What is credential stuffing?

The systematic misuse of login data through credential stuffing is one of the most frequently used attack tools of cybercriminals on the internet. The trade in stolen information, in particular, represents a lucrative source of income for attackers.

Sequence of an attack using credential stuffing


A definition of credential stuffing

With credential stuffing, attackers exploit the complacency of users on the internet. Even now, many users use the same password for many or all services on the net. Once these credentials are known, it is easy for online scammers to systematically exploit lucrative web services for their own purposes. For example, if attackers have the credentials for your email service, they start making automated requests using the same user names and passwords for web shops, online banks, and even company accounts.

Address lists or “combos” with millions of credentials are traded at bargain prices on professional marketplaces on the internet and the darknet. For the most part, the information from the combos originates from data leaks or hacker attacks. Once equipped with the necessary data ammunition, automated attack tools (bots) torpedo the targeted services. Millions of user/password combinations can be tested within a matter of hours. Confirmed credentials for active accounts are sold by cybercriminals to the highest bidder on the darknet, or the information is used for more extensive attacks.

Code on a screen


How does credential stuffing work?

For credential stuffing, cybercriminals usually rely on bots. These automated programs enable lists of passwords to be processed quickly and stealthily. If, for example, a human attacker were to try out different user/password combinations within a short window of time, this would attract attention. Since all login attempts would come from the same IP address, it would be easy for a system administrator to detect this and take countermeasures. This is different in a bot attack: For one, an automated program can perform these types of actions at an incredible speed and test millions of credentials in a very short time. For another, bots conceal their activities through a collective approach: The first bot tries out the first combination of user/password, the next bot uses the second combination, and so on.

What are the consequences of credential stuffing?

An attack via credential stuffing always harms the affected companies and institutions. Victim organizations still suffer from the consequences even years later. It is, therefore, extremely important to have effective protection.

Economic losses

Online retailers incur additional costs when customers discover that their credentials have been misused. For example, increased refunds result in a heavy economic burden.

Image loss

If user data is misused or stolen on your end, this will negatively affect the relationship with your customers. Regaining trust could take years and require enormous investments.

Data manipulation

If attackers gain access to your users’ data, they will be able to change and manipulate it at will. The longer such data misuse remains undiscovered, the greater the damage can become.

Password lettering


Which industries are affected by credential stuffing?

Essentially, all companies and web services with a login option are affected. However, websites with a high volume of transactions are especially attractive. Especially for banks, payment service providers, but also the travel industry, attacks using credential stuffing can cause considerable economic losses.


How can companies protect themselves from credential stuffing?

It is extremely challenging for the affected companies to defend themselves against credential stuffing. A balancing act of security and usability is called for here. Complex password security requirements and downstream human interaction verification mechanisms such as captchas increase the security of websites. However, if they are configured too aggressively, they can cause user frustration.

Also, captchas do not pose an insurmountable hurdle for attackers. Specialized service providers have long since established themselves on the internet, working with an army of low-paid workers to solve captcha challenges at ridiculously low prices, and API connections to these questionable services are also available. In this context, a simple extension of existing attack tools is all that is needed to circumvent captchas.

Another and much more effective method of fighting against bots is the systematic control of automated requests. Malicious bots are clearly identified and blocked using special software. At the same time, harmless requests, from search engines, for example, are still tolerated. Since about half of all current website traffic consists of bot requests, the management of these data streams has enormous potential.

Myra protects your web services from credential stuffing

With Application Security and its integrated Deep Bot Management, Myra Security offers an upstream protection instance that protects web applications from credential stuffing. High-performance Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks cause any real damage.

About Myra Application Security