Credential stuffing uses stolen login credentials across multiple websites, using bots for mass log-in attempts.
Credential stuffing is a type of cyberattack where criminals use stolen usernames and passwords from one data breach to try to break into other accounts where people use the exact login details.
For example, an attacker might obtain login credentials from a breached online retailer and use those exact details to attempt access to a popular social media platform, hoping some users have reused their passwords.
This attack, known as a credential stuffing attack, differs from password spraying in that it tests many stolen credentials quickly, while password spraying tries common passwords across many accounts.
To prevent both credential stuffing and password spraying attacks, organizations should implement strong authentication methods like multi-factor authentication (MFA) and encourage regular password updates.
A typical credential stuffing attack generally follows these three steps:
Obtaining Leaked Credentials: Attackers gather usernames and passwords from data breaches, phishing, or dark web purchases.
Automated Testing: Bots rapidly test these credentials on multiple sites, rotating IP addresses to avoid detection and blocking.
Account Exploitation: Successful logins allow criminals to steal data, make unauthorized purchases, send phishing messages, or resell credentials.
Understanding these three steps is crucial for developing effective defenses and preventing credential stuffing attacks before they compromise your systems.
Credential stuffing and brute force attacks both try to break into accounts, but they work differently. Credential stuffing uses stolen usernames and passwords from other sites, while brute force tries many password guesses until one works.
Having a strong password can stop brute force attacks, but it won’t stop credential stuffing if your login details have been leaked elsewhere.
Password spraying is a type of brute force attack with a twist. Instead of guessing many passwords for one account, attackers try one common password like "123456" across many usernames. This avoids account lockouts from multiple failed attempts.
Attackers only get one chance per account, but if you use a simple or easy-to-guess password, that one try might be enough to break in.
The growing threat of credential stuffing is driven by its ease and effectiveness for cybercriminals. Several key factors contribute to the rise in these attacks:
Increasing Data Breaches: Vast amounts of stolen login credentials are exposed on the dark web, enabling large-scale credential stuffing attacks.
Password Reuse: Many users reuse passwords across multiple accounts, making them more vulnerable to attacks.
Advanced Automation Tools: Bots and scripts allow attackers to test millions of stolen credentials on targeted sites quickly.
Insufficient MFA Implementation: Despite MFA’s proven effectiveness, many organizations haven’t fully adopted it, leaving accounts at risk.
Harder Detection: Using real credentials from breaches makes these attacks more difficult to detect than traditional brute force attempts.
Several companies have suffered data breaches because of credential stuffing. Here are some recent examples:
Dunkin' Donuts: Participants of the Dunkin' Donuts loyalty program, DD Perks, found themselves victimized by credential stuffing attacks in 2018-2019. Hackers used stolen login credentials to find any DD Perks accounts that were using the same credentials. If successful, hackers subsequently sold them on the dark web. Buyers would use the credentials to gain access to coupons, points, and stored value.
Nintendo: In 2020, over 300,000 Nintendo accounts were hacked and some accounts were used to make fraudulent purchases. Personal information was also exposed including names, dates of birth, and email addresses. Nintendo believes the attack occurred because of credential stuffing, phishing, or brute force.
Zoom: The conferencing app was the face of many cybersecurity issues in 2020, including when more than 500,000 login credentials were put on sale on the dark web. Criminals found these login credentials by conducting a credential stuffing attack.
Credential stuffing is a serious issue plaguing organizations. While people have a personal responsibility to use different and strong passwords for their accounts, organizations should also take responsibility to enable security protocols to prevent criminals from validating or using stolen login credentials.
Preventing credential stuffing attacks requires a strong, multi-layered cybersecurity framework with stringent password practices. Solutions can include implementing these three password features:
Encourage a Strong Password Policy: Organizations can require users to create complicated passwords or change passwords regularly. This isn't easy to enforce since organizations can't monitor every password a person has created and ensure there is no duplication.
Enable Multi-Factor Authentication: Multi-factor authentication requires users to authenticate their identity twice. Once by having the correct login credentials and again with a second authentication factor, like sending a one-time passcode to the person's phone number. However, criminals can bypass MFA with legacy applications, and organizations may want to consider disabling legacy authentication.
Use a CAPTCHA: CAPTCHA requires users to prove they are human and not a robot by performing an action. This can help reduce the effectiveness of credential stuffing, but some criminals bypass this by using headless browsers. Organizations may want to block headless browsers as a security precaution.
Adding login security features can minimize the threat of credential stuffing, even if there are ways for criminals to evade these protocols. On top of preventing credential stuffing, organizations should stay on alert for compromised accounts and set up a security system that can detect potential problems.
Account takeover signals rarely hide in plain sight. Abnormal’s Account Takeover Protection correlates thousands of signals to stop credential stuffing outcomes in real time:
Flags logins from never-before-seen locations, devices, or IP addresses.
Monitors sudden changes like new mail-filter rules or external forwarding.
Detects unusual conversations involving sensitive or financial data.
Surfaces takeover indicators from vendors across the supply chain.
Abnormal automatically neutralizes takeovers and mitigates downstream email threats.
Credential stuffing attacks are not slowing down, but you can stay ahead. See how Abnormal blocks automated login abuse and protects both employees and customers from account takeover. Request a personalized demo today.
