An attacker sits at a laptop and attempts to login to another application using stolen login credentials.

What is Credential Stuffing?

Exploitation of compromised and stolen login data to gain access to other user accounts.

In today’s fast-paced digital landscape, securing your online accounts is more essential than ever. Credential stuffing has become a popular cyber threat, and it relies on individuals’ tendency to reuse passwords across multiple platforms. Attackers use this tactic to exploit stolen combinations of username (or e-mail address) and password, gaining unauthorized access to personal accounts and, with them, to sensitive data. With cyberattacks becoming increasingly sophisticated, it’s essential to understand how credential stuffing works and, more importantly, how you can protect yourself from this risk. In this blog article, we’ll dive deeper into the mechanics of credential stuffing and provide you with practical strategies to safeguard your accounts, ensuring that your digital life remains secure. Don’t let cybercriminals compromise your safety - equip yourself with the knowledge to stay one step ahead.

Understanding Credential Stuffing: What Is It?

Credential stuffing is a cyberattack in which previously leaked or illegally obtained login details (usually a username or e-mail address plus a password) are reused. Attackers typically take information obtained in a data breach or data theft and use it to log in to other, unrelated services, applications, portals, or websites. These attacks are not carried out manually and individually, but automatically and at scale, usually with many thousands or even millions of illegally obtained login details.

Such credential stuffing attacks are possible because, according to various studies, around two-thirds of users use the same login credentials for several services. One study showed that more than 81% of users reuse the same password two or more times, and more than 25% use the same password for most of their customer accounts.

Even though the success rate of credential stuffing is statistically low and, based on experience, only 0.5-2.0% of attempts succeed, the technique is becoming a serious problem in the digital world because of how widely it is used. This is largely due to botnet technologies, which attackers use to imitate legitimate login attempts. In a very short time, thousands of login details can be tested efficiently, usually without the victim or the application operator noticing. Even if an attacker records only 5,000-20,000 successful logins when testing a million login details, exploiting the personal and financial information obtained is enough to cause serious damage. Once attackers gain access to one account, they can potentially infiltrate other accounts that use the same credentials. This can lead to financial losses, identity theft, and a loss of privacy. For businesses, the consequences can be even more severe, including legal liabilities, financial penalties, and reputational damage.

The Rise of Credential Stuffing Attacks

Credential stuffing attacks have increased steadily in recent years, driven by the exponential growth of online services and the corresponding rise in data breaches. Cybercriminals are capitalizing on the vast amounts of stolen data (some lists contain billions of user credentials) available on the dark web. This data is used to launch automated attacks on a wide range of platforms. The sheer volume of compromised credentials has made credential stuffing a preferred method for cybercriminals, as it offers a high return on investment with relatively low risk.

One of the key factors contributing to the rise of credential stuffing is the prevalence of password reuse among users. Despite manifold warnings from cybersecurity researchers and the corresponding security blog articles, many users rely on the same password across multiple accounts. This practice plays directly into the hands of attackers, who count on the likelihood that a single set of credentials will unlock multiple doors. The growing feature set and quality of attack tools has also made it easier for criminals to perform credential stuffing attacks on a larger scale.

The impact of credential stuffing is not limited to individual users; businesses are also feeling the heat. Online services, particularly those in the financial and retail sectors, have become prime targets for these attacks. On a company level, the cost of credential stuffing attacks can be substantial, including direct financial losses, increased security measures, and damage to customer trust. The rise of credential stuffing translates into the need for robust security practices and a proactive approach to protecting sensitive information.

How Credential Stuffing Works: A Technical Overview

Credential stuffing is based on a collection of compromised and stolen login details. These lists, which often contain millions of login details, are offered on separate marketplaces on the Internet or on the darknet and usually originate from previous data leaks or hacker attacks.

With the help of botnets and automated tools or scripts, the stolen access data is then tested simultaneously on several other websites in an attempt to log in, which increases the probability of success.

The botnets can operate around the clock, testing thousands of combinations per minute. To avoid detection, the botnets often use techniques like IP rotation and CAPTCHA bypassing, making it difficult for security systems to differentiate between legitimate and malicious login attempts.

By successfully matching a username (or e-mail address) and password, a credential stuffing attack gives the attacker access to the victim’s account. This leads to the loss of personal information, unauthorized transactions, or misuse of the account to launch further attacks. In some cases, attackers may sell compromised accounts to other cybercriminals, who use them for various malicious activities. The primary targets are bank websites, social media, and e-commerce platforms, where attackers expect to make the biggest profits.

Credential Stuffing vs. Brute-Force Attack

Both attack methods involve an attacker gaining unauthorized access to user accounts. Only the approach differs significantly.

In a brute-force attack, the attacker tries to guess the password. Initially, they do not know any valid combination of login details and try to succeed by trying out random parameters and characters, sometimes combined with lists of common passwords. The attacker keeps trying until a combination works. The process is very time-consuming and can also be prevented quite easily by the user setting a strong password and by the application operator implementing technical measures such as a lockout function. Unfortunately, this lockout function is still far too rarely implemented in practice.

At its core, a credential stuffing attack is also a brute-force attack, but at a much more sophisticated level. The attacker tests combinations of usernames or e-mail addresses and passwords that are already known from other data breaches. Since users often use the same combinations of login details for different websites, this approach significantly increases the attacker’s chances of success and dramatically reduces the number of attempts required.

While a brute-force attack quickly cracks accounts with short and easy-to-guess passwords, password strength is irrelevant in credential stuffing: once the credentials are known and reused, even a strong password offers no protection.

Credential Stuffing vs. Password Spraying

While stolen username and password combinations obtained from data breaches play the dominant role in credential stuffing, where they are used to access multiple accounts across various platforms, password spraying takes a different route.

Attackers try one or two commonly used passwords against many usernames or e-mail addresses. In contrast to a brute-force attack, this keeps the number of failed login attempts per account low, which helps to avoid triggering lockouts and other security measures. Even though the success rates for password spraying are generally lower than those of credential stuffing, it remains an important tool due to its broad approach.

Credential Stuffing and its Impact on Individuals and Businesses

For individuals, the impact of a credential stuffing attack can be severe. By accessing an account, attackers can steal sensitive information such as personal details, financial data, and private communications. This might lead to severe consequences such as identity theft, fraud, or the sale of the account on the dark web. Victims may find themselves dealing with unauthorized charges, damaged credit scores, and a lengthy process of reclaiming their financial identity. The emotional toll of such an invasion of privacy can also be significant, causing stress and anxiety.

Businesses are not immune to the consequences of credential stuffing attacks either. When cybercriminals successfully breach a company’s security, the fallout can be extensive. Fraudulent transactions often lead to financial losses, and the cost of mitigating the attack is just the beginning. Companies may also face legal repercussions if they fail to protect customer data adequately, leading to fines and regulatory penalties. Moreover, reputational damage can result in a loss of customer trust, decreased sales, and long-term harm to the brand.

Common Signs That Your Account Has Been Compromised

A compromised account can often be detected by unusual activity that you did not initiate. This could include unauthorized transactions, changes to account settings, or unfamiliar devices accessing your account. If you receive notifications about login attempts from unknown locations or devices, it’s a warning sign that someone else is trying to access your online account without your permission. Pay close attention to any alerts or messages from your service providers, as they often include important information about suspicious activity.

Another common sign of a compromised account is being unable to log in. If your usual password no longer works and you did not change it, it’s possible that a hacker has taken control of your account and changed your credentials. In such cases, you may also find that your recovery options, such as e-mail or phone number, have been changed. This makes it even more difficult to regain access and shows that the hacker is trying to lock you out.

Unexpected e-mails, especially those related to password resets or account changes, can also be a red flag. Cybercriminals often use these tactics to gain further access to your accounts or to trick you into revealing additional information. Be cautious of phishing e-mails that mimic legitimate communications from your service providers. If you receive an e-mail asking you to click a link or take some other action, make sure that the request is legitimate before proceeding.

Best Practices for Protecting Your Account, or How to Prevent Credential Stuffing

One of the most effective ways to protect your accounts from credential stuffing is to use a unique, strong password for every online account. A combination of letters, numbers, and special characters that is not easily guessable should be the basis of a strong password. Avoid common words, phrases, or personal information such as the names of your dog, your hero or your kids, birthdays, or trivial passwords such as “Password123”. Password managers can help you generate and store complex passwords, reducing the temptation to reuse them across multiple platforms.

Do not reuse the same password for multiple accounts. That way, even if one set of credentials is compromised, all your other accounts remain secure.

Enabling account alerts can also help you stay informed about any unusual activity. Many online services offer notifications for login attempts, password changes, and other significant actions. These alerts can provide an early warning of potential security breaches, allowing you to take swift action to secure your account. Review your account settings to ensure that alerts are enabled and set to notify you promptly via e-mail or text message.

For additional protection, you should always use two-factor or multi-factor authentication (2FA or MFA).

It is even more complex for companies to respond to this threat, as a login attempt could just as easily come from a genuine user. By using botnets, attackers also spoof different IP addresses and device types, making it difficult to differentiate their traffic from standard login traffic. As a company, you can only check whether there is an increase in the total volume of login attempts.

In addition, offering two-factor authentication or using CAPTCHAs during login can help distinguish human users from botnets.
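The volume and IP-rotation signals described above can be turned into a simple detector. The following is an added example (not from the original article or from Engity) that buckets constructed login events into one-minute windows and flags a window showing the credential stuffing signature: a spike over an assumed baseline rate, mostly failures, nearly every attempt against a different account, and few attempts per IP. The log format and the baseline of five logins per minute are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format for this example: "<ISO timestamp> <client ip> <username> <ok|fail>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")

def constructed_log():
    """Constructed sample lines (not real traffic): a few genuine logins, then a burst
    of 60 attempts in one minute, each on a different account from a different IP
    (rotation); the single success (~1.7%) mirrors the low hit rate described above."""
    lines = [
        "2024-05-01T10:00:01 198.51.100.7 alice ok",
        "2024-05-01T10:00:09 198.51.100.7 alice ok",
        "2024-05-01T10:00:40 203.0.113.5 bob fail",
        "2024-05-01T10:00:55 203.0.113.5 bob ok",
    ]
    for i in range(60):
        lines.append(f"2024-05-01T10:01:{i:02d} 192.0.2.{i + 1} u{1000 + i} "
                     f"{'ok' if i == 49 else 'fail'}")
    return "\n".join(lines)

def bucket_by_minute(log_text):
    """Group parsed events (ip, username, result) into windows keyed 'YYYY-MM-DDTHH:MM'."""
    windows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            key = datetime.fromisoformat(m.group(1)).strftime("%Y-%m-%dT%H:%M")
            windows[key].append(m.groups()[1:])
    return windows

def window_verdict(events, baseline_per_minute=5):
    """Score one window; baseline_per_minute is the assumed normal login rate."""
    attempts = len(events)
    users = {u for _, u, _ in events}
    ips = {ip for ip, _, _ in events}
    stats = {
        "attempts": attempts,
        "fail_ratio": sum(r == "fail" for _, _, r in events) / attempts,
        "distinct_users": len(users),
        "attempts_per_ip": attempts / len(ips),
    }
    # Stuffing signature: volume far above baseline, mostly failures, nearly every
    # attempt on a different account (each leaked pair tried once), few attempts per IP.
    stats["stuffing"] = (attempts >= 5 * baseline_per_minute
                         and stats["fail_ratio"] >= 0.8
                         and len(users) / attempts >= 0.9
                         and stats["attempts_per_ip"] <= 2.0)
    return stats
```

The thresholds are starting points to tune against your own traffic; a window that trips them is a candidate for step-up authentication or a CAPTCHA rather than an automatic block of every IP involved.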

Tools and Services to Mitigate Credential Stuffing Risks

Several tools and services can help mitigate the risks associated with credential stuffing. Password managers play an important role in creating and storing complex, unique passwords for each of your accounts. Some of these tools can also warn you about weak or reused passwords and ask you to update them. The same applies to a good IAM solution (e.g. from Engity), which also informs you if you try to log in with a weak password.

For individuals and businesses alike, using breach detection services can provide early warnings of compromised credentials. Services like “Have I Been Pwned” allow you to check whether your e-mail addresses or passwords have been exposed in data breaches. By regularly monitoring these services, you can take proactive steps to secure your accounts if your credentials are found in a breach.
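The password check behind “Have I Been Pwned” uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range endpoint, and matches the remaining 35 characters locally against the returned list of “SUFFIX:COUNT” lines, so the password itself never leaves the device. The block below is an added example (not the author’s or Engity’s code) of that client-side matching plus a sign-up policy built on it; the endpoint and line format are those of the public Pwned Passwords API, the range response is constructed inline, and `accept_new_password` and its threshold are hypothetical.

```python
import hashlib

# Public Pwned Passwords range endpoint; only the 5-char prefix is ever appended to it.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

def sha1_split(password):
    """Return (prefix, suffix): the first 5 hex chars of the uppercase SHA-1 digest,
    which is all that leaves the client, and the remaining 35 chars kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(password):
    """URL a client would fetch for this password; it reveals only the prefix."""
    return RANGE_ENDPOINT + sha1_split(password)[0]

def breach_count(password, range_response):
    """Match the locally kept suffix against a range response of 'SUFFIX:COUNT'
    lines and return how often the password appeared in breaches (0 = not listed)."""
    _, suffix = sha1_split(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def accept_new_password(password, range_response, max_known_breaches=0):
    """Hypothetical sign-up / password-change policy: reject any password that has
    been seen in more breaches than the allowed threshold."""
    return breach_count(password, range_response) <= max_known_breaches

def constructed_range_response(known, count):
    """Constructed stand-in for an API response (not real data): two filler
    suffixes around the suffix of `known` with the given count, CRLF-terminated."""
    _, suffix = sha1_split(known)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":1"]) + "\r\n"
```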

Engity also offers the aforementioned services of checking password strength as well as exposure in a data breach when you sign up for Engity’s demo application.

Web application firewalls (WAFs) are another potential tool for businesses looking to protect their online services. WAFs are able to detect and block malicious traffic such as automated credential stuffing attacks. By analyzing incoming traffic and filtering out suspicious activity, WAFs provide an additional layer of defense. Many WAF solutions also offer real-time monitoring and reporting, helping businesses stay informed about potential threats. Nevertheless, you should not trust WAFs alone and complement them with 2FA or passwordless authentication solutions like Passkeys.

What Should Victims of Credential Stuffing Do?

If you think you have fallen victim to a credential stuffing attack, act immediately to secure your accounts. Start by changing the passwords for any affected accounts, ensuring that the new passwords are strong and unique. If you use the same password for multiple accounts, update them to unique and strong passwords to prevent further unauthorized access. In addition, turn on Two-Factor (2FA) or Multi-Factor Authentication (MFA) on all your accounts to increase your security level.

Furthermore, review your account activity so that you can act on any unauthorized transactions or changes. Contact the service providers for the affected accounts to report the suspicious activity and seek their assistance in securing your account. They may offer additional security measures or help you recover your account if you have been locked out. It’s also advisable to monitor your financial statements and credit reports for any signs of identity theft or fraud.

Conclusion: Always Staying Ahead of Cyber Threats

Credential stuffing is a growing cyber threat that exploits the common practice of reusing passwords across multiple accounts. By understanding how these attacks work and implementing robust security measures, you can protect yourself from becoming a victim. Use strong, unique passwords for each of your accounts, enable Multi-Factor Authentication (MFA), and stay informed about potential breaches through monitoring services.

For businesses, investing in advanced security tools like web application firewalls and breach detection services is crucial. Regularly updating security protocols and educating employees about the risks of credential stuffing can help mitigate the threat. The evolving nature of cyber threats requires a proactive approach, and always staying ahead is essential to safeguarding sensitive information.

As the digital age continues to evolve, protecting our online presence, and with it the access credentials for our online accounts, has become more and more important.

By adopting best practices and leveraging the right tools, you can reduce the risk of credential stuffing and ensure that your digital life remains secure. Stay informed, protect yourself, and take the necessary action against the growing danger of cyber threats.