The sad truth is that more than 343 billion credentials were leaked last year via malware alone.
That’s 343 billion credentials that attackers will try to log in with on other applications to see where they work.
Credential stuffing has become a serious threat to organizations due to how common password reuse is among employees.
Credential stuffing leads to initial access which leads to a full-scale data breach.
In this post, we’ll cover the mechanics of credential stuffing, some real-world examples, as well as the most effective solutions to preventing these attacks.
What is credential stuffing?
Credential stuffing is a type of cyberattack where malicious users leverage automated tools to try to gain unauthorized access to user accounts.
This is typically done by using large sets of stolen usernames and passwords (credentials) obtained from previous data breaches.
The attack is based on the premise that many people reuse their passwords across multiple sites.
The primary objective for attackers is to use these stolen credentials to gain unauthorized access to other applications that use the same username and password.
What is an example of credential stuffing?
A classic example of credential stuffing is when a username and password are stolen in a data breach of a shopping site.
The hacker might try to use the same login credentials to access the victim’s accounts on social media, banking websites, or email, hoping they reused the same password.
How credential stuffing works
Here’s how credential stuffing attacks typically work:
- Obtain Stolen Credentials: Attackers acquire lists of usernames and passwords from previous data breaches, stealer logs, and combo lists. These lists are often traded or sold on dark web forums.
- Automated Attacks: Using headless browsers, attackers attempt to log in to various websites with the stolen user credentials. This process is usually done with automated tools at a high speed and on a large scale, often using a botnet.
- Success and Exploitation: If the login attempt is successful, the attacker gains unauthorized access to the user’s account. They can then sell the access or exploit this for various malicious purposes. Attackers often exploit these accounts for identity theft, to steal corporate information, or to make fraudulent purchases.
Is credential stuffing a DDoS attack?
No, credential stuffing is not a Distributed Denial of Service (DDoS) attack. While both involve sending a lot of requests to a website or service, they have different goals.
- Credential stuffing is when attackers use lists of stolen usernames and passwords to try logging into multiple websites or services, hoping that people reused the same login details across different accounts. The goal is to break into accounts.
- DDoS attacks, on the other hand, are designed to overwhelm a website or service with so much traffic that it crashes or becomes unavailable to users. The goal here is to disrupt the service, not steal credentials.
In other words, credential stuffing is about account takeover, while DDoS is about shutting down a service.
What is the difference between credential stuffing and brute force attacks?
Credential stuffing is a type of brute force attack.
In credential stuffing attacks, attackers use a list of stolen usernames and passwords from past data breaches to try and log in to various accounts.
They hope that people reused the same password across multiple sites.
In brute force attacks, attackers try different combinations of usernames and passwords over and over until they guess the correct one.
This can be done by trying random combinations or by using common passwords.
In other words, credential stuffing uses already known passwords, while brute force attacks involve guessing until they find the right one.
Real-world examples of credential stuffing attacks
Credential stuffing attacks are very common, and even well-known brands have been hit. Here are some real-world examples:
- Jason’s Deli (2023): The US restaurant chain warned its online customers that their personal data had been exposed in a credential stuffing attack. More than 340,000 customers were affected, with compromised data including names, addresses, telephone numbers, birthdays, and truncated credit card numbers.
- 23andMe (2023): A threat actor accessed approximately 14,000 23andMe user accounts using stolen login credentials from other sites. The attacker then collected personal data from millions of people, including genetic ancestry details, which were sold online.
- Dunkin’ Donuts (2019): Dunkin' Donuts announced that 1,200 of their 10 million DD Perks rewards accounts were compromised due to credential stuffing attacks. The attackers used credentials from previous data breaches to gain access to the accounts, which contained personal information and rewards points.
- Disney+ (2019): Shortly after the launch of the Disney+ streaming service, customers faced disruptions as their account credentials were put up for sale on dark web forums. The attackers used stolen usernames and passwords to identify valid credentials on the Disney+ site.
- Superdrug (2018): The UK cosmetics retailer was contacted by hackers claiming to have account data for 20,000 customers. The preliminary investigation suggested that the credentials were acquired through credential stuffing rather than a data breach.
- Uber (2016): An attacker gained access to Uber’s data storage through credential stuffing, using an employee’s previously exposed credentials to access their GitHub account and then the Amazon Web Services S3 buckets where Uber’s data was stored. This breach affected 57 million users.
- HSBC (2018): HSBC notified some of its customers of a data breach where attackers stole personal and account information. The breach, which affected less than one percent of the bank’s 1.4 million customers in the US, was attributed to credential stuffing.
- Reddit (2019): Reddit locked users out of their accounts after suspecting credential stuffing attacks. The security team noticed unusual activity from a large group of accounts and forced users to reset their passwords before restoring access.
How to detect credential stuffing
From a defensive standpoint, detecting credential stuffing attacks is crucial to prevent data breaches. Here are some effective strategies and tools that organizations should consider implementing:
1. Monitor Login Activity
- Anomalous Login Patterns: Look for unusual patterns such as a high number of login attempts in a short period or from a single IP address.
- Geolocation Anomalies: Monitor for logins from unexpected geolocations or IP addresses that differ significantly from the user’s typical location.
2. Rate Limiting
- Throttle Login Attempts: Implement rate limiting to restrict the number of login attempts from a single IP address within a certain timeframe. This can slow down automated attacks and make them less effective.
3. IP Reputation Services
- Blacklist Suspicious IPs: Use IP reputation services to block or flag IP addresses known for malicious activity or associated with previous attacks.
4. Multi-Factor Authentication (MFA) Alerts
- Detect MFA Bypass Attempts: Set up alerts for any suspicious MFA activities, such as multiple failed attempts or bypass attempts, which might indicate a credential stuffing attack.
5. Behavioral Analysis
- Monitor User Behavior: Implement tools that analyze user behavior to detect anomalies. Sudden changes in user behavior, such as accessing different parts of the application or data, can indicate compromised accounts.
6. Use of Honeypots
- Set Traps for Attackers: Deploy honeypots as decoy accounts that appear real to attackers but allow you to monitor for and detect automated login attempts.
7. Log Aggregation and SIEM
- Aggregate and Analyze Logs: Use SIEM systems to aggregate and analyze security logs from across your network. Look for patterns and anomalies that may indicate credential stuffing.
8. Dark Web Monitoring
- Check for Compromised Credentials: Regularly monitor employee and customer accounts using a dark web monitoring service to detect potentially vulnerable accounts.
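The login-monitoring strategies above (high attempt counts from one source in a short window, with a high failure rate) can be turned into a concrete detector. The following Python is an added example, not code from the original post or from Breachsense; it assumes a simple constructed log format (timestamp, client IP, username, OK/FAIL) and uses the distinction drawn earlier in the post: credential stuffing touches many distinct usernames from one source, whereas a classic brute-force attack hammers one username.

```python
# Added example (not from the original post): flag credential stuffing in auth logs.
# Assumed log format, constructed for this example (not any vendor's):
#   <ISO-8601 timestamp> <client IP> <username> <OK|FAIL>
# Stuffing signature: many DISTINCT usernames from one source in a short window,
# almost all failing. Brute force is the opposite: one username, many attempts.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_ATTEMPTS = 8                # attempts inside the window before judging
MIN_DISTINCT_USERS = 5          # many accounts tried -> stuffing, not brute force
MIN_FAIL_RATIO = 0.8            # stolen lists mostly miss on other sites

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def classify_ip(events):
    # events: list of (ts, user, ok) for one source IP; returns a label
    events = sorted(events)
    for start in range(len(events)):
        end = start
        while end < len(events) and events[end][0] - events[start][0] <= WINDOW:
            end += 1
        win = events[start:end]
        if len(win) < MIN_ATTEMPTS:
            continue
        fails = sum(1 for _, _, ok in win if not ok)
        users = {u for _, u, _ in win}
        if fails / len(win) < MIN_FAIL_RATIO:
            continue
        if len(users) >= MIN_DISTINCT_USERS:
            return "credential_stuffing"
        if len(users) == 1:
            return "brute_force"
    return "benign"

def detect(lines):
    # map each source IP seen in the log lines to its label
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        per_ip[ip].append((ts, user, ok))
    return {ip: classify_ip(ev) for ip, ev in per_ip.items()}

# Constructed sample: 203.0.113.7 tries 9 accounts once each (one hit), 198.51.100.9
# hammers one account, 192.0.2.4 is a real user who mistypes twice then logs in.
SAMPLE = [f"2024-05-01T10:00:{i:02d} 203.0.113.7 user{i} {'OK' if i == 3 else 'FAIL'}"
          for i in range(9)]
SAMPLE += [f"2024-05-01T10:01:{i:02d} 198.51.100.9 alice FAIL" for i in range(10)]
SAMPLE += ["2024-05-01T10:02:00 192.0.2.4 bob FAIL", "2024-05-01T10:02:05 192.0.2.4 bob FAIL",
           "2024-05-01T10:02:09 192.0.2.4 bob OK"]
```

Calling `detect(SAMPLE)` labels the first source as credential stuffing, the second as brute force and the third as benign; in a SIEM the same rule would key on whatever field carries the client address, and the thresholds should be tuned against your own baseline of legitimate failed logins.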
How to prevent credential stuffing
The following techniques can help prevent credential stuffing attacks. No single technique is a silver bullet, so combining them is highly recommended:
Use A Password Manager
Mandate the use of a password manager to help employees generate, store, and manage unique, strong passwords for each of their accounts. This can simplify the process of maintaining unique passwords and reduce the likelihood of password reuse across multiple sites.
Implement Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring users to provide additional verification beyond just a password, such as a code sent to their mobile device.
Educate Users
Provide training and awareness programs to educate users about the risks of credential stuffing, the importance of using unique passwords, and the need to enable MFA.
Use CAPTCHAs
Implement CAPTCHAs on login pages to differentiate between human users and automated bots, making it more difficult for attackers to execute credential stuffing attacks.
How Breachsense can help
According to the Verizon Data Breach Investigations Report, 86% of data breaches involved the use of stolen credentials. They’re the easiest way for malicious users to bypass detection and gain access to their target network.
Breachsense is a dark web monitoring solution that can alert you in real-time when your employees’, customers’, or third-party vendors’ compromised accounts appear on the dark web. This enables your security team to mitigate the risk and reset the stolen credentials before hackers can exploit them.
Breachsense provides flexible integration with virtually any application, SIEM, or browser, making it easy for businesses to implement the service into their existing security toolset.
If you need visibility into your organization’s leaked credentials and leaked data, book a demo to see how Breachsense can help.