What is Credential Stuffing: A Simple Overview (2021)


Credential stuffing is a cyber-attack technique in which attackers use lists of compromised user credentials to gain unauthorized access. The attack relies on bots for automation and scale, and on the fact that many users reuse the same usernames and passwords across several services. The attacker’s aim is to gain unauthorized access to as many user accounts as possible and then carry out further attacks or malicious operations. This can lead to account takeovers (ATOs), a form of identity theft in which a fraudster uses a legitimate user’s stolen or forged credentials to take over one or more accounts, notably banking, credit card, or e-commerce accounts. ATOs allow attackers to drain money from bank accounts, make large transactions, or steal identities to create new, fraudulent accounts. At worst, an attacker aims to escalate privileges and gain a foothold in an enterprise network in order to carry out more severe attacks. Using freely available attack tools, cybercriminals can push hundreds of thousands or even millions of stolen credentials into the login pages of one or more websites at a time.

  1. Credential stuffing vs brute force attacks
  2. How Credential Stuffing Attacks Work
  3. Credential Stuffing Prevention

1. Credential stuffing vs brute force attacks

A brute force attack on a login form consists of the attacker holding a list of possible passwords (called a dictionary) and trying each of them against every account the attacker targets. Credential stuffing is another attack on the login form, but it differs from brute force in that each entry in the list contains both a username and a password. That list is typically obtained from a data breach at another company. The goal is to find accounts whose credentials are reused in several places.

2. How Credential Stuffing Attacks Work

Here is the procedure an attacker commonly follows in a large-scale credential stuffing attack.

  • The attacker sets up a bot that can automatically log in to several user accounts in parallel while spoofing various IP addresses.
  • The bot runs an automated process to check whether the stolen credentials work on several websites. Running it in parallel across several sites reduces the need to log in repeatedly to a single service.
  • It monitors for successful logins and harvests personally identifiable information, credit card numbers, or other useful data from the compromised accounts.
  • It retains the account data for later use, such as phishing attempts or other transactions the service enables.

3. Credential Stuffing Prevention

You can protect your website from credential stuffing attacks with the following measures:

  • Multi-Factor Authentication (MFA): Attacker bots cannot provide a physical second factor such as a mobile phone or a hardware key. In some cases MFA cannot be required of an entire user base. If so, it can be combined with other methods, such as device fingerprinting, and required only for the sessions those methods flag.
  • Device fingerprinting: You can use JavaScript to capture information about the user’s system and generate a “fingerprint” for each incoming session. The fingerprint is a combination of factors such as the operating system, browser, language and similar attributes. If the same combination of parameters is used to log in several times in succession, it is likely to be a brute force or credential stuffing attack.
  • IP blacklisting: Attackers usually have a small pool of IP addresses, so blocking or sandboxing IPs that try to log in to several accounts is another effective defence. To minimize false positives, track the last few IPs that have been used to log in to a particular account and compare them with the suspected bad IP.
  • Rate-limit non-residential traffic sources: Traffic coming from Amazon Web Services or other commercial data centres can be detected quickly. This traffic is almost certainly bot traffic and can be controlled much more tightly than normal user traffic. Apply strict rate limits, and block or ban IPs that show suspicious activity.
  • Block headless browsers: Headless browsers such as PhantomJS can be quickly identified by the JavaScript calls they use. Block connections from headless browsers: they are not legitimate users, and they almost certainly indicate suspicious behaviour.
  • Disallow email addresses as user IDs: Credential stuffing relies on the reuse of the same usernames or account IDs across platforms, which is far more likely when the ID is an email address. By preventing users from using their email address as an account ID, you significantly reduce the likelihood that the same username/password pair is reused on another site.
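The IP-blacklisting and rate-limiting checks described in the list above, as an added worked example that is not code from the original article: it parses a constructed sample of authentication log lines in an assumed format, flags source IPs that attempt more than a threshold of distinct accounts inside a sliding time window, and then compares each successful login from a flagged IP against that account’s last few successful-login IPs to reduce false positives. The log format, the thresholds and the sample addresses are all assumptions made for this example.

```python
"""Credential-stuffing detection over sample authentication logs.

Added example, not from the original article. The log format, thresholds
and IP addresses below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
#   <ISO-8601 timestamp> <client IP> <username> <OK|FAIL>
# 203.0.113.10 cycles through five accounts in a few seconds (stuffing pattern);
# 198.51.100.7 and 192.0.2.50 are alice's own addresses.
SAMPLE_LOG = """\
2021-03-01T10:00:00 198.51.100.7 alice OK
2021-03-01T10:00:05 198.51.100.7 alice OK
2021-03-01T10:00:10 203.0.113.10 alice FAIL
2021-03-01T10:00:11 203.0.113.10 bob FAIL
2021-03-01T10:00:12 203.0.113.10 carol FAIL
2021-03-01T10:00:13 203.0.113.10 dave OK
2021-03-01T10:00:14 203.0.113.10 erin FAIL
2021-03-01T10:30:00 192.0.2.50 alice FAIL
2021-03-01T10:30:02 192.0.2.50 alice OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def flag_stuffing_ips(events, window=timedelta(minutes=5), max_accounts=3):
    """Return {ip: peak distinct usernames} for IPs that tried more than
    `max_accounts` different accounts within any sliding `window`.

    Both successes and failures count: a stuffing bot produces mostly
    failures but the occasional hit is exactly what we want to catch.
    """
    flagged = {}
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username), time-ordered
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > window:  # drop entries outside the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_accounts:
            flagged[ev.ip] = max(distinct, flagged.get(ev.ip, 0))
    return flagged


def account_ip_history(events, user, n=3):
    """Last `n` distinct IPs that logged in to `user` successfully, newest first."""
    ips = []
    for ev in sorted(events, key=lambda e: e.ts, reverse=True):
        if ev.user == user and ev.ok and ev.ip not in ips:
            ips.append(ev.ip)
            if len(ips) == n:
                break
    return ips


def suspicious_logins(events, flagged_ips, n=3):
    """Successful logins from a flagged IP that is NOT among the account's
    last `n` successful-login IPs seen before that event. Comparing against
    the account's own history keeps a shared office or home IP that happens
    to serve several accounts from being treated as a takeover."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, ev in enumerate(ordered):
        if ev.ok and ev.ip in flagged_ips:
            if ev.ip not in account_ip_history(ordered[:i], ev.user, n):
                hits.append((ev.user, ev.ip))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = flag_stuffing_ips(evs)
    print("flagged IPs:", bad)                        # {'203.0.113.10': 5}
    print("likely takeovers:", suspicious_logins(evs, bad))  # [('dave', '203.0.113.10')]
```

The same per-IP sliding window can drive the rate-limiting measure from the list: instead of counting distinct usernames, count attempts per window and apply a lower threshold to sources that resolve to data-centre address ranges.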


It’s no wonder that all but the most advanced attackers look for the quickest path to success and exploit it. As long as major data breaches continue to expose accounts and consumers continue to reuse passwords across accounts, credential stuffing attacks will continue unabated. The worldwide pandemic has only escalated the problem. With record numbers of people working and learning from home and shopping online, expect to see more credential stuffing attacks on government websites, postal systems, online stores, grocers, and telemedicine companies, to name a few.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem that will give them an edge in this competitive world.
