Many companies featured on Money advertise with us. Opinions are our own, but compensation and
in-depth research may determine where and how companies appear. Learn more about how we make money.

Published: Sep 15, 2023 14 min read

Credential stuffing is an online attack method used by cybercriminals to gain access to user accounts using stolen or leaked credentials. The attacker creates a list of usernames and associated passwords obtained from previous data breaches and then uses automation to test the combinations against multiple online services. If successful, the attacker gains access to the accounts and any sensitive information linked to them.

With recent FBI warnings to U.S. businesses and an increasing amount of user data being leaked, credential stuffing has emerged as one of the most prevalent cyber threats.

Credential stuffing definition

Vast amounts of user credentials are leaked every year due to data breaches, insider threats and poor security practices. User credentials refers to the combination of a user’s login name or username and password, which are regularly used for authentication purposes in online platforms and applications. These user credentials may be sold on the dark web, privately shared or even made public for anyone to use.

According to a 2019 survey from Google, in partnership with The Harris Poll, 66% of Americans use the same password for more than one online account. Cybercriminals are well aware of this and use it to their advantage through credential stuffing. Once they obtain user credentials from a leak or breach, they then use automated tools to test these username and password combinations on multiple websites and services, with the expectation that at least one of the platforms they are trying to access will authenticate the login attempt.

Credential stuffing attacks are insidious because they target the weakest link in an organization's cybersecurity defense — its users. By exploiting users who reuse passwords, hackers can gain access to multiple accounts and services with relatively little effort. Furthermore, the automated nature of these attacks allows hackers to quickly test a large number of username and password combinations in order to have at least a few successful hits.

Credential stuffing attack examples

There have been several well-publicized credential stuffing attacks over the years. In 2017, Uber suffered a major data breach that exposed the personal information of 57 million users, including their names, phone numbers and email addresses. The attacker gained unauthorized access to the user account database through a credential stuffing attack on the popular online software development platform and repository GitHub. Previously exposed in a data breach on a different website, they were able to gain access to an Uber employee's GitHub account with a username and password combination that had been used on multiple websites.

The attacker demanded $100,000 from Uber in exchange for not releasing the stolen information. The company agreed to pay and then attempted to cover up the security breach, even grouping the payment with a "bug bounty" program to incentivize independent security researchers. Eventually, the incident was reported to the public and Uber agreed to pay $148 million in a settlement with US regulators.

This example shows how credential stuffing attacks aren't just dangerous for exposed users but also expose companies to major financial and reputational losses as well.

How credential stuffing affects its victims

Aside from the implications for companies mentioned above, credential stuffing attacks can also have a severe impact on individuals with exposed data. If an attacker is able to use the same username and password combination to successfully log into multiple accounts, they may be able to steal funds from bank accounts, make fraudulent purchases or even take over social media profiles. In the worst case scenario, attackers may even commit various crimes in the victim's name, implicating them in the process.

Credential stuffing vs password spraying

Credential stuffing attacks are often confused with password spraying, which is a similar type of attack. Both methods are a type of brute force attack that involve automated attempts to access accounts using known usernames. While credential stuffing involves known passwords, password spraying involves trying out common or weak passwords.

Although both of these types of attacks can lead to successful intrusions, credential stuffing is generally considered to be more dangerous because it relies on lists of already exposed username and password combinations. Examples of passwords often used in password spraying attacks include:

  • password
  • 12345
  • qwerty
  • abc123
  • 111111

These two types of online attacks are aimed at different security vulnerabilities in user behavior. Credential stuffing relies on the habit of people using the same username and password combination across multiple accounts and password spraying takes advantage of the fact that many people still use weak, easy-to-guess passwords.

How to prevent credential stuffing

There are several strategies you can use to protect against credential stuffing attacks. These include using strong passwords and multifactor authentication (MFA), ensuring your operating system and applications are up to date and learning to recognize common phishing techniques. Each of these credential stuffing protections targets different possible attack vectors, ensuring accounts maintain strong security in different areas.

The following section examines these credential stuffing defenses in more detail.

1. Use unique and strong passwords with multifactor authentication (MFA).

Multifactor authentication is one of the best ways to protect against credential stuffing attacks. It requires users to authenticate their login attempt with more than just a username and password. This could be in the form of a code sent to your phone, biometric authentication (e.g., fingerprint, face recognition), a memorized pin number or even an external hardware device such as a USB.

MFA makes it exponentially more difficult for attackers to access your accounts because now not only do they have to guess your password, but also access or bypass any additional security measures you have in place. Multifactor authentication most often takes the form of two-factor authentication.

2. Keep your operating system, apps and plugins updated.

You may have noticed apps, software and operating systems regularly prompting you to install an update. Aside from fixing bugs and providing new features, these updates often include security patches that help protect against the latest threats. Regularly updating your operating system and applications is one the most simple and straightforward ways to protect yourself from the latest credential stuffing attacks.

3. Learn how to recognize phishing scams.

Phishing is a type of cyberattack that involves fooling people into downloading malicious software or revealing sensitive information like passwords. Attackers often disguise these emails or messages as something innocent like account notifications, order confirmations or even tax returns. In some cases, it's as simple as clicking an email link while in other cases, the attacker may impersonate a genuine caller or emailer to build trust with their potential victim.

Knowing what phishing scams look like and how to detect them is an important part of protecting yourself against credential stuffing vulnerabilities. If you receive any suspicious emails, messages or calls, don't click on any links or provide any information until you have verified the identity of the other party. You may even want to contact the company or organization using the contact information on their website to verify the legitimacy of the communication.

How to detect credential stuffing

Even after implementing every possible preventative measure you can, it's still possible for credential stuffing attacks to slip through the cracks. Your information could be part of a data breach or stolen from an insecure website you visited. To stay safe, it's crucial to continuously monitor your accounts for signs of suspicious activity while also keeping an eye out for any new accounts that appear in your name.

The following are some of the best ways to keep on the lookout for credential stuffing attacks.

1. Regularly monitor your account activity.

Check all of your accounts regularly to ensure that you are the only one accessing them. Look out for any strange or unfamiliar activity, such as logins from different locations, purchases you didn't make or sent messages that don't seem like they're coming from you.

Luckily, many websites and apps have built-in security features that can help you detect suspicious activity. For example, most banks offer notifications whenever a new device logs in to your account or require additional authentication steps to verify your identity when a new device attempts to access your account.

If you do notice any suspicious or fraudulent activity, contact the company or organization immediately and take the appropriate steps to secure your account. You should also consider changing your password if you think that it has been compromised.

2. Monitor dark web marketplaces for any signs of your credentials.

Another way to detect credential stuffing is to monitor dark web marketplaces for any signs of your login credentials being sold. Cybercriminals often buy and sell stolen credentials and other personal information on the dark web.

While this can seem intimidating, it actually provides you with an opportunity to take action before a malicious actor is able to cause real damage. By monitoring dark web marketplaces, you can spot any signs of your credentials being sold and take appropriate action to secure your accounts before they are used maliciously.

3. Use threat intelligence services.

Instead of spending time and resources to monitor dark web marketplaces yourself, you can also use threat intelligence services for credential stuffing detection. These credential stuffing solutions quickly detect compromised credentials and alert you when there's any suspicious activity associated with your accounts.

There are many different types of threat intelligence services available, with some specializing in specific industries and others that cover a wider range of threats. Many of the best credit monitoring services offer threat intelligence as an added service, making it easier to spot the signs of credential stuffing or other malicious activity while also keeping an eye on your credit history. They may include an annual credential stuffing report or offer a more comprehensive suite of services that continuously monitor your accounts.

How to stop credential stuffing

There are a few steps you should take if your information is found on the dark web or if you have confirmed that your credentials have been stuffed. This includes changing your passwords, scanning your computer for malware and reporting any suspicious activity to the proper authorities. Not only will these steps help immediately block credential stuffing, but they will also help prevent stop attempts of credential stuffing on other accounts.

1. Immediately change compromised passwords.

If you confirm that your information is available on the dark web, make sure to change your passwords as soon as possible. This includes any accounts that may use the same or similar passwords, as they are likely to be compromised as well.

It's best to choose a strong password that is unique to each account and contains a mix of numbers, symbols and uppercase/lowercase letters. The National Institute of Standards and Technology (NIST), a federal agency that develops and promotes standards for computer technology, suggests that passwords be between 8 and 64 characters long and provide "Pattern2baseball#4mYmiemale!" as an example of a strong password.

2. Check your devices for malware.

If you have confirmed that credential stuffing has occurred to you, it’s important to check all of your devices for malware. Malware can be downloaded without your knowledge and is sometimes used to access your accounts or steal information. Use a reputable malware scanner like Malwarebytes to check all of your devices for malicious software.

If you want to be extra cautious, you can do a clean installation of your device’s operating system to make sure that everything is completely safe.

3. Report malicious or suspicious activity to the relevant authorities.

Any malicious or suspicious activity that you come across should be reported to the relevant authorities. This includes any attempts to access your accounts, data breaches or suspicious emails. Relevant authorities could include your bank and credit card company or law enforcement. This will help to prevent further damage and ensure the perpetrators are held accountable.

Summary of Money's What Is Credential Stuffing?

Brute force credential stuffing is a type of cyber attack in which malicious actors use automated credential stuffing tools to try gaining access to accounts using stolen usernames, email addresses and passwords. To protect yourself online, you should use strong and unique passwords for each account, enable multifactor authentication, regularly check for suspicious activity and ensure that your operating systems and software are up-to-date. You might also want to consider using the services of an identity theft protection service in the future.

It's also important to be aware of common phishing techniques and pay attention to any recent data breaches that may have exposed your information. By following these steps, you can rest easy knowing your credentials are as secure as possible.