In today's digital era, organizations carry the critical duty of defending their digital assets and user data against the rising tide of cyber threats. A key part of this responsibility is addressing the issue of user credentials reuse. Despite widespread advice to use unique passwords for each account, convenience leads most users to recycle their usernames and passwords across various services. 

This habit exposes systems to the risk of credential stuffing attacks, in which cybercriminals exploit these reused credentials to secure unauthorized access. Grasping the nuances of credential stuffing and establishing strong security practices is vital, so let’s see how you can do that.

What is credential stuffing?

Credential stuffing is a type of cyberattack where adversaries use previously breached credentials to gain unauthorized access to accounts across various services. These attacks are based on the premise that people tend to reuse usernames and passwords across online accounts. 

In a credential stuffing attack, cybercriminals use automated bots to systematically attempt logins with the stolen credentials on a wide range of websites. These automated attempts are made en masse, targeting many accounts across numerous sites in the hope that some of the login attempts will be successful.

If a credential stuffing attack is successful, the attacker can either sell the account access to another party or use it to carry out account takeover. According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have a success rate of up to 2% on major websites.

Credential stuffing vs. brute force attacks

Credential stuffing is a subset of brute force attacks. While both these attacks follow some common themes, they have several noteworthy differences.

While credential stuffing attacks use stolen passwords to attempt logins, brute force attacks try to guess passwords by using dictionaries of common phrases or popular “boilerplate” passwords like Qwerty, 123abc, and Password. 

The way bots are programmed in credential stuffing and brute force attacks also differs. While credential stuffing bots are programmed to try the same username-password combination across a variety of sites, brute force bots are programmed to try multiple username-password combinations on the same site.

Brute force attacks can be prevented by requiring users to have strong passwords, limiting the number of failed login attempts on a web property, or using CAPTCHA. Credential stuffing is not that easily prevented, unless the user has strong and unique passwords for every online account.

Despite the above differences, the big commonality between credential stuffing and brute force attacks is that they both exploit the inherent weakness of passwords as an authentication method. While brute force attacks are based on the premise that people use common phrases and strings as passwords, credential stuffing relies on the assumption that people reuse passwords across accounts.

Credential stuffing vs credential harvesting

While both credential stuffing and credential harvesting are designed to compromise user accounts, they represent different stages in the cycle of cybercrime. Credential stuffing leverages existing compromised data for unauthorized access across multiple platforms, whereas credential harvesting focuses on the initial acquisition of user credentials through deceitful means. 

As the name suggests, credential harvesting’s goal is to collect username and password combinations directly from users through deceptive means. This technique often involves phishing, like sending emails that appear to be from reputable sources asking for sensitive information, creating fake websites that mimic legitimate ones to trick users into entering their login details, or distributing malware that captures keystrokes. 

The purpose of credential harvesting is to amass as many valid credentials as possible, which can later be used in credential stuffing attacks, sold on the dark web, or leveraged to gain direct unauthorized access to systems and data.

How credential stuffing works

Here’s how a typical credential stuffing attack looks in practice:

Fig: How credential stuffing works

  • Attackers get hold of stolen usernames and passwords. Sadly, this is a relatively trivial exercise given the billions of leaked passwords present on the dark web and the continued success of phishing. 

  • Attackers feed the stolen username-password combinations into a botnet, which is a network of Internet-connected devices controlled by the attacker. Botnets and automation magnify the scale and impact of credential stuffing.

  • The botnets simultaneously attempt to “stuff” stolen credentials on multiple website login forms in parallel. 

  • If a login attempt is successful, attackers usually extract personally identifiable information, credit card details, and anything else that can be used for personal gain or follow-on compromise.

A successful credential stuffing attack presents many downstream opportunities for the attacker. 

  • They can sell the stolen (and validated) login credentials online, with streaming and entertainment services being common victims. 

  • They can enact e-commerce fraud by using saved payment details to complete high-value transactions, either for personal use or reselling. 

  • They can change the password and other settings to essentially steal the user’s online identity by locking them out of their account.

  • If account takeover is successful, the attacker can use the victim’s account as a vector to carry out new scams. For example, this Facebook scam involved attackers asking for money by masquerading as the victim’s friend stranded in another country.

  • If the attacker gains access to a victim’s work account, they can get access to all manner of sensitive and confidential information which can be sold to the highest bidder or used to hold the company ransom. People often reuse passwords across personal and work accounts, making this a non-zero possibility.

Learn more: Broken Authentication 101

Why credential stuffing is on the rise 

Credential stuffing is not a new phenomenon, but these attacks have grown rapidly over recent years. Research shows that on average one in five login attempts come from credential stuffing bots. 

A variety of market, technological, and societal factors have led to the continued growth of credential stuffing attacks:

  • The fallibility of passwords: Even though users know it’s not best practice, they tend to reuse passwords across multiple accounts. This, combined with the fact that email addresses often double up as usernames, increases the chances of a victim’s stolen credentials for one website being successfully used to access other websites. Passwords being a form of knowledge-based authentication (i.e. something the user knows) inherently drives behaviors that lead to poor security hygiene.  

  • Botnets: Today’s sophisticated botnets make credential stuffing more scalable and harder to detect. Bots can obfuscate or spoof their IP address to circumvent any security blocklists. They are also usually programmed to attempt login on a web application only once, allowing them to bypass any lockouts owing to repeated failed login attempts.

  • Low cost: The barrier to entry for procuring credentials and launching credential stuffing attacks is worryingly low. The prevalence of leaked passwords and stuffing tools means that attackers just need a few hundred dollars and some patience to strike digital gold.

  • Work and life digitalization: The rapid rise of remote work, social media and the digitalization of almost every aspect of our lives (there’s literally an app for everything) has led everyone to expand their digital presence. Every new online account means another set of access credentials, which further expands the attack surface available to perpetrators of credential stuffing.
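The bullet above notes that stuffing bots typically try each account only once, which is exactly the signal a defender can look for: one source trying many distinct usernames, about one attempt each, with a high failure rate (a brute force source looks the opposite, one username hit many times). The following is an added example, not code from the original post or from Descope; the log format and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
# 203.0.113.7 shows the stuffing pattern (many users, one try each);
# 198.51.100.4 shows a brute-force pattern (one user, repeated tries).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com OK
2024-03-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:00:09Z 198.51.100.4 alice@example.com FAIL
2024-03-01T10:00:15Z 198.51.100.4 alice@example.com FAIL
2024-03-01T10:00:21Z 198.51.100.4 alice@example.com OK
2024-03-01T10:01:00Z 192.0.2.9 bob@example.com OK
"""

def parse_events(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def score_sources(events, min_users=5, max_attempts_per_user=1.5, max_success_rate=0.3):
    """Return {ip: stats} for sources matching the stuffing pattern:
    many distinct usernames, roughly one attempt each, mostly failures.
    Thresholds are assumed values; tune them to your own traffic."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        if distinct < min_users:
            continue  # too few accounts touched to look like stuffing
        attempts_per_user = s["attempts"] / distinct
        success_rate = s["successes"] / s["attempts"]
        if attempts_per_user <= max_attempts_per_user and success_rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": distinct,
                           "successes": s["successes"]}
    return flagged

def stuffing_sources(text=SAMPLE_LOG):
    return score_sources(parse_events(text))
```

Note that the flagged source still had one successful login; that account is the one to step up or force a password reset on, since a low success rate is expected for stuffing.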

Credential stuffing risks and impact

Credential stuffing brings a range of concerns for businesses, touching on operational, legal, financial, and reputational aspects. Let’s explore some of the risks and outcomes of these attacks:

Risks

  • Data breaches: Credential stuffing opens a door to unauthorized access, leading to possible data breaches. This exposes sensitive user and business information, sparking a range of issues for both.

  • Account takeover (ATO): Attackers can hijack user accounts, an act that’s particularly harmful for accounts with special access, leaving critical system areas vulnerable.

  • System downtime: A high volume of login attempts can tax system resources, causing slowdowns or downtime. This affects user experience and disrupts operations.

Consequences of successful attacks

  • Data breaches and privacy concerns: A successful attack often leads to data breaches, endangering user privacy and pushing companies into legal troubles, especially under strict data protection laws.

  • Loss of customer trust: Trust is crucial online. Breaches tarnish a brand’s reputation, deterring customer engagement and fostering user turnover.

  • Legal and compliance issues: Failing to protect user data can breach regulations like GDPR or CCPA, attracting fines, legal challenges, and mandated actions.

  • Financial impact: The financial toll includes direct losses from fraud, increased security costs, legal expenses, and potential revenue drop from losing customers and harming the brand’s image. These impacts hit small to medium businesses particularly hard.

How to prevent credential stuffing

Theoretically, full credential stuffing prevention is possible if people use unique passwords for each of their accounts. However, the average person has 100 passwords to remember, making password reuse the most convenient (albeit unsafe) option. 

Password managers are another option. Although one in five Americans use them, attackers just need access to one set of stolen credentials to negate the security they provide. There’s also the real fear of forgetting the master password (or having it stolen), which would give attackers access to all the victim’s login data.

However, there are some measures organizations can follow to ensure that attackers cannot use stolen credentials to impersonate their users.

Passwordless authentication

Using passwordless authentication can prevent credential stuffing at the source – if there are no passwords to steal or try on login forms, attackers will move on to their next target. Passwordless authentication verifies users with something they have (a device or security key) or something they are (biometrics) rather than something they know.

Passwordless authentication also improves the login experience for users and reduces overhead for organizations dealing with password storage and management as well as password reset processes. 

Multi-factor authentication

For organizations not yet ready to move away from passwords altogether, implementing multi-factor authentication (MFA) is an effective way to contain the impact of credential stuffing attacks. MFA enforces an additional factor after the username-password combination has been entered. Whether this is a one-time password sent via SMS or email, or a biometric check with a fingerprint, the attacker will not have access to any of them.

While MFA prevents the attacker from gaining access to the user’s account, it does not prevent the attacker from knowing that the username-password combination was successful.

Password hashing

Organizations can use password hashing, which turns the password into a scrambled representation, before storing it in their databases. This will not prevent password hashes from being stolen (or even cracked), but it will increase the time window users have to change passwords on other accounts once a set of credentials has been stolen.

ReCAPTCHA

ReCAPTCHAs work by presenting puzzles or challenges that are easy for humans to solve but difficult for the stuffing bots to interpret. Integrating reCAPTCHA can prevent bots from submitting automated login requests, making it harder for attackers to execute large-scale credential stuffing attacks.

Breached password monitoring 

Organizations can check entered credentials against databases of compromised credentials like Have I Been Pwned to identify and stop credential stuffing in progress. If entered login details match credentials that have been breached, organizations can inform the user, ask them to change their password, or enact step-up authentication by requesting additional factors.
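The Have I Been Pwned "Pwned Passwords" check described above can be done without ever sending the password (or its full hash) to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and searches the returned range locally for the remaining suffix. The code below is an added example, not code from the original post or from Descope; the range response is a constructed sample, and the breach count in it is made up.

```python
import hashlib

def sha1_hex_upper(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix leaves the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Search a 'SUFFIX:COUNT' range listing for our suffix; 0 if absent.
    Padded responses may contain count-0 filler rows, which is handled."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.strip():
            return int(count)
    return 0

def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus.
    fetch_range(prefix) must return the text body for that prefix."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(suffix, fetch_range(prefix))

def fetch_range_online(prefix: str) -> str:
    """Real lookup against the k-anonymity endpoint (not used in the test)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample range for prefix 5BAA6 (the prefix of SHA-1("password")).
# The count 12345 is made up; padding rows with count 0 are included.
MOCK_RANGES = {
    "5BAA6": "0000ABCDEF0123456789ABCDEF0123456789AB:0\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "FFFF0123456789ABCDEF0123456789ABCDEF01:0\n",
}

def mock_fetch(prefix: str) -> str:
    return MOCK_RANGES.get(prefix, "")

def login_decision(password: str, fetch_range=mock_fetch) -> str:
    """Policy from the text: breached password -> step-up auth and reset prompt."""
    return "step_up_and_reset" if breach_count(password, fetch_range) > 0 else "allow"
```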

Fig: Example of an organization informing users about breached passwords

Prevent credential stuffing with Descope

Protecting applications from the widespread risk of credential stuffing is essential. It’s up to developers and product owners to undertake critical defensive actions by either setting up protection systems in-house or using third-party solutions geared towards prevention and mitigation.

Descope can help. Our drag-and-drop customer authentication platform helps organizations easily add signup, login, MFA, bot protection, and any other user journey interaction to their apps.

Hundreds of customers use Descope to go passwordless, thereby completely eliminating credential stuffing since there are no credentials to stuff. Our platform also makes adding strong MFA straightforward, adding an extra layer of protection to stop stuffing attacks in progress. Descope also has a strong integration with reCAPTCHA, helping developers add strong bot prevention controls to their auth flows by dropping in reCAPTCHA actions directly into user journey flows.

If you have a password-based auth system, Descope offers several capabilities to improve security levels without impacting UX. 

  • Our connector with Have I Been Pwned identifies user-submitted passwords that have been leaked in past breaches.

  • Configurable security requirements including password length and complexity help customers align their password flow with their app’s security needs.

  • Visual error handling and password reset processes greatly simplify the operational parts of strengthening a password-based flow’s security controls. 

Fig: Use Have I Been Pwned in your Descope Flows

Sign up for a Free Forever account with Descope to start your journey towards credential stuffing prevention. Have questions about our platform? Book time with our auth experts.