What Is Credential Stuffing?

There are several types of cybercrime, and credential stuffing is one of them. But what is credential stuffing? Cybercriminals use a massive list of stolen credentials that compromises usernames and passwords from one organization to gain unauthorized access to their systems and applications. Credential stuffing uses malicious bots and the same username and password for multiple services.

When a database breach exposes these credentials, the sites allow access to cyber attackers. According to an online security survey by Google, 65% of people reuse the same passcodes on numerous (and sometimes all) accounts. Credential stuffing threats are one of the most likely reasons for data breaches. Roughly half of all login queries enterprises receive are based on credential stuffing.

As more credentials are subjected to breaches, the chances for cybercriminals to use credential stuffing grows. At the moment, millions and millions of credential theft are making the rounds on the dark web. This article discusses what is credential stuffing, credential stuffing attacks, the reasons behind their increase, how to prevent them, and more.

Credential Stuffing Attack—Primary Reasons Behind Its Significant Rise

There are multiple reasons why credential stuffing attack is increasing day by day. Let us go through some of them:

  • Challenges In Detecting An Attack

Threat actors might imitate an authentic user like an employee, contractor, or even a third-party supplier in an effective credential-stuffing attack. This, combined with the lack of malware or other attack vectors, makes detecting a stuffing attack via conventional cybersecurity defenses extremely difficult.

  • The Great Shift To Remote Working

The COVID-19 pandemic hastened the trend of remote workers, leaving many businesses unready to protect a decentralized system. Attackers have taken advantage of this shift and are attempting to enhance vulnerabilities of devices and services using login details from individual accounts.

  • The Availability Of Credentials

In past years, cybercriminals gained access to a huge number of credentials. Users’ obtained usernames and passwords are sold to other hackers on the websites. These sales can be accepted as an opening move for a brute force attack and other hacker attacks.

  • Low Technical Competence To Attack

The degree of technical skill and cost required to perform a credential stuffing invasion are both extremely low. Anyone with a computer can purchase a compromised account on the dark web for as little as USD 50 and initiate a credential-stuffing attack.

  • The Latest Generation Of Advanced Technology

Credential stuffing attacks use credential stuffing bots or other intelligent technology tools to log into multiple accounts in a short amount of time. The tool only attempts to log in to the software once since these bots are coded to test a specific user ID and password.

This enables the tool to circumvent many conventional security measures, such as preventing IP addresses with many failed logins.

How Credential Stuffing Attacks Work

An attacker uses a typical process in a credential stuffing attack, following all the steps involved:

  1. The attacker or criminal adds the credentials to a bot that can log in to several user accounts with fake IP addresses.
  2. If the login is successful, the attacker knows that they have a valid set of credentials.
  3. Now the attackers have access to the user’s account.
  4. The attacker obtains personally identifiable information, credit card details, private pictures, social security numbers, and addresses.
  5. Attackers can also use the account for spamming.
  6. They also sell known-valid credentials to multiple sites for other attackers to use.

Credential Stuffing Vs. Brute Force Attacks

Although credential stuffing and brute force are quite similar, there are some key differences. Let’s explore these:

  • By combining common passwords and phrases and using random combinations of numbers and alphabets, people making brute force attacks attempt to figure out login credentials without context.
  • The attacker or the criminal succeeds when users choose easy and guessable passwords.
  • The latter lacks much context and data from previous data breaches; hence the login success rate is lower.
  • In the modern era, brute force attacks usually fail compared to credential stuffing.
  • Credential stuffing involves sharing the user’s strong password with many other services, which can lead to a compromise when the user follows the recommendation of the system.

Methods Companies Use For Credential Stuffing Prevention

Many users reuse passwords despite knowing that it is unsafe and that their account information can easily get leaked. Since users find it difficult to remember 50-100 passwords, they can use password managers, but their usage rates are very low.

An organization must take measures to prevent credential stuffing. Here are some methods to prevent credential-stuffing attacks:

Method 1: Multi-Factor Authentication (MFA)

MFA is the most effective way to prevent credential stuffing. According to a study, it saves 99.9% of the private information of a user’s account. Multi-factor authentication requires the user to log in with another type of authentication rather than a username and user password, as malicious bots cannot provide physical authentication.

It could include biometric authentication, such as a fingerprint. The adoption rate of MFA is very low due to concerns about its impact on customer experience.

Method 2: Use Of CAPTCHA

CAPTCHA requires users to prove that they are humans. This method can reduce the chances of a brute force attack and credential stuffing attacks. But cybercriminals can easily bypass CAPTCHA by the use of headless browsers. Like MFA, CAPTCHA can also be combined with other login attempt methods.

However, CAPTCHAs do not offer high security because, in many cases, several tools exist that can be used to break them, and their success rate is also very high.

Method 3: IP Block-Listing

Cyber Attackers have limited access to IP addresses that can be block-listed after false login attempts, and the block-listed IPs attempt to get login into different accounts or systems. The failed IPs can be tracked to get separate per-user failures and protected against brute-force attacks.

Note the last IP which successfully logged into different accounts and add it to the block list. Then take action like locking the account and notifying the user that their account has been compromised.

Method 4: Device Fingerprinting

Using a user agent like JavaScript can easily gain data from user devices. It includes screen resolution, installed fonts, and installed browser plugins. The fingerprint combines parameters like browser, operating system, time zone, and language.

If the same combination of those parameters is logged in many times in one way, it is brute force attacks or credential stuffing attacks. People who use strong user passwords containing different parameter combinations can get measures like banning IPs.

You can use two or three combinations of parameters and access measures like a temporary ban to capture more attacks. It is an effective way to prevent user accounts from credential stuffing and brute-force attacks.

Method 5: Disallow Email Addresses As A User ID

Credential stuffing attacks usually depend on the reuse of usernames and passwords. Many users use the same email ID and password for different services.

This makes it easy for cybercriminals to access your account for credential stuffing. Users must generate unique passwords and usernames for services to make it difficult for cybercriminals to access their data.

This has a low risk of getting predicted. Still, legitimate users must be careful that the suggested username and password should not be easily predicted and not use the same password or username on every account.

Method 6: Block Headless Browser 

Attackers rely on JavaScript calls that are proficient in identifying headless browsers, which include PhantomJS. Access to headless browsers should be restricted as they are not genuine users and are an indicator of suspicious behavior.

Credential Stuffing Attacks: Some Case Studies

Dunkin’ Donuts

Dunkin’ Donuts was twice the victim of a credential stuffing attack in November 2018 and January 2019, exposing private data such as account numbers, email addresses, and phone numbers.

As in the first case, hackers used compromised credentials obtained from multiple sites to gain access to Dunkin’ Donuts’ Perks rewards profiles. It allowed repeat customers to accumulate points and redeem them for free beverages or discounts on other products by the company.


Thousands of customers reported unapproved login information and failed login attempts to their Nintendo accounts in March 2020, resulting in compromised accounts storing important data such as names or email addresses.

According to Nintendo, those credentials were obtained through phishing or credential stuffing. Since any corporate data is extremely crucial, you must devise some secure infrastructure strategy to ensure the safety of your accounts.


In credential stuffing attacks, cybercriminals use users’ stolen credentials like user IDs and passwords and gain access to their personal information like their credit card details, home address, personal number, etc.

Like any other cyberattack, credential stuffing threatens enterprises and individuals. Hence, taking the preventive steps mentioned above is necessary to keep your business and virtual presence safe and secure from credential surfing attacks.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.