What is credential stuffing? And how to prevent it?

This post explains what a credential stuffing attack is and which countermeasures prevent it.

A credential stuffing attempt can be caught as a behavioral anomaly – if you’re looking. Earmarked by the FBI as a particular threat to the financial services industry just over a year ago, the increase in internet traffic, data breaches and API usage all contribute to the perfect conditions for successful credential stuffing attacks. Here’s what you need to know about how they work, and how you can stay safe.

What is credential stuffing?

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration. In other words, bad actors collect lists of breached usernames and passwords and run them against the logins they want until they find some that work. Then they enter those accounts for the purpose of abusing permissions, siphoning out data, or both.

Why is it so prevalent now?

It’s now easier and more economical than ever to come by lists of compromised credentials (many are posted free on hacker forums) and run low-sophistication credential stuffing attacks. Tooling-wise, hackers are also turning the same efficient resources that defenders use for automation to automating their attacks. These upgraded capabilities include scripting and automation tools, APIs and traffic throttling (to make brute-force attempts blend in with legitimate traffic).

Also, with the massive push to remote work, XaaS technologies and the rush to the convenience of apps, companies are relying heavily on APIs which are often underprotected. They aren’t customer-facing, and there seems to be a lag in protection owing to that. “Out of sight, out of mind” apparently does not apply to eager cybercriminals, however. And, there remains general bad hygiene surrounding the creation of usernames and passwords, with many being reused over multiple websites. That is the primary way – and indeed the premise upon which – credential stuffing works. You can’t access an account with recycled credentials if there aren’t any.

How credential stuffing attacks work

Here are several steps an attacker could take to implement a successful credential stuffing campaign:

  • Scope out the target and its APIs. Bad actors will look for hosting servers, domain names and vulnerable API endpoints. Over 50% of records breached over the last few years came from apps and APIs.
  • Gather a database of stolen credentials. These lists of pilfered usernames and passwords serve as the ammunition for the attack. If a username and password pair is reused wholesale, it’s an automatic in; if only one of the two is reused, brute forcing the other becomes much easier.
  • Build tooling that is automated and unsuspicious. Automated tooling or scripts then brute force the stolen credentials against access points until one of them works. Most hackers make this look like legitimate user activity by limiting the number of attempts per hour.
  • Launch attack. It is common for attacks to be launched from the cloud, or various geolocations, to evade detection.
  • Learn from results and pivot to ATO. Hackers will check for success codes and often code all results into their automation tooling to make the attack ever more efficient in the future. Once they have obtained a workable login, ATO is achieved and data compromise begins.

How to stop credential stuffing attacks

Here are some primary methods for preventing credential stuffing attacks:

  • Multi-Factor Authentication (MFA). “Credential stuffing relies on automation scripts and tools that cannot easily provide additional factors of authentication, particularly mobile phone authenticator tokens or 2FA tokens sent through alternate channels such as email or SMS,” Salt Security says in its recommendations on how to defend against credential stuffing.
  • Good password hygiene and password managers. “If a password is weak or reused across multiple accounts, it will eventually be compromised,” content delivery network Akamai concluded in its State of the Internet report.
  • Runtime behavior analysis. Establish a baseline and flag behavior that deviates from it. In addition to warning of nefarious activity, it can protect APIs against data scraping, which is commonly used in credential stuffing attacks.

Secondary methods include:

  • CAPTCHA. Completing a CAPTCHA for each access attempt deters password sprays and nefarious logins. Although there have been cases of “CAPTCHA for hire”, adding on any additional costs reduces the ROI (and incentive) of the attackers.
  • Block-listed IPs. Basic attacks can pull from a small pool of IPs, which can be blocked after several failed login attempts. Public IP block lists are also out there, and you can add those to your list.
  • Fingerprint device. A device fingerprint is matched to your browser, and if the two ever don’t correlate, you’ll be prompted for additional verification. In that event, you should probably also change your password.
  • Provide unpredictable usernames. Instead of allowing email addresses which can be easily found (and guessed), require a distinct and secure username. You can provide a generated (not generic) username to improve user experience.

According to OWASP, a nonprofit dedicated to making software safe, “In isolation none of these [secondary measures] are as effective as MFA, however if multiple defenses are implemented in a layered approach, they can provide a reasonable degree of protection.” It’s important to note that, to avoid disrupting the user experience, secondary methods of authenticating can be applied to suspicious login attempts only.

Proactive Defense

Credential stuffing is a systemic problem with a simple solution: if everybody changed their logins tonight, the issue could be solved by morning. In the absence of that, best practices can be put in place and made to work. MFA, CAPTCHA and limits on your API go a long way toward discouraging hackers and securing access. However, the most effective proactive defense is to track traffic over time; that identifies anomalous patterns and points toward an attempted attack, even when other methods fail to do so.
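The runtime behavior analysis and traffic tracking recommended above can be made concrete with a small detector. The following is an added example, not code from the original post: it reads a constructed authentication log, buckets events per source IP and time window, and flags buckets that show the credential stuffing signature (many distinct usernames, mostly failures, one or two tries per name), while leaving single-account brute force and ordinary user typos unflagged. The log format and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the original post):
# "<iso timestamp> <source ip> <username> <OK|FAIL>", one event per line.
SAMPLE_LOG = """\
2024-06-10T10:00:01 203.0.113.7 alice FAIL
2024-06-10T10:00:04 203.0.113.7 bob FAIL
2024-06-10T10:00:09 203.0.113.7 carol OK
2024-06-10T10:00:15 203.0.113.7 dave FAIL
2024-06-10T10:00:21 203.0.113.7 erin FAIL
2024-06-10T10:00:27 203.0.113.7 frank FAIL
2024-06-10T10:01:00 198.51.100.9 grace FAIL
2024-06-10T10:01:05 198.51.100.9 grace FAIL
2024-06-10T10:01:11 198.51.100.9 grace FAIL
2024-06-10T10:02:00 192.0.2.5 heidi FAIL
2024-06-10T10:02:30 192.0.2.5 heidi OK
"""

def parse_events(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.6, max_tries_per_user=2.0):
    """Flag (ip, time window) buckets whose pattern looks like credential stuffing:
    many distinct usernames, mostly failures, one or two tries per name. The
    per-user bound separates stuffing from brute force, which hammers one account."""
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for ts, ip, user, ok in events:
        b = buckets[(ip, int(ts.timestamp()) // window_s * window_s)]
        b["attempts"] += 1
        b["users"].add(user)
        if ok:
            b["hits"].add(user)   # accounts that were actually opened: candidates for a forced reset
        else:
            b["failures"] += 1
    alerts = []
    for (ip, start), b in sorted(buckets.items()):
        users, fail_ratio = len(b["users"]), b["failures"] / b["attempts"]
        if users >= min_users and fail_ratio >= min_fail_ratio and b["attempts"] / users <= max_tries_per_user:
            alerts.append({"ip": ip, "window_start": start, "distinct_users": users,
                           "fail_ratio": round(fail_ratio, 2), "compromised": sorted(b["hits"])})
    return alerts

ALERTS = detect_stuffing(parse_events(SAMPLE_LOG))
```

On the sample above only 203.0.113.7 is flagged, with carol listed as the account to reset; the repeated failures against grace are a different pattern and would need a per-account lockout rule instead.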

About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites. 


Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
