The Credential Stuffing Guide: How To See & Stop Credential Stuffing Attacks

What do cybercriminals do with the information they obtain during a data breach? Most of the time, it results in credential stuffing.

Credential stuffing is a cyberattack where criminals systematically use stolen data to test usernames and passwords across multiple online platforms. Bad actors gain access to these accounts for financial gain, identity theft and other malicious purposes.

The most common cyberattack, credential stuffing accounts for over one-third of login attempts online. In fact, researchers identified 193 billion credential-stuffing attacks in 2020 alone. Because 65% of people reuse passwords on their accounts, it presents cybercriminals with an opportunity they can’t pass up — taking advantage of leaked credentials. And these opportunities are growing as more breaches lead to more exposed credentials than ever: the FBI sent businesses an official warning that credential stuffing is on a steep rise.

Yes, credential stuffing attacks are prevalent — they are also preventable. With the right cybersecurity measures in place, you can reduce or prevent the likelihood that your organization will fall victim to one. Here is what you need to know about credential stuffing, its impact on business and ways to keep it from affecting you.

How credential stuffing works

OWASP defines credential stuffing as:

“The automated injection of stolen username and password pairs (‘credentials’) in to website login forms, in order to fraudulently gain access to user accounts.”

Considered a subset of brute force attacks, credential stuffing typically relies on botnets to automate the process. Because people reuse their credentials, cybercriminals use the list of usernames and password pairs to try accessing multiple sites at once. The automated process often overwhelms IT infrastructures with traffic up to 180 times the average load.   

Once cybercriminals have access to accounts, they can use the user account and data for many purposes, including selling account access (such as Spotify, Disney+ and Netflix) for a discounted price and ordering high-value products by impersonating legitimate users.

Some of the industries that are typically targeted for credential stuffing include:

  • Financial services
  • E-commerce
  • Social media

While these platforms and businesses are the most at risk, other companies and industries aren’t free and clear. The rising number of data breaches means almost everyone is at risk of an attack.

(Learn about OWASP and the top 10 or understand common vulnerability types.)

The impact of credential stuffing attacks

While credential stuffing has serious ramifications for individuals, it can also devastate companies. One report found that companies lose $6 million on average to credential stuffing through lost customers, application downtime, and increased costs. Some of the most significant impacts on business include:

Corporate espionage and theft

While attacks primarily impact companies by hurting customers, this may be the most damaging attack for businesses. If an attacker takes over an employee or admin account, they can gain access to massive amounts of sensitive and valuable business data.

Cybercriminals can sell off trade secrets, intellectual property, confidential documents and strategic plans or use them to damage your company. They can also access internal communications, confidential files or proprietary data, depending on your employee’s level of access.

(Read more on corporate espionage.)

Financial loss due to fraud

Unauthorized access to users' accounts can lead to direct financial loss due to fraud, theft or the misuse of company resources. For example, companies may be forced to refund the cost of high-value items in the retail space. In most cases, you may also face regulatory fines for failing to protect customer data adequately.

Loss of customer trust

Customers are likely to feel violated and betrayed when they learn their sensitive information and data have been exposed.

If your business suffers from a credential stuffing attack, customers may lose faith in your company’s ability to protect their data and secure their accounts. This loss of trust can lead to reduced customer loyalty and potential loss of business.

Damaged brand reputation

Credential stuffing attacks can damage your brand’s reputation, as customers, partners and the public may perceive your organization as careless and having weak security measures. This perception can negatively impact your company image and discourage potential customers from engaging with the business.

The ripple effect on cybersecurity and internet infrastructure

In response to the attack, your business must invest in advanced security measures, such as implementing more robust authentication protocols or adopting advanced threat detection systems. These investments can increase operational costs and strain company resources.

Strategies for preventing & mitigating credential stuffing

While they are common, your business doesn’t have to fall victim to a credential stuffing attack. Here are the most effective ways to protect your organization from credential stuffing and mitigate the impact of an attack.

Robust security measures and response planning

Your cybersecurity is only as effective as the measures that you have in place. Regularly review and update your security policies, procedures, and technologies to ensure they’re effective against changing and evolving threats. It needs to include:

Response plans are also crucial for mitigating the effects of a potential credential stuffing attack. Develop and maintain an incident response plan that outlines the steps to be taken. Your plan should include procedures for identifying, containing and remediating the attack, as well as notifying any affected users and relevant authorities.

(Get the latest incident review best practices & metrics.)

Employee education and awareness

Your employees are a critical frontline of defense in your cybersecurity strategy. It’s critical that they have the education, awareness and practices in place to avoid falling victim to credential stuffing.

Regularly educate your employees about the risks of credential stuffing and why unique passwords are critical for protection. Provide them with training on recognizing and reporting suspicious activities if they notice something is off.

Implement robust password policies to encourage your employees to use strong, unique passwords for each account. Password policies should require a combination of upper and lower case letters, numbers, special characters and a minimum length.

Advanced authentication methods

Multi-factor authentication (MFA) requires users to authenticate their account with a device or access token they have is one of the best ways to defend your organization against credential stuffing. Bots will not have the physical authentication requirements.

MFA is not always possible for an entire user base. However, it can be combined with other techniques to maximize its effectiveness. For example, device fingerprinting can also ward off attacks. If your security senses a suspicious pattern, such as a high volume of requests or a unique browser, it can use MFA to verify that it is a human trying to access the account.

Machine learning and artificial intelligence in detecting attacks

Machine learning (ML) and artificial intelligence (AI) play critical roles in preventing credential stuffing attacks with their advanced detection and prevention capabilities. ML can analyze large data sets to identify anomalies that may point toward credential stuffing. By recognizing deviations in login attempts, user behavior and traffic patterns, they can detect and flag potential attacks in real time, allowing you to be proactive and take preventative action.

While many businesses try to take a proactive stance toward security, the evolving nature of cybercrime can make it challenging. AI can learn and adapt to changing threats. As the system detects new patterns of attacks, it can update its understanding and improve its ability to recognize future threats. In addition, it can automatically respond to detected credential stuffing attempts. Suspicious activity can trigger AI to block IP Addresses, temporarily lock accounts, or trigger multi-factor authentication.

ML and AI’s automated response can reduce potential damage caused by attacks and minimize the burden on security teams.

Implementing CAPTCHA and other bot-detection mechanisms

Requiring users to perform actions, such as CAPTCHA, to prove they are human can reduce credential stuffing. However, CAPTCHA is not a fool-proof system. Hackers can bypass these protection methods with headless browsers.

Other bot-detection methods besides CAPTCHA can provide another layer of protection:

  • Rate limiting. This restricts how many requests a user or IP address can make within your set time frames. By limiting the frequency of requests, you can slow down or prevent automated attacks.
  • IP blocking. IP reputation services identify and block IP addresses associated with known botnets, proxies, or other malicious activities. To be successful, it does require you to keep the IP blocklist as up-to-date as possible to prevent malicious traffic from reaching the website or application.

Typically, one method on its own will not be successful in thwarting all attacks. Using a combination of bot-detection mechanisms and best practices will help reduce the number of attacks and prevent a breach.

Fighting against the rising tide of credential stuffing

Credential stuffing is a growing threat that has real consequences for both individuals and businesses. Cybercriminals can use sensitive company information and unauthorized access to destroy companies, leading to financial losses, reputational damage and even corporate espionage.

To combat this threat, you must adopt a comprehensive password security approach. Robust measures should include strong password policies, multi-factor authentication, employee education, and implementation of bot-detection tools. Your organization can further enhance your ability to detect and respond to credential stuffing attacks by leveraging AI and ML.

It is only through a proactive and collaborative effort that you can protect your digital assets, safeguard user accounts and maintain the trust of your customers in an increasingly interconnected world.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.

Kayly Lange
Posted by

Kayly Lange

Kayly Lange is a freelance writer. As a tech and SaaS specialist, she enjoys helping companies achieve greater reach and success through informative articles. When she’s not writing, she enjoys being out in nature, cooking, and reading a wide range of novels. You can connect with Kayly on LinkedIn.