It is very difficult to remember strong and secure passwords, which is why many users reuse the same password over and over again. Hackers exploit this fact. There is a relatively high chance that a user will use the same password for their online bank account as they do for their online shop or social media account. Credential stuffing involves collecting stolen access data and using it to attempt to log in to other, usually related, services.
Credential stuffing usually begins with a data breach and the theft of login data. This data often ends up first on the darknet or on special file-sharing networks on the internet, and then in the hands of hackers.
They first check which online service the data came from in order to prepare the subsequent attack. The purpose of this is to narrow down the list of possible websites to those where there is the greatest chance of successfully logging in with the stolen access data.
Once the preselection has been made, the attacker begins entering the login data available from the data breach into the login forms. The attacker bypasses possible security mechanisms by using automated tools, scripts, and bots that simulate different IP addresses.
Although the success rate of credential stuffing is very low, at less than 0.5%, the volume of leaked login credentials and advances in IT mean that this form of password hacking is still worthwhile for many attackers.
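A defender's view of the pattern described above, as an added example that is not part of the original article: because the attempts are spread over many IP addresses, the check aggregates across all sources and flags time windows with many distinct usernames and a very low success rate. The log format, thresholds, function names, and sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them per service.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 20   # distinct accounts tried within one window
MAX_SUCCESS_RATE = 0.05   # stuffing succeeds only rarely
PER_IP_LIMIT = 5          # a typical per-IP lockout threshold

def parse(line):
    """Parse 'ISO-timestamp ip username OK|FAIL' (constructed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return one alert dict per suspicious tumbling window."""
    events = sorted(parse(l) for l in lines if l.strip())
    alerts, start = [], 0
    while start < len(events):
        end_ts = events[start][0] + WINDOW
        window = [e for e in events[start:] if e[0] < end_ts]
        users = {e[2] for e in window}
        per_ip = Counter(e[1] for e in window)
        rate = sum(e[3] for e in window) / len(window)
        if len(users) >= MIN_DISTINCT_USERS and rate <= MAX_SUCCESS_RATE:
            alerts.append({
                "attempts": len(window),
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
                "success_rate": rate,
                # True when no single IP exceeded the per-IP limit
                "evades_per_ip_limit": max(per_ip.values()) <= PER_IP_LIMIT,
            })
        start += len(window)  # move on to the next window
    return alerts

def sample_log():
    """Constructed data: 200 attempts over 50 rotating IPs with 1 success,
    followed by ordinary traffic from 3 users an hour later."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.{i % 50} "
             f"user{i}@example.com {'OK' if i == 120 else 'FAIL'}"
             for i in range(200)]
    lines += [f"{(base + timedelta(hours=1, seconds=30 * i)).isoformat()} "
              f"203.0.113.7 alice{i % 3}@example.com OK" for i in range(10)]
    return lines

if __name__ == "__main__":
    for alert in detect_stuffing(sample_log()):
        print(alert)
```

In the constructed data each IP makes only four attempts, so a per-IP lockout never triggers, while the aggregate view shows 200 distinct accounts tried with a 0.5% success rate.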