Credential stuffing: Everything you need to know to avoid being a victim

Cyberattacks have soared to an all-time high as organizations of all sizes and individuals fall victim to a wide array of malware, spam, ransomware attacks, phishing campaigns, and other hacks. We often also come across several online accounts that are being hacked on digital platforms even though the companies state that their systems have not been compromised. How can this happen? It is because of a growing hacker technique called credential stuffing.

What is credential stuffing?

Credential stuffing is a straightforward strategy in which hackers collect a set of usernames and passwords from corporate breaches and try to stuff those usernames and passwords in several other digital media platforms. In this, attackers exploit the fact that many users have the same passwords for several digital platforms or sites. Billions of credentials have been stolen in recent years. These credentials are now fueling the hackers to exploit user’s personal information and subscriptions illegally using credential stuffing.


Because most of us do not change passwords regularly — even after a data breach — cybercriminals can use credential stuffing for almost everything including spamming, phishing, and account takeovers, which can lead to ransomware being installed on your system. Credential stuffing has become one of the most common means for hackers to exploit and abuse stolen usernames and passwords.

How is credential stuffing different from brute-force attacks?

While credential stuffing itself is a specialized type of brute-force attack, it is much more effective. In brute-force, hackers try to guess the passwords using the “dictionaries” of common username and password combinations. As a result, the chance of success is lower. In credential stuffing, hackers already have valid user details obtained from a data breach. And they use these stolen credentials to access several other different sites, so credential stuffing is much more effective and harmful than typical brute-force attacks.

How does it work?

Attackers use botnets and automated scripts to perform credential stuffing. These bots are then paired with proxies that distribute these botnet attacks across different IP addresses, making them look genuine. Attackers also make and design these botnets to mimic authentic users such as setting them up with delayed inputs and responses.


All of these methods and techniques make it difficult for traditional security prevention systems to detect these bots. Credential stuffing works more effectively on high-traffic websites where a sudden increase in user logins is usually considered normal.

The magnitude of credential stuffing

So, how big is the credential stuffing problem? HaveIBeenPwned is the largest free data breach notification service. The website has tracked over 8.5 billion compromised user accounts and credentials from over 410 different data breaches.

Akamai, one of the leading content delivery networks, observed a massive 61 billion credential stuffing attacks in just 18 months between January 2018 and June 2019. Akamai’s researchers also said that these attacks will grow even more significant due to low-cost tools available for hackers that can evade the traditional intrusion detection systems. Akamai explained that cybercriminals have crafted several applications that streamline and automate credential stuffing, making it possible even for low-skill cybercriminals to launch these attacks.

Staying safe: Users

As an end-user, we can never guarantee the security of our data in any of the service or company we store or use them. Therefore, the best way and the most straightforward approach for an end-user to protect themselves from credential stuffing is to use unique passwords on each account. While this might sound to be a complex process to adapt and manage, it is sure to safeguard your personal information from credential stuffing.

There are several password-managing tools and services available online that can be used to safeguard passwords. Most also have other security features such as two-factor or multifactor authentication and biometric locks.

It is also very important to change passwords at regular intervals. Do not stick to the password for more than a certain number of months if not weeks. It is because of these credential stuffing and other brute-force attacks that many online services are making it mandatory for users to change passwords regularly.

Staying safe: Companies

For companies, however, it is a much more complex story. Companies need to adopt strong security mechanisms to avoid data breaches. A company needs to enforce a policy that its users provide unique passwords and also change them on a timely basis. Companies can also provide added login security mechanisms such as captchas, two-factor or multifactor authentication, and password encryption. Companies can also use security methods such as device fingerprinting, IP blacklisting, and blocking headless browsers.

However, the strongest and most effective solution to prevent credential stuffing is to employ a bot management service. Bot management services can detect and prevent malicious bots from making login attempts into the services without impacting actual user logins. Companies need to deploy strong web application firewall systems and even a slight increase in the login failure rate must be thoroughly examined to prevent such attacks.

Featured image: Shutterstock

Sukesh Mudrakola

Sukesh is a computer science graduate by profession and an IT enterprise and tech enthusiast by passion. Throughout his professional career, he has filled various roles such as Developer, Analyst, and Consultant. He holds an expertise in mobile and wearable technologies and is a Certified Scrum Master.

Published by
Sukesh Mudrakola

Recent Posts

The new brain drain: What if WFH tech employees don’t come back?

Offices are reopening, but after months of a work-from-home routine, many employees may not want…

9 hours ago

Amazon Fraud Detector generally available

Online payment frauds are a threat to any company doing business on the Web. Amazon…

12 hours ago

Identity and access management sector buzzes with new funding, partnerships, solutions

Because no organization wants to end up in the headlines for a data breach, there…

15 hours ago

Remove virtual machines and virtual hard disks completely with PowerShell

Deleting virtual machines is easy, but if you don’t also remove virtual hard disks, you…

1 day ago

Secure your WordPress website: Simple steps to stay safe

Many small businesses use WordPress to build their website. And while WordPress has many options…

2 days ago

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

4 days ago