What is Credential Stuffing?

Credential stuffing is a form of cyberattack in which stolen login credentials (usernames and passwords) are tried against numerous websites: social media sites, online banking portals, online shopping sites, or any site that requires a username and password. The idea is to find any website on which the stolen credentials work, and so gain access to user accounts.

Credential stuffing was one of the methods used to attack Dunkin’ Donuts’ website, which led the company to pay around $600,000 in fines. It is categorized as a form of brute-force attack: a target website is bombarded with username and password pairs in the hope of finding a match. Though the success rate is well below 1% (only around 0.1-0.2%), cybersecurity experts consider it a serious threat, because at least a hundred thousand, and often millions, of stolen credentials are “stuffed” into countless websites. So, if attackers have 100,000 stolen credentials and 100 target websites, a 0.2% success rate means 200 successful logins per website.

How is it done?

This kind of attack is becoming popular with attackers because they find it very effective. But if we are talking about hundreds of thousands of credentials and websites, how do they enter all those credentials? Wouldn’t that be impractical? They write programs, or bots, that fire thousands of login pairs at hundreds of websites in a matter of minutes. The bots then produce a report listing the matches for every login pair.

Where do the stolen credentials come from?

Attackers acquire stolen credentials from various sources. Many buy them on the dark web. Credentials may also come from phishing attacks, spyware, database breaches, and so on.

So, what can we do to stop it?

Well, first and foremost, protect your username and password. As much as possible, use a different username and password for every account. Or use a password manager, which generates a random password for each of your accounts; all you need to remember is the master password that unlocks the manager.

Second, some websites and companies use anti-bot measures. Are you familiar with CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)? Those are the annoying box-clicking puzzles you see when you log in to an online shopping account or social media site. They are an effective countermeasure against the bots that run credential stuffing attacks: since a bot can’t logically answer a CAPTCHA, it can’t complete a login attempt on that site.

Websites also implement security features that monitor traffic from individual IP addresses. For example, after 3 failed login attempts from the same IP address, they temporarily block that address from accessing the site for a set amount of time. They also measure the interval between attempts; if the timing looks suspicious, the system can automatically filter and block the source.
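As an added example (not code from the original article), here is a small Python sketch of the two server-side checks the paragraph describes: lock a source IP out after three failed logins within a short window, and lock it out when its attempts arrive too quickly to be a person typing. The `LoginGuard` and `SourceState` names, the thresholds, and the log lines are all constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SourceState:
    """Per-IP bookkeeping (constructed for this example)."""
    failures: deque = field(default_factory=deque)  # timestamps of recent failed logins
    recent: deque = field(default_factory=deque)    # timestamps of the last few attempts
    locked_until: float = 0.0                       # seconds until which the IP is blocked


class LoginGuard:
    """Hypothetical login throttle implementing two checks from the article:

    1. Lock an IP out for `lockout_seconds` once it has `max_failures` failed
       logins within `failure_window` seconds (the "3 failed attempts" rule).
    2. Lock an IP out when its last `sample_size` attempts are all spaced less
       than `min_interval` seconds apart, a rhythm a person typing a password
       does not produce. Successful logins count here too, so a bot is caught
       even when some of the credentials it stuffs happen to be valid.
    """

    def __init__(self, max_failures=3, failure_window=60.0, lockout_seconds=300.0,
                 min_interval=1.0, sample_size=5):
        self.max_failures = max_failures
        self.failure_window = failure_window
        self.lockout_seconds = lockout_seconds
        self.min_interval = min_interval
        self.sample_size = sample_size
        self.sources = defaultdict(SourceState)

    def attempt(self, ip, succeeded, now):
        """Record one login attempt and return the decision for it."""
        st = self.sources[ip]
        if now < st.locked_until:
            return "blocked"                    # still inside an earlier lockout

        st.recent.append(now)
        if len(st.recent) > self.sample_size:
            st.recent.popleft()
        if len(st.recent) == self.sample_size:
            stamps = list(st.recent)
            gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
            if max(gaps) < self.min_interval:
                st.locked_until = now + self.lockout_seconds
                return "locked:timing"

        if succeeded:
            st.failures.clear()                 # a real user who finally got it right
            return "ok"

        # drop failures older than the window, then count this one
        while st.failures and now - st.failures[0] > self.failure_window:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return "locked:failures"
        return "failed"


# Constructed sample log, not real traffic: "<seconds> <source ip> <username> <ok|fail>".
SAMPLE_LOG = """
0.0  203.0.113.5  alice ok
1.0  198.51.100.7 u001  fail
1.2  198.51.100.7 u002  fail
1.4  198.51.100.7 u003  fail
1.6  198.51.100.7 u004  fail
5.0  203.0.113.5  alice fail
9.0  203.0.113.5  alice ok
20.0 192.0.2.9    v001  fail
20.1 192.0.2.9    v002  ok
20.2 192.0.2.9    v003  fail
20.3 192.0.2.9    v004  ok
20.4 192.0.2.9    v005  fail
"""


def replay(log_text, guard=None):
    """Feed each log line through the guard; return (ip, user, decision) tuples."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        decisions.append((ip, user, guard.attempt(ip, result == "ok", float(ts))))
    return decisions


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:<14} {user:<6} {decision}")
```

In the replay, 203.0.113.5 behaves like a person who mistypes once and is never blocked, 198.51.100.7 hits the three-failure lockout, and 192.0.2.9 is caught by the timing check even though two of its five attempts succeeded. Because stuffing traffic is commonly spread across many source addresses, a per-IP counter like this is one signal among several; the same bookkeeping keyed by target account is a natural complement.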

Oh, so I have nothing to worry about?

I wish I could say yes, but even though we have countermeasures in place, keep in mind that attacks are evolving, and so are bots. With artificial intelligence around the corner, credential stuffing bots may become smart enough to bypass these countermeasures. That’s why we need experts who work just as hard to improve them.