Credential stuffing takes advantage of password reuse to allow an attacker to hijack a user’s online accounts. If someone uses the same password across multiple websites or online accounts, then a breach of user credentials from one of these sites could allow an attacker to access all accounts that use the same credentials.

What is Credential Stuffing?

Credential Stuffing - 2318301718 SEO Credential Stuffing 612X404 1

A credential stuffing attack takes advantage of the fact that many people reuse the same or very similar passwords across multiple online accounts. A credential stuffing attack starts with the exposure of a user’s password for an online account via a data breach, phishing attack, or other means.

Once an attacker has this password, they’ll try to use it to authenticate to other online accounts. For example, a password from a social media account may be used on other social media sites, email accounts, financial institutions, etc. Attackers will also commonly try to authenticate as the user to corporate email and other accounts.

With credential stuffing attacks, a reused password is only as strong as the weakest account using it. Password reuse across multiple sites could give an attacker the ability to access online banking and corporate email accounts after a data breach at a minor website where someone created an account.

Credential stuffing attacks can be easily automated using a botnet. As a result, they are one of the most common cyberattacks. Bots can be provided with long lists of compromised credentials and target websites and will work through them, identifying any accounts for which passwords were reused.

Example of Credential Stuffing

In 2021, customers of Verizon Visible, the mobile operator’s budget offering, were the victims of a credential stuffing attack. The attacker used a credential stuffing attack to gain access to the accounts of the company’s customers and then used their stored payment card or account information to order new iPhones that were then shipped to the attacker.

Credential Stuffing vs. Brute Force Attacks

Credential stuffing and brute force attacks are both forms of password guessing attacks. However, they take very different approaches.

Credential stuffing attacks take advantage of the fact that most people have poor password security and reuse passwords across sites. In fact, a Google survey found that 65% of people reuse passwords across multiple accounts. This means that an attacker with a verified password for one account has excellent odds of finding another account with the same login credentials.

A brute force password guessing attack, on the other hand, is designed to find passwords by trying every possible combination.  While this is guaranteed to succeed eventually, it can take a very long time, and the password may be changed before the attacker succeeds.  The effectiveness of these attacks depends on the password length, the algorithms used to securely store a password, and whether the attack can be performed online (via a web portal) or offline (testing against a breached password hash).  In most cases, brute force attacks are too slow to be worth the effort.

Credential Stuffing - 2318301718 SEO Credential Stuffing 612X404

Credential Stuffing Prevention

Credential stuffing attacks take advantage of the fact that people commonly reuse the same password across multiple different online accounts. The simplest way to protect against credential stuffing attacks is to use a unique password for every online account.

However, this does not protect against other password-related security risks. For example, having unique but weak passwords for each account might leave a user vulnerable to a dictionary attack, where an attacker tries to authenticate using a list of common words and passwords. Passwords are also vulnerable to phishing attacks, where an attacker attempts to trick a user into handing over their password.

Multi-factor authentication (MFA) can help to protect against credential stuffing attacks. By requiring multiple factors to log into an account, MFA makes it much more difficult to take advantage of a compromised password.

However, passwords are an inherently weak form of user authentication. The best way to prevent credential stuffing and other password-based attacks is to eliminate passwords altogether. Passwordless authentication, which authenticates users based on biometrics (fingerprint scanners, facial recognition, etc.) or possession of a trusted device, provides much stronger user authentication and complete immunity to credential stuffing attacks.

Credential stuffing is an attack in which a user tests if someone reuses the same breached credentials across multiple online accounts. For example, if a user’s credentials on a social media site are leaked, an attacker will attempt to use the same credentials to log in to online banking, email, and other online accounts.

Credential stuffing attacks are commonly automated using botnets and a list of compromised credentials. Each bot will go through its list of credentials and try to log into a set of online accounts with them. If the login succeeds, the bot will report this fact to the botnet operator.

For password-based authentication systems, the best defense against credential stuffing is to use unique passwords on each online account and to enable multi-factor authentication (MFA) wherever available. However, when possible, it is better to move away from passwords entirely to a passwordless authentication scheme.

Credential stuffing attacks are some of the most common cyberattacks. The reason for this is that these attacks are easily automated, enabling cybercriminals to use massive botnets to rapidly test lists of compromised credentials over many different websites.

No, credential stuffing is an attack on the user authentication process. An attacker tests to see if someone uses the same set of breached credentials across multiple online accounts.

Learn More About Transmit Security

We use cookies to provide the services and features offered on our website and to improve our user experience. Learn More.