What is Credential Stuffing?



Credential stuffing is a growing cybersecurity threat that targets the way people reuse passwords across different websites. 

In these attacks, criminals take lists of stolen usernames and passwords from one data breach and try them on other online services in bulk. 

This automated process aims to find any accounts where users have reused their login details. 

Even though each attempt has a low chance of success, the enormous number of leaked credentials available means attackers can still hijack thousands of accounts overall.

What is Credential Stuffing?


Credential stuffing is a type of cyberattack where attackers use stolen login credentials from one company or service and attempt to log in to another, unrelated service with those same details. 

In simpler terms, hackers ‘stuff’ a website’s login form with username/password pairs that were obtained from past data breaches. 

The goal is to gain unauthorised access to user accounts by exploiting the fact that many people reuse the same passwords on multiple sites. 

Unlike techniques that try to guess passwords, credential stuffing relies on known valid combinations. 

Attackers acquire large databases of compromised credentials and use automated tools to test them on different websites. 

If a user has reused their email or username and password on another platform, the attacker might get in. 

This attack has become widespread because massive lists of leaked passwords are readily available online. 

This is why credential stuffing remains a serious threat.

How Credential Stuffing Works


An attacker uses credentials from one breached site to try logging in on multiple other websites, hoping some users reused their passwords. 

Credential stuffing attacks generally follow a predictable pattern. 

First, the attacker obtains a large collection of login credentials. 

This is often from a recent data breach, leaked database, or purchased on dark web forums. 

These lists can contain millions or even billions of username/password pairs gathered from many incidents over time. 

Next, the attacker loads these credentials into an automated tool or botnet designed for bulk login attempts. 

The tool might use scripts or dedicated software to rapidly try each stolen username and password on the target website’s login form.

Multiple IPs & Bots

Sophisticated attackers distribute the login attempts across many IP addresses or devices to avoid easy detection. 

They may also program the bots to mimic normal user behaviour, for example by inserting small delays or using varied browser identifiers, so that the login traffic doesn’t look obviously malicious. 

The attacker will then let the automated login attempts run. 

The vast majority of logins will fail because most stolen credentials won’t match accounts on the target system.

However, even a tiny success rate can be lucrative. 

Statistics put the success rate of credential stuffing at around 0.1% to 2%.

That means if an attacker tries a million stolen logins, hundreds or a few thousand could work.

This would grant them access to those user accounts. 

Once a valid username and password combination is found for a site, the attacker typically records it as a ‘hit’. 

They can then exploit these compromised accounts in various ways. 

For instance, they might take over the account to steal money or data, perform fraudulent transactions, or abuse any saved payment details.

Selling Data

In many cases, attackers will also bundle and sell these working login credentials to other criminals, since a username and password that is known to unlock an account on one service is a valuable commodity in the underground market. 

Several factors make credential stuffing effective. 

Chiefly, it exploits poor password habits. 

The attack only works because so many users reuse passwords or choose weak ones. 

Also, the sheer scale of available stolen credentials means attackers have an almost endless supply of accounts to try.

Automated tools enable them to test credentials against a large number of websites in a short time. 

Additionally, basic cybersecurity measures like IP blocking or account lockouts might not trigger during credential stuffing.

This is because the attacker typically uses each credential set only once (one attempt per account) and often spoofs or rotates IP addresses. 

All of this allows the attacker to fly under the radar of simple defences while systematically checking for matches.

Famous Examples of Credential Stuffing

Credential stuffing has impacted a wide range of companies and online platforms in recent years. 

Deliveroo

One notable example occurred in 2019 with Deliveroo, a food delivery service. 

Attackers used stolen credentials to log in to Deliveroo customer accounts and placed fraudulent orders.

This caused some customers to be charged for meals they never actually ordered.

PayPal

Financial services have also been targeted. 

In late 2022, PayPal announced that about 35,000 user accounts were accessed by unauthorised parties in a credential stuffing attack. 

The hackers had obtained login details from elsewhere and were able to log in to PayPal accounts because those customers reused the same passwords. 

Fortunately, PayPal reported no fraudulent transactions, but they did have to reset all affected passwords and notify users.

HSBC

HSBC, one of the world’s largest banks, revealed a major credential stuffing incident that put many clients’ financial information at risk.

Norton LifeLock

Even companies entrusted with security have fallen victim. 

In 2023, Norton LifeLock, a provider of identity protection services, had about 925,000 customer accounts targeted in a credential stuffing attack. 

Attackers attempted logins using lists of leaked credentials.

Even though Norton’s own systems weren’t breached directly, they had to alert customers that their accounts might be at risk due to credential reuse.

23andMe

Another high-profile case in 2023 was 23andMe, a genetic testing company. 

Attackers used credential stuffing to access around 1 million lines of customer data from 23andMe user accounts. 

This exposed sensitive personal information and demonstrated that even DNA and health-related services are not immune to such attacks.

How to Detect Credential Stuffing


Detecting credential stuffing can be challenging because the attack attempts are designed to blend in with normal user login activity. 

Unlike a traditional brute-force attack that might trigger obvious red flags, credential stuffing often uses a ‘low-and-slow’ approach distributed across many accounts and devices.

However, there are still tell-tale signs and defensive techniques that organisations can use to identify these attacks. 

Traffic Surges

One major indicator is a surge in overall login traffic or an unusual pattern of failed logins. 

If you see a spike in login attempts system-wide, it could signal a credential stuffing bot running through credential lists. 

These attempts might be spread out over many user accounts to avoid triggering account lockouts, but the overall volume will be much higher than normal.

Unusual Login Patterns

Monitoring for unusual login patterns is key. 

This includes watching for multiple login attempts to many different accounts from the same device or network, or logins for a single account coming from many different geographical locations in a short time. 

Such anomalies can reveal that automation is at play rather than genuine users.

Account Lockouts

Another clue can be an increase in customer account lockouts or password reset requests. 

If many users suddenly get locked out because wrong passwords were tried, it might be due to attackers testing passwords. 

Similarly, if you use an identity protection service, you might get alerts of compromised passwords being used.

Bot Detection Techniques

Some advanced attacks try to avoid even these signs by using each credential pair only once.

This makes detection harder. 

In those cases, organisations rely on more advanced bot detection techniques. 

IT security systems can employ device fingerprinting and IP reputation analysis to pick up on subtler signals, for instance detecting whether a supposedly different user login is actually coming from a known malicious source, or whether the typing speed and pattern of form submission are unnaturally fast and uniform across attempts.

Web Application Firewalls (WAFs)

Web application firewalls (WAFs) and specialised bot management services can correlate activity across many accounts.

They can recognise when a credential stuffing campaign is underway, for example by identifying scripts that try to mimic real users but show slight inconsistencies, or by matching known signatures of attack tools.
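The detection signals described above (a surge in failed logins, many accounts tried from one source, one account logging in from several regions, and the per-account lockout that never fires when each account is tried only once) can be checked from an ordinary authentication log. The following is an added example written for this article, not code from the original page; the log lines are constructed, and the thresholds (5 accounts per source per minute, 2 regions per account in 5 minutes, 3 failures for a lockout) are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article). Fields:
# timestamp, source IP, account, outcome, coarse geolocation of the source.
# 203.0.113.7 plays the stuffing bot: one password guess per account, so no
# single account ever reaches a lockout threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.4 alice OK GB
2024-05-01T10:00:05Z 203.0.113.7 alice FAIL US
2024-05-01T10:00:06Z 203.0.113.7 bob FAIL US
2024-05-01T10:00:07Z 203.0.113.7 carol FAIL US
2024-05-01T10:00:08Z 203.0.113.7 dave FAIL US
2024-05-01T10:00:09Z 203.0.113.7 erin OK US
2024-05-01T10:00:10Z 203.0.113.7 frank FAIL US
2024-05-01T10:00:20Z 198.51.100.9 bob OK GB
2024-05-01T10:00:30Z 192.0.2.11 erin OK BR
2024-05-01T10:01:10Z 198.51.100.4 alice FAIL GB
"""


def parse_log(text):
    """Turn the space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome, geo = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "account": account,
            "ok": outcome == "OK", "geo": geo,
        })
    return events


def failure_ratio(events):
    """Share of failed logins across all traffic; a jump above the usual baseline is the surge signal."""
    if not events:
        return 0.0
    return sum(not e["ok"] for e in events) / len(events)


def distinct_within_window(events, key_field, value_field, window_s, min_distinct):
    """Group events by key_field and report keys whose events, inside some sliding
    window of window_s seconds, carry at least min_distinct different value_field values."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key_field]].append((e["ts"], e[value_field]))
    flagged = {}
    window = timedelta(seconds=window_s)
    for key, items in by_key.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1  # slide the window start forward
            values = {v for _, v in items[lo:hi + 1]}
            if len(values) >= min_distinct:
                flagged.setdefault(key, set()).update(values)
    return flagged


def max_per_window(events, key_field, window_s):
    """Highest number of events seen for each key inside any window_s-second sliding window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key_field]].append(e["ts"])
    window = timedelta(seconds=window_s)
    peaks = {}
    for key, times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            peaks[key] = max(peaks.get(key, 0), hi - lo + 1)
    return peaks


def detect(text, window_s=60):
    """Run all four checks over a log and return the findings."""
    events = parse_log(text)
    failures = [e for e in events if not e["ok"]]
    successes = [e for e in events if e["ok"]]
    return {
        "failure_ratio": failure_ratio(events),
        # Many distinct accounts from one source: the signal that survives one-attempt-per-account stuffing.
        "spraying_sources": distinct_within_window(events, "src", "account", window_s, 5),
        # One account successfully logged in from two regions within five minutes.
        "multi_geo_accounts": distinct_within_window(successes, "account", "geo", 300, 2),
        # Classic per-account lockout logic (3 failures in the window); stays empty for the bot above.
        "lockout_candidates": {a: n for a, n in max_per_window(failures, "account", window_s).items() if n >= 3},
    }


if __name__ == "__main__":
    for name, finding in detect(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The point of running the checks side by side is visible in the output: the lockout check finds nothing, because the bot touched each account once, while the per-source correlation flags 203.0.113.7 with six accounts in five seconds and the geo check flags erin's account, whose password the bot got right.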

How to Prevent Credential Stuffing


Preventing credential stuffing requires action on two fronts: individual user practices and organisational security measures. 

Different Passwords

At the user level, the most effective defence is to avoid password reuse entirely. 

If every account has a unique password, a leaked password from one site cannot be used to break into another. 

Users are encouraged to use unique passwords for each service.

A password manager can help generate and remember complex passwords so you don’t have to reuse them.

Multi-Factor Authentication

Enabling multi-factor authentication (MFA) on accounts wherever possible is a critical safeguard. 

MFA means that even if attackers have the correct password, they still cannot log in without the second factor. 

This step prevents the vast majority of credential stuffing attempts from succeeding, because the stolen password alone is insufficient to access the account.
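To make the "password alone is insufficient" point concrete, here is an added example (not code from the original article) of a login flow that requires a time-based one-time password (TOTP, RFC 6238) after the password check. The user record, salt and password are constructed for the example; the TOTP secret is the RFC 6238 test vector, used only so the codes can be checked against the published values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current code and one step either side to tolerate clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code) for k in range(-skew, skew + 1))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed user record (not from the article): PBKDF2 password hash plus a TOTP secret.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret, used here for illustration only
    }
}


def login(username: str, password: str, otp, at_time: int) -> str:
    """Returns 'ok', 'bad_credentials', 'mfa_required' or 'bad_otp'."""
    user = USERS.get(username)
    if user is None:
        return "bad_credentials"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad_credentials"
    # A correct but reused password gets no further than this point without the second factor.
    if otp is None:
        return "mfa_required"
    if not verify_totp(user["totp_secret"], otp, at_time):
        return "bad_otp"
    return "ok"


if __name__ == "__main__":
    now = 59
    print(login("alice", "correct horse battery staple", None, now))              # mfa_required
    print(login("alice", "correct horse battery staple", totp(USERS["alice"]["totp_secret"], now), now))  # ok
```

Two details matter for the credential stuffing case: the password check and the OTP check both use constant-time comparison, and the response for a valid password without an OTP is a distinct "mfa_required" state, so the server can count those events and treat a flood of them as evidence that stuffed passwords are landing even though no account is being taken over.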

Rate Limiting and CAPTCHA

For organisations, completely stopping credential stuffing is challenging because the breach of credentials typically happens elsewhere. 

However, there are several measures that significantly reduce the risk. 

One approach is to implement rate limiting and CAPTCHA challenges on login attempts. 

By limiting the number of login tries allowed per IP address or per minute, and using CAPTCHAs to verify real human users, companies can slow down or disrupt automated login tools. 

This may inconvenience legitimate users slightly, but it helps keep automated bots at bay.
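The rate limiting and CAPTCHA escalation just described can be implemented as a sliding-window counter per client IP that first allows, then challenges, then blocks. The following is an added example written for this article, not code from the original page; the window of 60 seconds and the limits of 5 (challenge) and 10 (block) attempts are assumptions to tune against real login traffic.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window login limiter keyed on client IP address.

    Decision for an attempt, given how many attempts that IP made in the last
    window_s seconds (the new attempt included):
        up to soft_limit            -> "allow"   (check the password as normal)
        soft_limit+1 .. hard_limit  -> "captcha" (require a challenge first)
        beyond hard_limit           -> "block"   (drop the attempt outright)
    The thresholds are assumptions for the example; tune them to real traffic.
    """

    def __init__(self, window_s=60, soft_limit=5, hard_limit=10):
        self.window_s = window_s
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def decide(self, ip, now):
        """Record an attempt at time `now` (seconds) and return the decision for it."""
        recent = self._attempts[ip]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()  # forget attempts that fell out of the window
        recent.append(now)    # blocked attempts still count, so a burst cannot reset itself
        n = len(recent)
        if n <= self.soft_limit:
            return "allow"
        if n <= self.hard_limit:
            return "captcha"
        return "block"


def gate_login(limiter, ip, captcha_solved, now):
    """Apply the limiter before any password check is done.

    Returns "proceed" when the password may be verified, "captcha_required" when
    the client must solve a challenge first, and "blocked" when the attempt is dropped.
    Because the limiter runs first, a blocked attempt never reaches the credential
    store, so it yields no information about whether the password was right.
    """
    decision = limiter.decide(ip, now)
    if decision == "block":
        return "blocked"
    if decision == "captcha" and not captcha_solved:
        return "captcha_required"
    return "proceed"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    # Constructed burst: 12 attempts in 12 seconds from one address.
    for t in range(12):
        print(t, gate_login(limiter, "203.0.113.7", captcha_solved=False, now=t))
```

A per-IP limit is deliberately only one layer: an attacker who rotates addresses stays under the soft limit on each one, which is why it belongs alongside cross-account correlation and bot detection rather than replacing them.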

Databases of Leaked Credentials

Some services also check passwords against databases of known leaked credentials at the time of account creation or password change.

If a user attempts to use a password that has appeared in a public breach, the system can warn them or forbid its use. 

This prevents users from securing their account with a password that hackers might already have.
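A check against known leaked passwords can be done without ever sending the password, or even its full hash, to the lookup service: the client hashes locally, sends only the first five hex characters of the SHA-1 hash, and matches the rest of the hash against the returned candidates itself. This is the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API; the example below, added for this article and not code from the original page, implements both sides of that exchange against a constructed in-memory breach list with made-up counts.

```python
import hashlib

# Constructed stand-in for a breach corpus (not real data): SHA-1 of each leaked
# password, upper-case hex, mapped to a made-up number of breach appearances.
_CONSTRUCTED_BREACHED = {
    hashlib.sha1(b"password").hexdigest().upper(): 3_000_000,
    hashlib.sha1(b"123456").hexdigest().upper(): 5_000_000,
    hashlib.sha1(b"qwerty").hexdigest().upper(): 800_000,
    hashlib.sha1(b"passwordpassword").hexdigest().upper(): 12_000,
}


def range_lookup(prefix: str):
    """Server side of the range query: given the first 5 hex characters of a SHA-1
    hash, return every breached hash with that prefix as 'SUFFIX:COUNT' lines.
    The server learns only the prefix, never the full hash or the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return [f"{h[5:]}:{n}" for h, n in _CONSTRUCTED_BREACHED.items() if h.startswith(prefix)]


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, lookup=range_lookup) -> str:
    """Policy applied at sign-up or password change: refuse anything seen in a breach."""
    n = breach_count(password, lookup)
    if n:
        return f"rejected: seen in {n} breach records"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["password", "passwordpassword", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_password(candidate)}")
```

The `lookup` parameter is what a real deployment would replace with an HTTP call to the range endpoint; keeping it injectable means the policy can be tested offline, as above, and the only data leaving the client in production is the 5-character prefix.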

Bot Detection and Blocking

A key protective measure is robust bot detection and blocking. 

Modern bot management solutions use a combination of techniques like IP reputation (knowing which IPs are associated with malicious activity). 

They can also do behavioural analysis and machine learning to distinguish automated login attempts from genuine users. 

These systems can automatically flag and block traffic that looks like it’s coming from credential stuffing tools.

Education

User education and robust password policies are important preventive measures. 

Organisations should educate their user base and employees about the dangers of reusing passwords and phishing. 

Encouraging or enforcing the use of strong, unique passwords can reduce the chance that one breach will lead to another compromise. 

Regularly reminding users to update old passwords and providing tools like single sign-on or password managers can foster safer password habits.

Key Takeaways

Credential stuffing is a dangerous and pervasive threat. 

It is fuelled by the unfortunate reality that people often reuse passwords. 

It takes advantage of the continuous stream of data breaches that supply billions of stolen login credentials to cybercriminals. 

With easy-to-use automated tools, attackers can test these credentials on numerous websites and seize any accounts that unlock. 

The impact can be severe, from fraudulent transactions and data theft to reputational damage for businesses and financial loss for users. 

The good news is that both users and organisations can take steps to defend against credential stuffing. 

Ultimately, credential stuffing exploits human habits as much as technology. 

By fostering better password practices and deploying robust security measures, we can greatly reduce the effectiveness of these attacks. 

Remember, a password reused is an open door to attackers, so lock them out by never reusing passwords and staying vigilant about account security.