Credential stuffing: What is it and how to prevent it

Credential stuffing is a term that you often hear. Here we give you the information you need to understand what credential stuffing is, answer your FAQs and share what you can do to protect your business from credential stuffing attacks.

What is credential stuffing & how does it work?

Credential stuffing is a ‘brute force attack’ that uses bots to automatically inject combinations of usernames and passwords collected from previously breached data files until they match an existing account. Credential stuffing occurs when your company or several companies fail to protect their data.

Attacks typically comprise of three elements:

  1. Attackers build a document containing your email address and various passwords
  2. A bot uses a brute force attack using combinations of all these email addresses and passwords
  3. When a bot finds a match to an existing account, the cybercriminal now has access to your data

Why do attackers use credential stuffing?

It is the most effective type of brute force attack and more successful than attacks that guess passwords based on ‘dictionaries’ of common password and password selection errors. Credit card fraud is the most popular motive, allowing criminals to make purchases from false accounts; hence, eCommerce businesses are usually the target/victim.

Credential stuffing allows cybercriminals to:

  • Gain access to accounts
  • Sell data to other criminals
  • Commit ID theft and fraud
  • Ransom the information in the account (extortion)
  • Damage a company’s or individual’s reputation.

Is credential stuffing illegal?

Yes – It is unlawful to attempt unauthorised acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. Basically, it is illegal to have this information and illegal to use it. GDPR laws state how companies and individuals collect, store and use personal data.

How common is credential stuffing?

Billions of records are being stolen, making credential stuffing one of the most common techniques used to access online accounts.

The potential consequences of attacks

For companies:

  • Unsuccessful attack
    • Traffic spikes
    • Analytic anomalies
    • Server downtime
  • Successful attack
    • Reputational damage – the company loses business and partners
    • Financial damage – up to 4% of global annual turnover, if found in violation of the EU’s General Data Protection Regulation (GDPR).

For individuals:

  • Emotional/mental
    • Feelings of being violated, fear, and anxiety.
  • Financial
    • While some cybercriminals will only take a small amount regularly in the hopes that the lost money isn’t noticed, some attackers will take a devastating amount, preventing individuals from upholding commitments, getting them into debt, and causing a bad credit rating. Some attackers make purchases from credit cards knowing that the person can request a chargeback; however, this hurts the merchant. Learn more about chargeback management here.
    • There are further additional costs when considering the time it takes to investigate and resolve cases.

How to detect credential stuffing

You can spot credential stuffing by noticing continuously failed logins. The software can help detect this with a bot detection solution that provides a user attempts suit report.

How to prevent credential stuffing:

Four steps that will help you prevent credential stuffing include:

  1. Penetration testing to prevent data breaches as a company
  2. Using strong password security and password managers to protect yourself as an individual
  3. Companies introducing multi-factor / biometric authentication as an option
  4. Training workforce members to defend against automated e-commerce bot attacks

What to do if you have been a victim of credential stuffing

Companies should introduce and follow their Business Continuity (BC) and Disaster Recovery (DC) plan. Individuals should follow the advice outlined by the company. Alert the authorities.

Credential stuffing in the news

  • Dunkin’ Donuts was the victim of an account takeover attack. Cybercriminals used usernames and passwords from previous data breaches to access 1,200 customer DD Perks rewards accounts intending to sell access to the accounts and their reward points.
  • Disney+ streaming service was hit by disruption as vast volumes of previously stolen user names and passwords were tested and then put up for sale on dark web forums.

Contact us

Related Articles

The Importance of 2 Factor Authentication (2FA)

Authenticating access to any account, network, or application is a vital process. Traditionally this has been achieved with a username and password. However, passwords can be weak and offer poor cybersecurity, putting companies, customers, and data at severe risk.

Find Out More

Concerns about data harvesting

As a penetration tester, you know more about vulnerabilities, not just for companies but personally. You know how easy it is for cyber attackers to access and collect personal information, a process known as data harvesting.

Find Out More