Credential stuffing: What it is and how to prevent it

Cyberattacks have become complex and sophisticated over the years due to technological advancements and greater security awareness among users. One such kind of attack that we’ll talk about today is credential stuffing. We will delve into what it is, and more importantly, how to prevent it from crippling your organization.

What is credential stuffing?

Password expiration

Credential stuffing is a cyberattack where the credentials stolen from one database or app are used to log into an unrelated service. Often, an automated service or bot is used to test the stolen credentials across different services used by the credential holder in the hope that some of these will share the same password.

For example, let’s say a hacker hacks his way into an organization’s database and collects employees’ passwords. Now, he will use the same passwords to log into the bank account of that employee. This attack often stems from the practice of reusing passwords for easy remembrance. Even in this age of repeated mantras of how important it is to use unique passwords, recycling the same password is way more common and complex than you’d imagine. According to DataProt, 51% of people use the same password for both their work and personal accounts. Further, 78% of Gen Z users use the same password for many online service accounts.

This habit of reusing passwords makes it easy for hackers to access unrelated accounts through the credential stuffing attack.

How common is credential stuffing?

To know how common credential stuffing is, let’s take three major attacks in the last decade.

  • In 2011, more than 93,000 customers at Sony were affected due to credential stuffing
  • The 2012 Dropbox breach brought the spotlight on credential stuffing as Dropbox said that the credentials were stolen from other online services and the same were used to log in to Dropbox.
  • The JPMorgan breach in 2014, where the username and passwords used in JPMorgan-sponsored annual charity races were used to log into the holders’ bank accounts.

Further, a report by F5 Labs shows that the number of credential stuffing or spill incidents doubled from 2016 to 2020, though the annual volume of affected accounts has declined over the same period.

Here’s a look at the numbers.

credential stuffing
F5 Labs

Credential stuffing causes

The credential stuffing process goes through five distinct stages. In the first stage, the stolen credentials are known only to a handful of people, and they leverage it across organizations, which is also the most profitable phase for hackers. As these credentials circulate on the Dark Web, more people start using them, which is when the rate of attack goes up significantly.

When organizations notice this spike in attacks, they inform the users, and in turn, the users change their passwords. As a result, the volume of attacks tapers down, though some attackers continue to try them occasionally in the hope that users recycle their passwords over time.

As you can see, the fundamental cause of credential stuffing is the users’ bad habit of reusing or recycling passwords. But besides that, other causes contribute to this type of attack.

Role of aggregator services

Many aggregator services like Mint give users a consolidated view of their finances. At the same time, these services become a single point for credential stuffing, thereby giving attackers access to all the financial information of users in a single place.

Worse, many bank APIs and security systems allow access to these aggregator services, which means attackers have unfettered access to bank systems and accounts when they know the login credentials for these aggregator sites.

Lowering the guard

Users often reuse their password after a few months simply because it’s easy to remember. For example, let’s say a hacker steals John’s credentials and uses them to log into his bank account. As soon as the bank knows about it, the information is passed to John, and he changes his password right away.

After about a year, John goes through the password change lifecycle and reuses the same hacked password because John doesn’t remember the incident and the compromised password, and the bank doesn’t raise a flag either.

Attackers, however, know this pattern, and this is why they try the stolen credentials at regular intervals. All these mean that John’s bank account is a sitting duck waiting to be hacked.

Takes time to identify the credential stuffing attack

According to F5 Labs, it takes about 120 days to identify a credential stuffing attack and about 15 months to make it public. This is plenty of time for attackers to glean the required information from sensitive services.

Advancements in bot technology

The rate of success of credential stuffing attacks is low, typically around 0.1%. However, the emergence of bot technology has increased the success rate as these bots can continuously try passwords and their combinations across services rather quickly.

Thus, these are some of the common causes for credential stuffing.

Now that you know the possible causes, let’s turn to the more important section on how you can mitigate or prevent them.

How to prevent credential stuffing?

Here are some best practices for both individuals and organizations to prevent credential stuffing.

Sound password practices

credential stuffing

The best way to prevent this attack is to avoid reusing the same password across different services. While it is inconvenient for users to remember multiple passwords, there is simply no other foolproof way to prevent this attack.

Emerging paradigms and frameworks in digital identity such as federated identity management where you use single sign-on services like Google and Facebook to access multiple services, or self-sovereign identity (SSI) that uses secure digital wallets to store your passwords are some ways to prevent these attacks.

Either way, the onus is on the user to create varied, unique, and hard-to-crack passwords. More importantly, unique passwords must be used for each online service, even if it’s inconvenient.

Two-factor authentication

Two-factor authentication is another well-known strategy to thwart credential stuffing. In this authentication, the online service sends a secret code to a user’s email address, phone number, or authenticator app, and the user has to enter this secret code to log in.


This process greatly reduces the chances of a credential stuffing attack because a hacker may not have access to a user’s phone number or email address (hopefully). Sometimes, multifactor authentication is used, where a code is sent to both the registered email ID and the phone number.

Depending on the sensitivity of the transaction or service, organizations choose two or multifactor authentication.

Captcha code

Credential stuffing attacks are a nightmare for organizations because they are not due to a breach or vulnerability in their respective networks. At the same time, they can only give a guideline for users to have strong passwords but can’t prevent them from reusing passwords from other services.

In such cases, captcha codes can be a line of defense to prevent bots from accessing their service. However, this is not foolproof, as hackers have found ways to work around captcha codes.

Advanced detection

Companies can use advanced monitoring solutions to identify a spike in logins or transactions and notify the users of the same. Similarly, they can use a technique called rate-limiting to identify bot traffic and stop them from multiple login attempts.

Many advanced bot management services also prevent credential stuffing.

Biometric prints

biometric credential stuffing

Credential stuffing can also be avoided with biometric prints, where a user’s fingerprint or retina is used for accessing a service. This way, stolen passwords have no meaning for hackers.

Device fingerprinting is also a good option where a combination of parameters such as the operating system, browser, time zone, and device are checked. If these seem to be different from the ones in the record, the company can send an alert to users.

IP blacklisting

When there are multiple login attempts from the same IP address, the system must blacklist or sandbox this IP address to prevent further attempts and notify the user about this attempt.

Organizations can also check if this IP matches the previous logins to ensure that the alert is not false positives.

Thus, these are some strategies to prevent credential stuffing. Often, organizations use a combination of two or more techniques to beef up their system.

What strategies do you use in your organization to prevent credential stuffing? As a user, what do you think is the best way to avoid reusing passwords without compromising inconvenience? Is it even possible?

Share your thoughts with us in the comments section.

Featured image: Shutterstock

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top