Credential stuffing is a cyber attack method in which attackers use lists of stolen account credentials (which typically consist of usernames/email addresses and the corresponding password) to gain unauthorised access to web application user accounts. The attackers use bots (software applications that are programmed to do specific tasks) to automate large-scale login requests using the compromised account credentials, on targeted web applications.
Once an attacker has gained access to an application using stolen credentials, they can mimic legitimate user behaviour to steal sensitive personal or corporate information. Unlike other credential attacks, credential stuffing assumes users reuse usernames and passwords across multiple websites, which is what makes it such an effective tactic. Only around 0.1% of breached credentials attempted on another service will result in a successful login, but because the attempts are automated at scale, even that rate yields a meaningful number of compromised accounts.
How Credential Stuffing Attacks Work
The following process is performed during a large-scale credential stuffing attack:
- Obtain a list of compromised usernames and passwords from previous data breaches. These lists are often found on dark web forums as a product of previous cyber attacks.
- Set up a bot that is able to automatically log into multiple user accounts in parallel, while also faking different source IP addresses to prevent detection.
- Run the automated process to check if a set of stolen credentials work on various websites and login portals. The process is run in parallel across multiple sites to allow for thousands of login attempts.
- Monitor for successful logins, often without triggering security mechanisms that detect suspicious login attempts. Once unauthorised access is obtained, the attacker can potentially sign out the true user from all devices and take complete control of the account.
- Retain the account information for future use.
The Consequences of Credential Stuffing Attacks
Credential stuffing attacks can have severe consequences for both individuals and organisations. In December 2023, for example, the US restaurant chain Jason’s Deli warned its online customers that their personal data had been exposed in credential stuffing attacks. More than 340,00 customers were affected after attackers used credentials obtained from third-party sources to access Jason’s Deli reward and online accounts.
For Organisations:
- Financial Losses – Businesses face losses due to unauthorised transactions, fraud and the cost of remediating an attack, such as the expenses associated with investigating breaches and implementing enhanced security post-breach.
- Reputational Damage – Any data breach (including those facilitated by credential stuffing) will damage an organisation’s reputation and reduce the trust of its customers and partners.
- Operational Disruption – An organisation may need to limit services while working to contain an event and mitigate the consequences of an attack, leading to operational disruption and loss of productivity.
- Regulatory Penalties – The compromise of user accounts may result in an investigation by a regulatory body to identify if the breach was due to a failure to protect user data. This could result in regulatory fines under data protection laws such as GDPR.
- Increased Costs – Businesses must invest in compliance measures and audits to meet regulatory requirements, adding to operational costs.
For Individuals:
- Fraud – Individuals face losses due to unauthorised transactions and fraud from affected accounts.
- Identity Theft – Credential stuffing can lead to the exposure of personally identifiable information, increasing the risk of identity theft.
- Service Disruption – The compromise of an application account might cause the temporary loss of access to the application, potentially disrupting the user’s ability to use essential services.
- Damage to Reputation – Compromised accounts can be used to spread misinformation or malicious content, damaging an individual’s online reputation.
- Long-Term Risks – Once credentials and/or personal data are compromised, individuals face a long-term risk of repeated attacks and exploitation of their information.
- Impacted Credit Score – Financial losses due to a compromised account might cause detrimental long-term effects, such as damage to an individual’s credit scores which could lead to difficulties in obtaining loans or employment.
Preventing Credential Stuffing Attacks
Both organisations and individuals have a responsibility to ensure that they are not compromised by a credential stuffing attack and can take the following actions to protect themselves.
For Organisations:
- Encourage or require users to create strong, unique passwords that are difficult to guess or crack, and require that users change their passwords periodically.
- Implement Multi-Factor Authentication (MFA) which adds an extra layer of security by requiring users to provide a second form of identification (such as a code sent to their phone) in addition to their password.
- Use CAPTCHA “Completely Automated Public Turing test to tell Computers and Humans Apart” or similar challenges to distinguish between human login attempts and automated bots, or implement systems which analyse user behaviour to detect actions indicative of bot activity.
- Limit the number of login attempts that can be made from a single IP address within a certain timeframe to prevent automated attacks.
- Regularly educate users about the risks of password reuse and the importance of maintaining good password hygiene.
- Implement services that check if users’ credentials have been exposed in known data breaches and prompt them to change compromised passwords.
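The per-IP attempt limit and the behavioural bot detection in the list above can be prototyped with a few dozen lines. The following is an added example, not code from the original article: a sliding-window login rate limiter and a detector that flags source IPs which attempt many different accounts with a high failure rate (the signature of credential stuffing, as opposed to a single-account brute force). The log format, the thresholds, the IP addresses and the sample log lines are all constructed for the example.

```python
"""Per-IP login rate limiting and credential-stuffing detection over
constructed sample log lines. Added example, not the article's code.
The log format, thresholds and IP addresses are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed log format (constructed): "<epoch seconds> <source ip> <username> <success|failure>"
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<user>\S+) (?P<result>success|failure)$")

# Constructed sample: 203.0.113.7 tries eight different accounts in eight seconds
# (one of them succeeds), while 198.51.100.4 is one user mistyping their password twice.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice failure
1700000001 203.0.113.7 bob failure
1700000002 203.0.113.7 carol failure
1700000003 203.0.113.7 dave failure
1700000004 203.0.113.7 erin failure
1700000005 203.0.113.7 frank success
1700000006 203.0.113.7 grace failure
1700000007 203.0.113.7 heidi failure
1700000010 198.51.100.4 alice failure
1700000015 198.51.100.4 alice failure
1700000020 198.51.100.4 alice success
""".splitlines()


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per source IP per `window` seconds."""

    def __init__(self, limit=10, window=60):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:  # expire attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # reject before the password is even checked
        q.append(now)
        return True


def parse_line(line):
    """Return (ts, ip, user, result) or None for a line that does not match the format."""
    m = LOG_LINE.match(line.strip())
    return None if m is None else (int(m["ts"]), m["ip"], m["user"], m["result"])


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def detect_stuffing(lines, min_distinct_users=5, min_failure_rate=0.8):
    """Flag IPs that hit many *different* accounts with a high failure rate.
    A single-account brute force is one user and many passwords; credential
    stuffing is many users, typically one leaked password each."""
    stats = defaultdict(IpStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that do not match the assumed format
        _, ip, user, result = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "failure":
            s.failures += 1
    flagged = {}
    for ip, s in stats.items():
        rate = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and rate >= min_failure_rate:
            flagged[ip] = {"attempts": s.attempts, "distinct_users": len(s.users), "failure_rate": rate}
    return flagged


def blocked_attempts(lines, limit=5, window=60):
    """Replay the log through the limiter; return how many attempts per IP it would have rejected."""
    limiter = LoginRateLimiter(limit, window)
    blocked = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        if not limiter.allow(ip, ts):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("flagged as credential stuffing:", detect_stuffing(SAMPLE_LOG))
    print("attempts the rate limiter would reject:", blocked_attempts(SAMPLE_LOG))
```

Two points worth noting from the output. With a limit of five attempts per minute, the limiter alone rejects only the last three of the attacker's eight attempts and would not stop the one that succeeded, while the legitimate user's two mistakes are never throttled. And because, as the process description above notes, attackers spread their attempts across many source IP addresses, per-IP signals are only a first layer: the distinct-users-per-source heuristic should also be run against a global view (failure rate across the whole login endpoint, attempts per account from many addresses) to catch distributed campaigns.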
For Individuals:
- Individuals should set a strong, unique password for each of their online accounts. To manage the numerous username/password combinations this practice generates, a password manager such as Dashlane or Sticky Password can be helpful. With a password manager, all you have to remember is a single master password.
- Use a website such as Have I Been Pwned to search its database for your email address or username to see whether it has been involved in a breach. Victims of a data breach can also subscribe to credit monitoring and identity theft protection services, which will notify them of any suspicious activity.
- Use two-factor authentication (2FA) on all websites and applications that offer it. 2FA requires the entry of a further token, such as one from an authenticator application, alongside the username and password.
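Both the organisational advice above (check users’ credentials against known breach data and prompt them to change compromised passwords) and the individual advice to look yourself up on Have I Been Pwned rest on the same mechanism, and an application can do the check at sign-up or password change without ever sending the user’s password to a third party. The following is an added example, not code from the article or from Have I Been Pwned: it implements the k-anonymity range lookup model used by the Pwned Passwords service, in which only the first five hex characters of the password’s SHA-1 hash are sent and the service returns every hash suffix in that range with its breach count, so the match is made locally. The breached-password corpus and its counts are constructed, and the network call is replaced by a dictionary lookup so the example runs offline; in production `fetch_range` would be an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Breached-password check using a k-anonymity range lookup. Added example,
not the article's code. The range data is constructed and served from a dict
so the example runs offline."""
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range lookup works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """Return the 5-character prefix that is sent and the 35-character suffix that is kept local."""
    return hex_digest[:5], hex_digest[5:]


def build_range_store(breached_passwords):
    """Constructed stand-in for the service: {prefix: "SUFFIX:COUNT\\r\\nSUFFIX:COUNT..."}."""
    ranges = {}
    for password, count in breached_passwords.items():
        prefix, suffix = split_hash(sha1_hex(password))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


# Constructed corpus; the passwords are common examples and the counts are made up.
RANGE_STORE = build_range_store({"password123": 123456, "letmein": 9001, "qwerty": 77777})


def fetch_range(prefix):
    """Offline replacement for the network call; returns the raw range body for a 5-hex prefix."""
    return RANGE_STORE.get(prefix, "")


def breach_count(password, fetch=fetch_range):
    """Number of times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the full hash is only ever compared on the client
            return int(count)
    return 0


def check_new_password(password, min_length=12, fetch=fetch_range):
    """Policy for a sign-up or password-change form: reject short or breached passwords."""
    if len(password) < min_length:
        return False, "password is shorter than the minimum length"
    if breach_count(password, fetch) > 0:
        return False, "password appears in known breach data; choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password123", "letmein", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), check_new_password(candidate))
```

The same `breach_count` function can drive the proactive check the organisational list recommends: run it against existing users at login time and force a password change when it returns a non-zero count. Because `fetch` is a parameter, the offline store can be swapped for a real HTTP client without touching the policy logic.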
Credential stuffing attacks are a growing threat to both individuals and organisations. By understanding how these attacks work and taking proactive measures, you can reduce the risk of falling victim.
If you’ve experienced a data breach or suspect unauthorised access to your accounts, the team at 3B Data Security can help. We help identify vulnerabilities, address risks, and improve your security defences. Our senior consultants will work with you to minimise the damage and reduce the likelihood of future attacks.