Go to page content

Are you getting stuffed?

You came up with a strong password. You do the right thing and make sure that it has a combination of numbers, uppercase letters in the middle, a couple of well-placed symbols and dollar signs, and it ends with an upside-down question mark. Perfect. Now you can use this password on every one of your accounts. And that’s how they get you.

Get stuffed blog

What is credential stuffing?

In simple terms, credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials typically consisting of lists of usernames and / or email addresses and the corresponding passwords (often from a data breach) and then uses the credentials to automatically fill in website login forms to gain unauthorised access to user accounts through large-scale automated login requests directed against a website.

Credential stuffing has been seen in use across a range of different industry sectors as a method to gain unauthorised access to accounts.

It works similarly to a brute force attack, by attempting to gain unauthorised access to user accounts on a site or service via multiple login attempts. However, instead of randomly generating multiple password guesses against a service (as in a brute force attack), credential stuffing exploits people's tendency to reuse username and password combinations. Here attackers fraudulently obtain valid combinations for one site and then use them across other sites to try and gain access to accounts. Any website that requires an online login is potentially vulnerable.

So let’s say a hacker gets your username and password by stealing data from a company database. Then they try that username and password across a range of other sites until, ‘ping’, they get in - because you reused the same credentials.The attacks are automated and often large scale. One data breach can put many other accounts and organisations at risk. As credential stuffing enables an attacker to gain access to an account using legitimate credentials, it can cause a data breach without penetrating a company's infrastructure or systems.

The primary motivation for these types of attacks is financial gain but also includes the theft of Personally Identifiable Information (PII) such as credit card details which can lead to identity theft.

Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools.

How does it happen?

What makes credential stuffing effective? Statistically speaking, credential stuffing attacks have a very low rate of success. Many estimates have this rate at about 0.1%, meaning that for every thousand accounts an attacker attempts to crack, they will succeed roughly once.

But credential stuffing attacks are possible because many users reuse the same username / password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across most of their accounts.

What is credential stuffing vs password spraying?

While password spraying involves testing multiple passwords against a user account, credential stuffing is a type of brute force attack that depends on automated tools to test massive volumes of stolen passwords and usernames across multiple sites until an account gives in.

Why is it on the rise?

There are several reasons why Credential stuffing is a growing risk:

  • Availability of data: In recent years, tens of billions of usernames and passwords have been stolen or leaked. These credentials are posted for purchase on the dark web. They can be used as the starting point for credential stuffing attacks.
  • Technology advances: Credential stuffing attacks leverage bots or other intelligent automation tools to attempt to login to several accounts in a matter of seconds. Because these bots are programmed to test a specific user ID and password combination, the tool only attempts to log in to a given system once. This allows the tool to bypass many traditional security measures, including those that block IP addresses that have too many failed login attempts.
  • Remote working from home: The COVID-19 pandemic accelerated the remote workforce trend and left many companies unprepared to defend a distributed network. Attackers have exploited this shift and are using account credentials from personal accounts to attempt to access business devices and services.

Detection is virtually impossible. In a successful credential stuffing attack, adversaries impersonate a legitimate user, such as an employee, contractor or even a third-party supplier. This, coupled with the absence of malware or other attack vectors, makes it extremely difficult to detect a credential stuffing attack through traditional cybersecurity defences.

How does a credential stuffing attack work?

With Credential stuffing attacks hackers follow a relatively simple process.

Firstly, they leverage stolen account credentials or buy breached credentials on the dark web. These credentials are usually the spoils of a massive data breach or other cyberattack. In most cases, such information can be bought extremely cheaply.

Secondly, with the credentials for at least one online account in hand, the attacker then sets up a botnet or other automation tool to attempt to log into multiple unrelated accounts simultaneously. Usually, the bot has a feature which obscures or spoofs the IP address to avoid triggering security tools which may block foreign or unusual addresses.

Finally, the bot then checks to see if access was granted to any secondary services or accounts. In the event the login attempt was successful, the hacker will gather additional information, such as personal data, stored credit card information or bank details.

How to avoid credential stuffing?

There are 4 simple things you can do to protect yourself against credential stuffing: -

  • Use enable two-factor authentication wherever is possible
  • Use a different password for each of your accounts
  • Use a password manager to generate automatic passwords
  • Use a strong password for each account. This will make it harder for compromised passwords to be reverse hashed.

Weak, unsecured, stolen, and reused passwords lead to cybercrime. They let hackers access your system and exploit the information in whatever way they want. You can even lose your lifetime savings if someone steals your passwords.

There’s not much to be done about taking back past breaches nor to reclaim stolen credentials. But you can take some steps for the future:

Firstly of course, don’t reuse usernames or passwords. You can use a password manager that will help you generate random usernames and passwords and never use any of them twice. A password manager means you don’t have to try and remember lots of different combinations, it does it for you.

To cut down the risk of any of your login information being stolen, use Rightly Protect, our tool that will help you identify all the companies that have any of your personal data and get it deleted from the systems of those that no longer need it.