Credential stuffing is a cyberattack in which stolen usernames and passwords, often exposed via data breaches, are used en masse to gain unauthorized access to user accounts on other platforms.
If a cybercriminal obtains someone’s login information from one compromised website, they can attempt to use it on other websites where the person may have accounts, potentially hijacking their email, bank accounts, social media profiles and more.
Let’s start with an analogy. Imagine a robber gets his hands on a giant keychain that contains hundreds of keys. He walks down a street, trying each key on every car door he encounters. Sooner or later, statistically speaking, he'll find a car that one of his keys unlocks. Credential stuffing works in a similar way, but instead of physical keys and car doors, it uses stolen login credentials and online accounts.
Here’s a step-by-step breakdown of a typical credential stuffing attack:
Credential stuffing and password spraying both exploit weak password practices and password fatigue, but they differ in their approach. Let’s explore these differences
In credential stuffing, cybercriminals use automated tools to inject compromised credentials into online services. Password spraying, on the other hand, uses a limited set of commonly used passwords against a large list of user accounts.
The goal of credential stuffing is to take advantage of password reuse and compromise as many accounts as possible, whereas the aim of password spraying is to identify accounts with weak or easily guessable passwords.
Credential stuffing attacks typically have a higher success rate if the hacker uses a large and recent database of stolen credentials. Conversely, the success rate of password spraying depends on the weakness of the passwords chosen by the users of the targeted platforms.
As with every cyber threat, prevention is a more effective approach than scrambling for a cure after the fact. Here are some steps you can take to harden your infrastructure against credential stuffing and similar attacks:
Implement these security controls:
Now, let's look at some real-life cyberattacks that were carried out through credential stuffing:
In 2019, Starling Bank was the victim of a credential stuffing attack. Malicious actors bombarded the bank's login system with stolen usernames and passwords. Even though the success rate remained a relatively low 0.23%, the incident led to severe financial losses for the bank.
In 2019, food delivery service Deliveroo suffered a credential stuffing attack. Attackers compromised customer accounts, which were then sold for just $6 each on the dark web.
In 2023, a credential stuffing attack compromised roughly 14,000 user accounts on the genetic testing platform, 23andMe.
Credential stuffing is a dangerous cyberattack that can affect any organization. This technique relies on the fact that many people reuse the same login credentials across multiple accounts, a risky habit that creates a single point of failure for their online security.
To detect, mitigate and prevent credential stuffing, it’s important to understand how it works, enforce the aforementioned security controls, educate users about password hygiene and security best practices, implement regular monitoring mechanisms and stay vigilant for data breaches.