Credential stuffing is where attackers use a batch of compromised user credentials to break into a system. The credentials they use have already been obtained in a data breach on a different service and are now being used to access the target system.
This article offers a thorough look at credential stuffing and how it works, along with preventative measures and cybersecurity solutions that can keep it from affecting your organization.
Credential stuffing attacks are usually scaled and automated using bots. Since many users recycle login credentials or use them across multiple services, these bots can be used to quickly “stuff” systems with those credentials until they find one that works.
For example, say an attacker obtains user credentials exposed during a data breach of an online retailer. Then, using bots to scale the attack, they use that same list of credentials to repeatedly attempt to log into a banking website. If any users whose credentials are on the list have used the same credentials on that banking site, they may become victims of account takeover.
An attacker doesn’t even need to breach an online retailer themselves in order to obtain a list of credentials. There are plenty of breached credential lists available for purchase on the dark web, and each list may contain millions of sets of credentials. Based on the success rates of credential stuffing, for every million sets of credentials, an attacker could successfully breach 1,000 accounts. This makes credential stuffing well worth the attacker’s time.
Combine those factors with advanced bot technology and careless users who continue to reuse credentials, and you have a rewarding attack vector for cybercriminals.
It’s also worth noting that when a company is targeted by a credential stuffing attack, an attacker gaining access to individual accounts doesn’t necessarily mean that the organization’s security is compromised. However, companies managing user accounts that are part of a successful credential stuffing attack may have actions to take to prevent fraud, misuse, or direct losses.
Understanding the process is key to mitigating your risk of credential stuffing. To set up and execute a credential stuffing attack, cybercriminals follow some basic steps.
The attacker creates a bot that is capable of making automated, parallel login attempts from multiple IP addresses.
The attacker procures a list of stolen credentials, and then through an automated process, runs those credentials in parallel through the target websites.
During this process, the attacker watches for successful logins. With each one, he or she may steal personal information like account or credit card numbers, locations, or other private data.
Now the cybercriminal has valuable information they can use for fraudulent transactions, phishing schemes, and other crimes.
You might be wondering what the difference is between credential stuffing and a brute force attack. According to OWASP, credential stuffing is actually a subset of brute force attacks. However, there are some critical differences between the two:
Credential stuffing uses known, exposed credentials. Conversely, brute force attacks try to guess passwords without clues or context using random characters, common password suggestions, or common phrases.
Passwords that are simple and guessable are the most vulnerable to brute force attacks. In credential stuffing, password complexity doesn’t matter.
Users can defend themselves against brute force attacks by using strong and unique passwords, but if their data is exposed and used for credential stuffing, it won’t matter how good those passwords are. (For better protection, enterprises should enforce multi-factor authentication where possible).
Because of these differences, credential stuffing is much more likely to succeed than a brute force attack.
Credential stuffing attacks are growing and not going away anytime soon. This makes understanding these attacks and how to prevent them increasingly critical.
According to data collected by F5, the number of credential spill incidents per year nearly doubled between 2016 and 2020. Although there is growing concern and consensus regarding the best practices surrounding credentials and password storage, behaviors around the industry haven’t caught up to that consensus. For example, passwords being stored in plaintext is the number one contributor to credential spilling by far.
For everyday users, preventing credential stuffing isn’t complicated. Using unique passwords for each service used will keep credential stuffing from being effective (password managers can make this even easier). Private users can strengthen their login credentials further by enabling two-factor authentication when available.
For businesses and other organizations, credential stuffing prevention is more of a challenge, especially for those who employ authentication services. While an organization can ask its users to use unique passwords, they can’t really enforce it.
Fortunately, there are several ways for organizations to guard against credential stuffing attacks.
CAPTCHA is a fraud prevention method for requiring users to prove they’re a human being before allowing them to log in. This typically includes reading a set of obscured characters and typing them into a box, or being asked to identify and select photos of certain items out of several different images.
The drawback to CAPTCHA is that attackers can use headless browsers to bypass it. It cannot be applied to every scenario, and it’s best to combine CAPTCHA with other fraud prevention measures. PingOne Protect, for example, provides a comprehensive fraud prevention solution.
MFA is very effective against credential stuffing. It requires each user to authenticate their identity with both something they know and something they have. For example, along with a password, passphrase, or PIN (personal identification number), logging in under MFA will also require the user to have physical access to their mobile phone, tablet, or access token. In the case of a mobile device, a code can be sent to the device which the user will be required to enter before getting access.
Requiring MFA for every user or every action may not be feasible in all situations, but it can be used in conjunction with other authentication methods such as device fingerprinting.
Device fingerprinting doesn’t mean the user has to use an actual fingerprint to log in. Using JavaScript, device fingerprinting captures a range of data points about user devices, such as:
Operating system
Browser
Language
Time zone
User-agent
IP address
HTTP request headers
Battery information
Screen resolution
VPN information
Flash data
This information is used to compile an identifying “fingerprint” for each incoming user session. If the same data points are used for several sequential login attempts, device fingerprinting identifies this as a credential stuffing or brute force attack.
Using device fingerprinting based on several unique data points (such as IP address, flash data, HTTP request headers, and VPN), businesses can respond to potential attacks with extreme measures such as banning IP addresses.
However, more attack attempts may be captured by fingerprinting with a combination of two or three of the more common data points (such as time zone, language, and browser), and then responding to them with more moderate measures such as temporary IP banning.
Fortunately, cybercriminals usually have access to a relatively small pool of IP addresses. An IP deny list contains IP addresses or ranges of IP addresses you’d like to deny. You can also designate an allow list (also called a whitelist) of IP addresses to allow. This principle of denying and allowing specific IPs helps to keep malicious IPs from accessing your network.
By monitoring IP addresses that try to log into more than one account, your organization can block or contain them. Those IPs can then be compared to suspicious IPs from externally referenced lists to vet them before access is allowed.
While this technique can be useful against some credential stuffing attacks, it isn’t practical against true dynamic bot attacks because of the changing IP addresses used.
Headless browsers (PhantomJS or headless Chrome/Firefox, for example) are frequently used by bad bots. Fortunately, these are easy to identify via their JavaScript calls. Blocking all headless browsers is an option to help prevent credential stuffing attacks.
However, blocking all headless browsers will also keep good bots from working in your favor. Good bots include search engine crawlers from Google or Bing. Bots can also be used to monitor the status of your site for outages, operate automated chats (chatbots), or crawl your ecommerce site to recommend great deals to users.
The key to recognizing good bots is knowing the source. Good bots are typically used by reputable companies (e.g. Google). In most cases, helpful bots will make themselves identifiable and will conform to the rules and policies you’ve set forth on your website.
Traffic that originates from commercial data centers (such as Amazon Web Services) is almost always bot traffic. This traffic should be treated with much more skepticism than traffic from individual users. Fortunately, such traffic is easy to identify, and stern rate limits can be used to block or ban IPs that fall into this category.
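To show how the device-fingerprinting, IP-monitoring, headless-browser and data-center rate-limiting ideas above combine in practice, here is an added example (not code from the article or from Ping Identity) that runs detection logic over a constructed authentication log. The log lines, thresholds, the data-center address list and the user-agent markers are all assumptions made for the example; a production system would take headless-browser signals from JavaScript checks and data-center ranges from a maintained feed rather than the stand-ins here.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample authentication log (not real traffic). Pipe-separated fields:
# timestamp | client IP | account | result | browser | language | time zone | user agent
SAMPLE_LOG = """\
2024-03-01T10:00:01Z|203.0.113.10|alice|ok|Chrome|en-US|America/New_York|Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T10:00:09Z|203.0.113.10|alice|ok|Chrome|en-US|America/New_York|Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-03-01T10:01:02Z|203.0.113.11|bob|ok|Firefox|de-DE|Europe/Berlin|Mozilla/5.0 (X11; Linux x86_64) Firefox/122
2024-03-01T10:02:00Z|198.51.100.7|carol|fail|Chrome|en-US|UTC|Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120
2024-03-01T10:02:01Z|198.51.100.7|dave|fail|Chrome|en-US|UTC|Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120
2024-03-01T10:02:02Z|198.51.100.7|erin|ok|Chrome|en-US|UTC|Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120
2024-03-01T10:03:00Z|192.0.2.50|frank|fail|Chrome|en-US|UTC|Mozilla/5.0 (Windows NT 10.0) Chrome/119
2024-03-01T10:03:01Z|192.0.2.50|grace|fail|Chrome|en-US|UTC|Mozilla/5.0 (Windows NT 10.0) Chrome/119
2024-03-01T10:03:02Z|192.0.2.51|heidi|fail|Chrome|en-US|UTC|Mozilla/5.0 (Windows NT 10.0) Chrome/119
2024-03-01T10:03:03Z|192.0.2.51|ivan|ok|Chrome|en-US|UTC|Mozilla/5.0 (Windows NT 10.0) Chrome/119
"""

# Thresholds and ranges are assumptions chosen for this example, not product defaults.
ACCOUNT_THRESHOLD = 3       # distinct accounts one source may touch before we act
DATACENTER_THRESHOLD = 2    # sterner limit for traffic from data-center address space
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed stand-in list
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")  # user-agent hints; real checks use JS signals

FIELDS = ("ts", "ip", "account", "result", "browser", "language", "tz", "ua")


def parse_log(text):
    """Turn pipe-separated log lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def fingerprint(event):
    """Hash the device-side data points into a short, stable session fingerprint."""
    raw = "\x1f".join(event[k] for k in ("browser", "language", "tz", "ua"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def is_headless(ua):
    return any(marker in ua for marker in HEADLESS_MARKERS)


def analyze(text):
    """Return per-IP and per-fingerprint findings based on how many accounts each source touched."""
    accounts_by_ip = defaultdict(set)
    accounts_by_fp = defaultdict(set)
    headless_ips = set()
    for ev in parse_log(text):
        accounts_by_ip[ev["ip"]].add(ev["account"])
        accounts_by_fp[fingerprint(ev)].add(ev["account"])
        if is_headless(ev["ua"]):
            headless_ips.add(ev["ip"])

    ip_findings = {}
    for ip, accounts in accounts_by_ip.items():
        limit = DATACENTER_THRESHOLD if is_datacenter(ip) else ACCOUNT_THRESHOLD
        if len(accounts) >= limit or ip in headless_ips:
            # Data-center or headless sources get the stern response; others a temporary ban.
            action = "block" if is_datacenter(ip) or ip in headless_ips else "temp_ban"
        else:
            action = "allow"
        ip_findings[ip] = {"accounts": len(accounts), "action": action}

    fp_findings = {}
    for fp, accounts in accounts_by_fp.items():
        # One fingerprint spread over several IPs but touching many accounts is the
        # rotating-IP case that a per-IP rule alone misses; answer with a step-up challenge.
        fp_findings[fp] = {"accounts": len(accounts), "challenge": len(accounts) >= ACCOUNT_THRESHOLD}
    return {"ips": ip_findings, "fingerprints": fp_findings}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, the data-center headless source that touched three accounts is blocked outright, the two residential IPs that each touched only two accounts stay under the per-IP limit, yet their shared fingerprint shows four accounts and is sent to a challenge, which is exactly the gap between per-IP and fingerprint-based detection the text describes.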
Reusing credentials across multiple services makes users more vulnerable to credential stuffing. Reuse of credentials becomes much more likely when people use their email address as an account ID.
If your service disallows this practice, you can drastically reduce the chances of users reusing the same combination of credentials on another website.
Businesses need their customers to trust them, and preventing attacks like credential stuffing is one way to avoid breaking that trust. While credential stuffing is a major threat, it makes the most sense to employ an overall fraud detection solution to:
Differentiate between the interactions of legitimate and fraudulent users
Continuously analyze hundreds of data points in physical interactions of users and devices to recognize user patterns
Identify devices which may have been tampered with or spoofed to raise red flags
Detect methods of IP masking such as unknown VPNs or proxies
Ping Identity’s Online Fraud Detection is designed to do all of this and more, without undermining the user experience with undue friction. It is possible to keep customers happy while proactively thwarting fraudsters in real time. To learn more, download our Fraud Detection White Paper.