Credential Stuffing
Last updated: 2026-03-18
What Is Credential Stuffing
Credential stuffing is an attack that automatically tries username and password pairs (credentials) leaked in past data breaches against other, unrelated services. Its defining characteristic is that it exploits password reuse: attackers use botnets to mass-test credential lists of millions of entries bought on dark web markets.
The attack works because many users reuse the same password across multiple services. Commonly cited survey figures put the share of internet users who reuse a password across two or more services at roughly 65%, and reported success rates for credential stuffing runs are 0.1% to 2%. That sounds low, but against a list of millions of credentials it still yields thousands to tens of thousands of compromised accounts.
Differences from Brute Force Attacks
While brute force attacks try every possible password combination, credential stuffing fundamentally differs by reusing actual credentials that were previously in use.
- Trial Pattern: Brute force tries many passwords against a single account. Credential stuffing tries one leaked password (sometimes a few variants) per account across many accounts
- Detection Difficulty: Brute force is easy to detect through consecutive failures on the same account. Credential stuffing needs only 1-2 attempts per account, so per-account counters never trip and the traffic is hard to distinguish from ordinary login failures; the signal is in the aggregate (many distinct accounts per source, a site-wide rise in failures, attempts against usernames that do not exist)
- Success Rate: Brute force has extremely low success rates except against short or simple passwords, and account lockout usually stops it. Credential stuffing uses real credentials, giving it a relatively high success rate
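The detection difference above, as an added example (not code from the original page): a short Python script runs two heuristics over constructed login-log lines. The per-account consecutive-failure rule that catches brute force misses the stuffing traffic entirely, while a per-source rule keyed on the ratio of distinct usernames and failures, plus attempts against usernames the site never issued, flags it. The log format, IP addresses, usernames, the KNOWN_USERS set and all thresholds are made up for the demonstration.

```python
"""Two login-log heuristics: per-account lockout (catches brute force) and
per-source account diversity (catches credential stuffing).
Added example for this article; the log format, addresses, usernames and
thresholds are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Assumed format per line:
#   <time> ip=<address> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
10:00:01 ip=203.0.113.7 user=alice result=fail
10:00:03 ip=203.0.113.7 user=alice result=fail
10:00:05 ip=203.0.113.7 user=alice result=fail
10:00:07 ip=203.0.113.7 user=alice result=fail
10:00:09 ip=203.0.113.7 user=alice result=fail
10:00:20 ip=198.51.100.2 user=bob result=fail
10:00:21 ip=198.51.100.2 user=carol result=fail
10:00:22 ip=198.51.100.2 user=dave@example.net result=fail
10:00:23 ip=198.51.100.2 user=erin result=ok
10:00:24 ip=198.51.100.2 user=frank@old-shop.example result=fail
10:00:30 ip=198.51.100.9 user=grace result=fail
10:00:31 ip=198.51.100.9 user=heidi result=fail
10:00:32 ip=198.51.100.9 user=ivan@mail.example result=fail
10:00:33 ip=198.51.100.9 user=judy result=fail
10:00:40 ip=192.0.2.50 user=mallory result=fail
10:00:41 ip=192.0.2.50 user=mallory result=ok
"""

# Accounts that actually exist on this site (constructed). Attempts against
# names outside this set come from someone else's breach list.
KNOWN_USERS = {"alice", "bob", "carol", "erin", "grace", "heidi", "judy", "mallory"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": ts, "ip": fields["ip"], "user": fields["user"],
                       "ok": fields["result"] == "ok"})
    return events


def brute_force_accounts(events, max_failures=5):
    """Classic lockout rule: N consecutive failures on one account."""
    streak = defaultdict(int)
    flagged = set()
    for e in events:
        if e["ok"]:
            streak[e["user"]] = 0
            continue
        streak[e["user"]] += 1
        if streak[e["user"]] >= max_failures:
            flagged.add(e["user"])
    return flagged


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    unknown_users: int = 0


def stuffing_sources(events, known_users, min_attempts=4,
                     min_distinct_ratio=0.8, min_fail_ratio=0.7):
    """Flag sources that spread a few attempts over many distinct accounts,
    mostly failing, often against usernames this site never issued."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.failures += 0 if e["ok"] else 1
        s.users.add(e["user"])
        if e["user"] not in known_users:
            s.unknown_users += 1
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        fail_ratio = s.failures / s.attempts
        if distinct_ratio >= min_distinct_ratio and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s.attempts, "distinct_users": len(s.users),
                           "fail_ratio": round(fail_ratio, 2),
                           "unknown_users": s.unknown_users}
    return flagged


def suspected_takeovers(events, flagged_sources):
    """Successful logins inside a flagged burst are the accounts to step up or reset."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_sources})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force targets:", brute_force_accounts(evts))
    hits = stuffing_sources(evts, KNOWN_USERS)
    for ip, info in hits.items():
        print("stuffing source:", ip, info)
    print("accounts to step up / reset:", suspected_takeovers(evts, hits))
```

Per-source keying is the weak point: a campaign spread over residential proxies can land well under min_attempts per address, so in production the same ratios are also computed per ASN and site-wide, and the unknown-username count is tracked as a global rate rather than only per source.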
How the Attack Works in Practice
Credential stuffing attacks are executed in the following steps.
- Obtaining Credentials: Purchase leaked databases from dark web marketplaces. Sets of millions of email addresses and passwords are traded for just tens of dollars
- Tool Preparation: Use automation tools like Sentry MBA or OpenBullet, configured for the target service's login form
- Distributed Execution: Route through thousands of proxies and residential IP addresses to bypass IP-based rate limiting while executing mass login attempts
- Exploiting Compromised Accounts: Successfully accessed accounts are exploited for fraudulent point redemption, personal data theft, and as a springboard for further phishing
E-commerce sites, streaming services, and gaming platforms are particularly targeted, with points and credit card information linked to accounts being the primary targets.
Effective Defenses
It's important to implement countermeasures from both the user side and the service provider side.
User-Side Measures
- Use a Password Manager: Generate and manage unique, complex passwords for each service. This is the most fundamental countermeasure
- Enable Two-Factor Authentication: A leaked password alone is then not enough to log in. Prefer phishing-resistant factors (FIDO2 security keys or passkeys) over SMS codes, which can be intercepted or phished in real time
- Check for Leaks: Regularly check whether your email address is included in leaked data using services like Have I Been Pwned
Service Provider Measures
- Rate Limiting and Anomaly Detection: Rate-limit per account, per source IP and site-wide, and alert on a sudden rise in the overall login failure ratio or in attempts against usernames that do not exist. Because attackers spread traffic across residential proxies, per-IP limits alone are not enough
- CAPTCHA Implementation: Suppress automated bot attempts. However, sophisticated bots and paid CAPTCHA-solving services can bypass them, so treat CAPTCHA as friction, not as a barrier
- Password Leak Check API: Check at registration, password change and login whether the password appears in known breach corpora (for example the Pwned Passwords API, which is queried by hash prefix so the password itself never leaves the client). Reject leaked passwords at registration and force a reset when one is seen at login
- Device Fingerprinting: Detect logins from unusual devices or browsers and require additional authentication
To learn more about this topic, see Credential Stuffing Attacks: The Danger of Password Reuse.
Common Misconceptions
- My password hasn't been leaked, so I'm safe
- Tens of billions of credentials have been leaked over the past decade, and if you use major services, there is a high chance you are in a leak list. A search on Have I Been Pwned shows that a long-used email address very commonly appears in at least one breach.
- Slightly modifying a password makes reuse safe
- Minor changes like turning "password123" into "password124" are ineffective, because attackers also run credential-tweaking rules and password-similarity models that generate the common variations (incrementing a digit, appending a year or symbol). You need a completely different random password for each service.
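The leak-check measure under Service Provider Measures and the "slightly modified password" misconception above, shown together as one added example (not code from this page or from Have I Been Pwned): a Python implementation of the hash-prefix (k-anonymity) lookup used by the Pwned Passwords range API, run against a constructed in-memory corpus so it works offline. Only the first five hex characters of the SHA-1 hash are sent; the suffix comparison happens on the client. A live fetcher is included but not exercised here; the corpus entries, their counts and the User-Agent string are assumptions.

```python
"""Breached-password check using the hash-prefix (k-anonymity) protocol of
the Pwned Passwords range API. Added example for this article, not code
from the page or from the service. Network access is replaced by a
constructed local corpus so the script runs offline; counts are made up."""
import hashlib
from collections import defaultdict

# Constructed breach corpus standing in for the remote index (made-up counts).
CONSTRUCTED_LEAKS = {
    "password123": 120000,
    "password124": 5100,      # the "slightly modified" variant is leaked too
    "qwerty": 3900000,
    "letmein": 280000,
}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaks):
    """Index the corpus the way the range API serves it: prefix -> 'SUFFIX:COUNT' lines."""
    index = defaultdict(list)
    for pw, count in leaks.items():
        digest = sha1_upper(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKS)


def fake_range_fetch(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return "\n".join(RANGE_INDEX.get(prefix, []))


def live_range_fetch(prefix):
    """Real lookup (not exercised offline). Add-Padding asks the service to pad
    the response with dummy zero-count entries so its size reveals less."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "leak-check-example"})  # UA string assumed
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fake_range_fetch):
    """Return how often the password appears in the corpus (0 if never).
    Only the 5-character prefix is passed to fetch(); the suffix stays local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count or 0)
    return 0


def password_acceptable(password, fetch=fake_range_fetch, min_length=8):
    """Policy for registration and password change: reject anything leaked."""
    if len(password) < min_length:
        return False, "too short"
    n = pwned_count(password, fetch)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password123", "password124", "correct-horse-battery-staple-7q"):
        print(pw, password_acceptable(pw))
```

At login the same pwned_count check runs on the submitted password, but a hit there should trigger a forced reset or a second-factor challenge after the credential is verified, not an early rejection: rejecting before verification would tell the attacker nothing, and rejecting after it would confirm the password was correct.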
Credential Stuffing vs. Brute Force Attack
Credential Stuffing
Uses real leaked credentials. Tries once per account across many accounts. Difficult to detect with a relatively high success rate. Root cause is password reuse.
Brute Force Attack
Tries all password combinations. Mass attempts against a single account. Easier to defend with account lockout. Root cause is short or simple passwords.