easy to enforce since organizations can't monitor every password a person has created and ensure there is no duplication.
Enable multi-factor authentication: Multi-factor authentication (MFA) requires the user to authenticate twice: once with the correct login credentials and again with a second authentication factor, such as a one-time passcode sent to the person's email address, phone number, or authentication app. However, our research shows that criminals can bypass MFA with legacy applications. Organizations may also want to consider disabling legacy authentication for extra security.
Use a CAPTCHA: CAPTCHA requires users to prove they are human and not a robot by performing an action. This can help reduce the effectiveness of credential stuffing, but some criminals bypass this by using headless browsers. Organizations may want to block headless browsers as a security precaution.
Adding login security features can minimize the threat of credential stuffing even if there are ways for criminals to evade these protocols. On top of preventing credential stuffing, organizations should stay on alert for compromised accounts and set up a security system that can detect potential problems.
How to Detect Compromised Accounts
Identifying suspicious behavior on email accounts is crucial to recognizing a cyberattack and responding appropriately. Account takeovers are a real threat to organizations, and strong email security is essential for noticing behavior that indicates a compromised account.
Abnormal Security's Account Takeover Protection automatically correlates thousands of signals to spot and block suspicious email activity. Unlike traditional secure email gateways, it detects anomalies in email by:
Noticing when a user's mailbox is accessed from a never-before-seen location, device, browser, or IP address.
Monitoring unusual user behaviors like altering mail filter rules or forwarding to external email addresses.
Detecting unusual interdepartmental correspondence, especially with financial information.
Recognizing signals of account takeover from external vendors in an organization's supply chain.
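The first two signals in the list above (a never-before-seen access context, followed by a mail rule that forwards externally or hides mail) can be checked with a per-user baseline. This added example is not Abnormal's code: it learns each user's seen countries, devices and IPs from a constructed event stream and flags the combination; the organization domain and all event values are assumed sample data.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumed organization domain

# Constructed mailbox activity stream (not real data), in time order.
EVENTS = [
    {"user": "alice@example.com", "type": "login", "country": "US", "device": "win-chrome", "ip": "192.0.2.10"},
    {"user": "alice@example.com", "type": "login", "country": "US", "device": "ios-mail", "ip": "192.0.2.44"},
    {"user": "alice@example.com", "type": "login", "country": "US", "device": "win-chrome", "ip": "192.0.2.10"},
    {"user": "alice@example.com", "type": "login", "country": "BR", "device": "linux-headless", "ip": "203.0.113.77"},
    {"user": "alice@example.com", "type": "mail_rule", "forward_to": "drop@mail.invalid", "delete_original": True},
    {"user": "bob@example.com", "type": "login", "country": "US", "device": "mac-safari", "ip": "192.0.2.20"},
    {"user": "bob@example.com", "type": "mail_rule", "forward_to": "bob.archive@example.com", "delete_original": False},
]

def is_external(address):
    return address.split("@")[-1].lower() != INTERNAL_DOMAIN

def analyze(events):
    """Learn each user's seen login context and flag takeover-like activity.
    Returns a list of (user, reasons) tuples, one per alerting event."""
    seen = defaultdict(lambda: {"country": set(), "device": set(), "ip": set()})
    recent_novel_login = set()  # users whose latest login came from an unseen context
    alerts = []
    for e in events:
        user = e["user"]
        if e["type"] == "login":
            # A dimension is novel only once the user has a history for it,
            # so the very first login of a user does not alert.
            novel = [k for k in ("country", "device", "ip") if seen[user][k] and e[k] not in seen[user][k]]
            for k in ("country", "device", "ip"):
                seen[user][k].add(e[k])
            # A new phone on a known network is normal; a new country, or a
            # login where everything is new, is not.
            if "country" in novel or len(novel) == 3:
                recent_novel_login.add(user)
                alerts.append((user, ["new_" + k for k in novel]))
            else:
                recent_novel_login.discard(user)
        elif e["type"] == "mail_rule":
            reasons = []
            if is_external(e["forward_to"]):
                reasons.append("forward_external")
            if e.get("delete_original"):
                reasons.append("hides_forwarded_mail")
            if reasons and user in recent_novel_login:
                reasons.append("after_novel_login")  # the two signals correlated
            if reasons:
                alerts.append((user, reasons))
    return alerts
```

Bob's rule forwards to an internal archive and is not flagged; Alice's external, delete-on-forward rule right after an all-new login context is.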
Abnormal Security can disarm takeovers automatically and mitigate email security threats. If you're ready to improve your email security, try a demo and learn how we can protect your organization.