Introducing Akto’s Agentic AI Suite for API Security. Learn More.

Credential Stuffing Explained: Attacks, Examples & Prevention

Learn what credential stuffing is, how attackers exploit reused passwords, and discover effective strategies to detect, prevent, and protect against these attacks.

Bhagyashree

May 14, 2025

Credential Stuffing

Credential stuffing is one of the most common types of cyber attack, and it is often aggravated by the widespread practice of password reuse. According to one study, 81% of users have reused the same password across multiple websites and applications. Even a low success rate of 0.1% to 3% can compromise thousands of accounts, leading to multiple exploitations and significant damage to a business. To prevent and address credential stuffing attacks, it is essential to adopt strong and reliable security measures.

This blog explains the fundamentals of credential stuffing and best practices to prevent it effectively.

What is Credential Stuffing

Credential stuffing is a type of automated brute force attack in which attackers use stolen credentials, often sourced from previous data breaches, to gain unauthorized access to user accounts on various websites. It is also known as password spraying or credential spilling. The technique exploits people's reuse of the same username and password combinations across different platforms. After gaining access, attackers can engage in activities such as unauthorized transactions, identity theft and data breaches, which can result in significant financial losses.

How Does a Credential Stuffing Attack Work?

This is how the credential stuffing attack works:

  • Attackers gather huge batches of compromised credentials from previous data breaches, phishing, or the dark web.

  • They use automated bots or tools to test these credentials rapidly against login forms on various websites, anticipating that users have reused the same passwords across multiple platforms.

  • If a login attempt succeeds, the attacker gains unauthorized access to the user account, which can then be used for fraud, data theft or further attacks, or sold to other criminals.


6 Stages of Credential Stuffing Attacks

Credential stuffing attacks typically unfold in several stages, combining automation with large-scale credential leaks to compromise user accounts, which makes them a persistent and highly effective threat. Here are the stages of a credential stuffing attack:

  1. Data Acquisition: Attackers start by gathering a large set of stolen credentials, usually collected from previous malware infections, phishing campaigns or data breaches, or purchased on dark web marketplaces.

  2. Preparation and Sanitization: The attackers then sanitize, organize and validate these credentials to improve the chances of successful logins. This process includes removing expired, duplicate or invalid credentials.

  3. Target Selection: After sanitization, attackers choose which websites, applications or services to target, mostly prioritizing popular platforms where credential reuse is common and the success rate is high (such as e-commerce, banking or streaming services).

  4. Automation and Execution: Once targets are selected, attackers systematically attempt to log in to the target website and other platforms with the stolen credentials, using automated tools and bots. They distribute these attempts across many IP addresses to avoid detection by security controls and rate-limiting defenses.

  5. Identifying Successful Logins: After a login attempt succeeds, the compromised accounts are then exploited for fraud, data theft, resale, or further attacks.

  6. Monetization and Exploitation: Attackers then monetize their unauthorized access by committing financial fraud, stealing sensitive information, selling the access to other attackers, or launching future attacks from the compromised accounts.

Real-World Examples of Credential Stuffing Attacks

Credential stuffing attacks have had a major impact on a wide range of organizations, from tech companies to banks and retailers. Here are a few notable recent examples:

PayPal - 2022

In 2022, nearly 35,000 PayPal user accounts were accessed by attackers using stolen credentials in a credential stuffing attack. The exposed information included users' full names, birthdates, addresses and social security numbers. PayPal responded by securing the affected accounts and advising users to reset their passwords and choose strong ones.

23andMe - 2023

A credential stuffing attack compromised about 6.9 million customer records at 23andMe. Attackers used previously leaked credentials to access accounts, taking advantage of users' password reuse and insufficient multi-factor authentication.

Roku - 2024

Roku experienced two large credential stuffing attacks in 2024, affecting a total of 591,000 customer accounts. Attackers used credentials stolen in unrelated breaches to access user accounts, make unauthorized purchases and view account details. Roku responded by resetting passwords, reversing fraudulent charges and enabling two-factor authentication for all users.

Levi’s - 2024

Levi’s suffered a credential stuffing attack that compromised over 72,000 customer accounts. Attackers used automated bots and stolen credentials to gain access to customers' personal and order information. The company enforced immediate password resets and warned its customers to update their credentials.

General Motors - 2024

General Motors identified unauthorized purchases and data access in 65 customer accounts after a credential stuffing attack. The company asked all customers to reset their passwords and enabled multi-factor authentication for the affected users.

How to Prevent Credential Stuffing

Credential stuffing attacks exploit the reuse of credentials across multiple platforms and pose significant risks to organizations. The Cloud Security Alliance (CSA) outlines nine best practices to mitigate these threats effectively:

Implement CAPTCHA

CAPTCHA is a common security control for distinguishing humans from automated bots. By requiring users to complete tasks such as typing distorted characters or selecting specific images, CAPTCHA helps restrict the automated tools used in credential stuffing attacks. However, attacker techniques keep advancing, and some bots learn to bypass CAPTCHA, so it is better to use it alongside other security measures.

Adopt Passwordless Authentication

Strong passwords can prevent unauthorized access to an extent, but adopting passwordless authentication provides a higher level of security. This method removes the need for traditional usernames and passwords by relying on "who you are" instead of "what you know." Authentication is usually performed with hardware tokens, biometrics, or one-time codes delivered through secure channels, which improves both security and user convenience.

Enforce Strong Password Policies

Implement policies that enforce a mandatory minimum password length and complexity requirements. Require regular password changes and prevent the reuse of previous passwords. In addition, set up account lockout policies that trigger after several failed login attempts to restrict brute-force attacks.
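The following is an added example (not code from the original post or from Akto) showing what the two controls in this section look like in code: a password policy check covering minimum length, complexity, a known-breached list and password history, and a per-account lockout that triggers after several failed attempts within a window. The breached-password set, the SHA-256 history hashing and all names are assumptions made for the example.

```python
import hashlib
import re

# Constructed, hypothetical list of passwords known to appear in breaches.
# A real deployment would consult a breach corpus; this set is not from the page.
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def history_entry(password):
    """Hash a password the way the history check expects (assumption: SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password_policy(password, previous_hashes=(), min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in KNOWN_BREACHED:
        problems.append("appears in a known-breached password list")
    # History check: SHA-256 keeps the example short; a real system would verify the
    # candidate against the stored slow hashes (bcrypt/argon2) of the old passwords.
    if history_entry(password) in set(previous_hashes):
        problems.append("reused from password history")
    return problems


class LoginThrottle:
    """Per-account lockout: max_failures within window_seconds locks the account."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # username -> timestamps of recent failed attempts
        self._locked_until = {}  # username -> epoch seconds until which it is locked

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Drop failures that fell out of the sliding window before counting.
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        return False

    def record_success(self, user, now):
        """A successful login while not locked clears the failure history."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True


if __name__ == "__main__":
    print(check_password_policy("Password"))
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=300)
    for t in (0, 10, 20):
        print("locked after failure at", t, "->", throttle.record_failure("alice", t))
```

Timestamps are passed in explicitly so the logic is testable without a clock. One design caveat a practitioner should plan for: a per-account lockout alone lets anyone who knows a username lock that user out, so it is normally paired with per-IP throttling and short or backoff-style lockouts rather than long fixed ones.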

Continuously Monitor to Identify Suspicious Activity

Continuous monitoring is important for detecting and responding to credential stuffing attacks quickly. Establish a system to record and analyze login attempts, user behavior and account activity. Set up alerts for unusual activity, and regularly review logs and audit trails to detect potential security problems.
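As an added illustration of the monitoring described above (example code, not the post's or Akto's own), here is a small detector run over a constructed authentication log. It flags the two signatures this article describes: one source IP failing against many different accounts (bulk testing of a credential list) and one account being hit from many IPs (attempts spread across addresses to evade per-IP limits), and it lists accounts that logged in successfully in the middle of such activity, which is where an incident responder should look first. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data). Assumed format:
# "<timestamp> <client IP> <username> <OK|FAIL>", one login attempt per line.
SAMPLE_LOG = """\
2025-05-14T10:00:01Z 203.0.113.10 alice FAIL
2025-05-14T10:00:02Z 203.0.113.10 bob FAIL
2025-05-14T10:00:02Z 203.0.113.10 carol FAIL
2025-05-14T10:00:03Z 203.0.113.10 dave OK
2025-05-14T10:00:03Z 203.0.113.10 erin FAIL
2025-05-14T10:00:04Z 203.0.113.10 frank FAIL
2025-05-14T10:00:05Z 198.51.100.7 alice FAIL
2025-05-14T10:00:06Z 198.51.100.8 alice FAIL
2025-05-14T10:00:07Z 198.51.100.9 alice FAIL
2025-05-14T10:00:08Z 198.51.100.10 alice FAIL
2025-05-14T10:00:09Z 198.51.100.11 alice OK
2025-05-14T10:00:10Z 192.0.2.44 grace FAIL
2025-05-14T10:00:15Z 192.0.2.44 grace OK
"""


def parse_log(text):
    """Turn the log text into a list of attempt records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def detect_credential_stuffing(log_text, min_users_per_ip=5, min_fail_ratio=0.7,
                               min_ips_per_user=4):
    """Flag IPs spraying many accounts, accounts hit from many IPs, and successes amid either."""
    events = parse_log(log_text)
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)

    # Signature 1: one IP, many distinct usernames, mostly failures.
    flagged_ips = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        ratio = fails / len(evs)
        if len(users) >= min_users_per_ip and ratio >= min_fail_ratio:
            flagged_ips[ip] = {"distinct_users": len(users), "fail_ratio": round(ratio, 2)}

    # Signature 2: one account, failures arriving from many distinct IPs.
    flagged_users = {}
    for user, evs in by_user.items():
        failing_ips = {e["ip"] for e in evs if not e["ok"]}
        if len(failing_ips) >= min_ips_per_user:
            flagged_users[user] = {"distinct_failing_ips": len(failing_ips)}

    # Successful logins from a flagged IP or on a flagged account: review these first.
    possibly_compromised = {
        e["user"] for e in events
        if e["ok"] and (e["ip"] in flagged_ips or e["user"] in flagged_users)
    }
    return {"ips": flagged_ips, "accounts": flagged_users,
            "possibly_compromised": possibly_compromised}


if __name__ == "__main__":
    for key, value in detect_credential_stuffing(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, grace's single failed attempt followed by a success from the same IP is the ordinary user who mistyped a password, and it is not flagged; the thresholds would be tuned to a site's normal failure rate, and in production the analysis runs over a sliding time window rather than a whole file.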

Promote Credential Hygiene Among Employees and Users

Encourage users to create strong, unique passwords for each account, with a mix of uppercase and lowercase letters, numbers and special characters. Regularly updating passwords and using password managers also improve security for users.

Apply Multi-Factor Authentication (MFA)

MFA adds a layer of security by asking users for additional verification, such as a unique code, a physical device or biometric data, which makes unauthorized access much harder even if credentials are compromised.
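To make the "unique code" factor concrete, here is an added example (not from the original post or from Akto) of how a server generates and checks time-based one-time codes using the HMAC-SHA1 construction of RFC 4226 (HOTP) and RFC 6238 (TOTP). Stolen credentials alone cannot produce a valid code because it is derived from a secret that never leaves the user's authenticator and the server. The verifier tolerates one step of clock drift and rejects replay of an already-used code. The secret used below is the RFC's published test key, not a real one; the class and function names are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24)
              | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8)
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code with drift tolerance and replay protection."""

    def __init__(self, key, step=30, digits=6, window=1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window      # accept codes from +/- this many time steps
        self.last_counter = -1    # highest counter already consumed by a valid login

    def verify(self, code, at_time):
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue          # a code for this step was already used: reject replay
            expected = hotp(self.key, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = c
                return True
        return False


# The RFC 6238 reference test secret (published in the RFC; not a production secret).
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_TEST_KEY, 59))
    verifier = TotpVerifier(RFC_TEST_KEY)
    print("accepted:", verifier.verify(totp(RFC_TEST_KEY, 59), 59))
    print("replay accepted:", verifier.verify(totp(RFC_TEST_KEY, 59), 60))
```

Two details matter in deployment: per-user secrets must be generated from a cryptographically secure random source and stored as carefully as password hashes, and the verification endpoint itself should be rate limited, since a six-digit code can be guessed given enough attempts.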

Implement Web Application Firewalls (WAFs)

WAFs help protect against various threats by blocking suspicious login attempts and monitoring for behavior typical of credential stuffing. Regularly updating and monitoring your WAF keeps it effective against new threats.

Incorporate Single Sign-On (SSO)

SSO lets users authenticate once and access multiple applications securely without logging in repeatedly. This practice not only simplifies user access but also reduces the risk of credential theft.

Conduct Training for Employees to Identify Suspicious Sites

Provide training to help employees identify phishing emails and suspicious websites. Train them to verify website authenticity, for example by checking for HTTPS in URLs, and to report any suspicious activity promptly.

Credential Stuffing Attack vs Brute Force Attack

Credential stuffing and brute force attacks might look similar, as both aim to crack passwords and gain unauthorized access to user accounts. Looked at in detail, however, they differ in their techniques and in the type of data they exploit. Here are some of the differences between the two:

| Aspect | Credential Stuffing Attack | Brute Force Attack |
|---|---|---|
| Definition | Uses stolen username-password combinations from data breaches to gain unauthorized access across multiple platforms. | Tries all possible password combinations to find the right one for a specific user account. |
| Primary Method | Automated testing of known credentials across multiple websites. | Extensive trial-and-error to identify passwords without any prior knowledge. |
| Data Reliability | Depends on leaked credentials from previous breaches. | Operates independently by guessing passwords; does not require prior data. |
| Automation Level | Uses automated bots to test large numbers of credentials at high speed. | Limited automation because of the complexity and length of password combinations. |
| Success Rate | Low success per attempt (approximately 0.1% to 3%) but high overall success because of volume and password reuse. | Varies; lower for complex passwords and slightly higher for commonly used passwords. |
| Target Accounts | Many accounts across different websites or platforms that use the same credentials. | Mainly a single account, by trying different password combinations. |
| Detection Difficulty | Very challenging to detect because valid credentials are used and the attack pattern is distributed. | Comparatively easy to detect through multiple failed login attempts and unusual login patterns. |
| Commonly Used Tools | Automated bots and scripts that work through stolen credential lists. | Password cracking software that produces various password combinations. |

Final Thoughts

By implementing appropriate security measures and understanding the distinctions between credential stuffing and similar attacks, security teams can improve their defenses against unauthorized access attempts.

Protect your APIs from credential stuffing and brute force attacks with Akto’s all-inclusive API security platform. Akto offers over 400 built-in case studies that effectively target threats and vulnerabilities like credential stuffing, CAPTCHA bypass, user enumeration and session management flaws. Its continuous monitoring and automated token handling ensure authentication flows are properly and rigorously tested, which significantly improves APIs' resilience against unauthorized access.

Book a demo today to see Akto in action and learn about more features!
