24 Aug Credential Stuffing
Old-fashioned but very effective, credential stuffing leads to online account takeover and compromised user data, and it succeeds because of basic human nature. We are all a little lazy at times, and that laziness is what makes credential stuffing attacks so successful. The technique is not new, but it remains effective because people reuse the same username/password combination on many, if not all, of their online accounts. The result is data leakage and asset theft, large and small, amounting to more than $4 billion of online fraud in 2017.
What is “credential stuffing”?
“Credential stuffing” is the fraudulent takeover of user accounts by testing large numbers of leaked username/password combinations against a login page with automated tools, or bots. The tools range from simple Python scripts and web injection techniques to sophisticated automated bot kits sold on the dark web and tuned for specific sites or market sectors.
These tools exploit users' common habit of reusing the same username and password across multiple online accounts. It is relatively easy for attackers to obtain username/password combinations, either by purchasing breach dumps on the dark web or by running phishing campaigns. The credentials are then replayed against many targeted websites until a login succeeds. Once inside, the attacker uses the hijacked account for their own purposes, which usually means stealing personal data such as name, address, social security number, credit card details and bank account numbers.
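What the attack described above looks like in an authentication log, as an added example that is not code from the original article or from ForceShield: one source replays a different stolen username/password pair against account after account, so the log shows one IP, many distinct usernames, a very high failure rate and a few "lucky" successes. A password brute-force attack shows one username with many attempts, and a legitimate user shows a couple of failures on one username followed by a success. The log format, field names, sample lines and thresholds below are assumptions constructed for this example.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed (hypothetical) log format: "<timestamp> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample data for this example; not taken from any real system.
# 203.0.113.7  : stuffing  (10 accounts, 1 try each, 2 succeed)
# 198.51.100.9 : brute force (1 account, 6 tries, all fail)
# 192.0.2.5    : normal user (2 typos, then success)
SAMPLE_LOG = """\
2018-08-24T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-08-24T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2018-08-24T10:00:02Z src=203.0.113.7 user=carol result=OK
2018-08-24T10:00:02Z src=203.0.113.7 user=dave result=FAIL
2018-08-24T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2018-08-24T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2018-08-24T10:00:04Z src=203.0.113.7 user=grace result=OK
2018-08-24T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2018-08-24T10:00:05Z src=203.0.113.7 user=ivan result=FAIL
2018-08-24T10:00:05Z src=203.0.113.7 user=judy result=FAIL
2018-08-24T10:01:00Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:01:01Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:01:02Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:01:03Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:01:04Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:01:05Z src=198.51.100.9 user=mallory result=FAIL
2018-08-24T10:02:00Z src=192.0.2.5 user=oscar result=FAIL
2018-08-24T10:02:05Z src=192.0.2.5 user=oscar result=FAIL
2018-08-24T10:02:09Z src=192.0.2.5 user=oscar result=OK
"""

# Detection thresholds (assumed values; tune them to the site's normal login traffic).
MIN_ATTEMPTS = 5        # ignore sources with fewer attempts in the window
MIN_DISTINCT_USERS = 5  # stuffing: one source touches many accounts
MIN_FAIL_RATIO = 0.7    # stuffing and brute force: almost every attempt fails


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    logged_in: set = field(default_factory=set)  # accounts that produced result=OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> dict:
    """Aggregate login attempts per source IP; lines that do not match are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.logged_in.add(m["user"])
    return stats


def classify(s: SourceStats) -> str:
    """Label one source by the shape of its attempts, not by any single failure."""
    if s.attempts < MIN_ATTEMPTS or s.fail_ratio < MIN_FAIL_RATIO:
        return "normal"
    if len(s.users) >= MIN_DISTINCT_USERS:
        return "credential_stuffing"
    if len(s.users) == 1:
        return "brute_force"
    return "suspicious"


def detect(text: str) -> dict:
    """Return {src: (label, accounts to lock or force-reset)} for every source seen."""
    findings = {}
    for src, s in parse_log(text).items():
        label = classify(s)
        # A successful login from an attacking source is a taken-over account.
        hit = sorted(s.logged_in) if label != "normal" else []
        findings[src] = (label, hit)
    return findings


if __name__ == "__main__":
    for src, (label, accounts) in detect(SAMPLE_LOG).items():
        print(f"{src:15} {label:20} {accounts}")
```

The per-IP view is the simplest signal and is enough for the constructed data, but real stuffing campaigns spread their attempts across proxies and botnets so that each IP stays under `MIN_ATTEMPTS`. The same failure-ratio and distinct-user counting should therefore also be run over wider keys (a user-agent string, an ASN, or the site as a whole) and compared with the site's baseline login failure rate; a sudden jump in global failed logins against accounts that have never been seen before is the campaign-level signature of the attack.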
According to a recent survey conducted at the Infosecurity Conference 2018 in London, a surprising 45 percent of participating security professionals reused passwords. The trend is clearly worse among average, less sophisticated web users. Given that the average web user has more than 200 online accounts, the breach of a single set of credentials can compromise many accounts at once.
In June 2018 hackers posted more than 1.4 billion leaked username/password pairs on the Internet (http://dumpedlqezarfife.onion.lu) in a single file, along with Bitcoin payment channels for buying complete user information databases. In 2017 alone the number of leaked credentials reached as many as 7.8 billion username/password pairs. This data, combined with readily available low-cost tools, provides ample ammunition for massive credential stuffing attacks.
Business interruption caused by information leakage
One of the biggest impacts of credential stuffing on the enterprise is the leakage of personal data. Hacked personal health care accounts sell on the dark web for as much as $50 each, so criminal demand is very high. With regulations such as the Personal Information Protection Act and GDPR, enterprises are required to protect user data more carefully and to notify when breaches occur. Platforms with large user bases, such as e-commerce and online banking, are at greater risk since reporting a known breach is required by law. Large fines and a damaged corporate reputation are just the tip of the iceberg: lost customer loyalty and damage to valuable brands can severely reduce online revenue, an increasingly important component of most enterprises' income.
Reusing usernames and passwords is a very human failing, since most people have a hard time remembering many login credentials. To reduce account takeover, other forms of user authentication have become more popular, and multi-factor authentication (MFA) or two-step verification has been shown to greatly reduce the risk of account takeover. However, MFA adds friction at login and degrades the user experience. That friction can lower the number of site visits and completed purchases, which in turn reduces revenue.
The best way to prevent credential stuffing
Traditional passive security mechanisms are not enough to overcome the challenges of credential stuffing attacks; proactive defensive solutions are needed to block credential stuffing and other automated bot attacks. ForceShield provides a ‘zero day’ dynamic defense against legacy and new credential stuffing attacks, as well as other automated attacks that result in online fraud. The ForceShield solution deflects credential stuffing attacks without relying on MFA, so the user experience is not degraded and brand loyalty and online revenue remain high.