What is a Credential Stuffing Attack?

Nowadays, there is an emergence of more sophisticated cybersecurity issues targeting various users and platforms. With Artificial Intelligence and machine learning, the attacks are no longer just the execution of instructions by a human being. Malicious intelligent agents have been developed and used to automate the attacks while remaining virtually undetectable. They mimic and imitate a real user on the other end. Bots or Internet bots are such agents. They can perform thousands of instructions per second in stealth mode while constantly adapting to the environment. These intelligent agents are the source of attacks nowadays, from DDoS, Credential Stuffing, to brute force attacks. In this article, we shall consider the Credential Stuffing attack.

What is a Credential Stuffing attack?

Credential Stuffing attack is the technique in which a cybercriminal uses automated injections of username and password combinations obtained using various means like phishing to validate them or breach into a system. This usually leads to account takeovers. After a fraudster gains access, they behave as legitimate users, and detecting them becomes almost impossible. Banking/ financial, e-commerce, hospitals and gaming websites are amongst the lucrative targets. By gaining access, attackers gain unauthorized access to personal and corporate data to exploit in different ways. But you may wonder, where do the said credentials come from?

Sources of the credentials


Attackers can send spoofed messages whose design is to trick a person into revealing their sensitive information. This is referred to as phishing. It can be through emails, voice calls, SMS, or hijacking of pages. In email phishing, forms can be cloned and sent to unsuspecting victims with redirects to the original state. When a user enters their information, it is sent to the attackers’ server first, and then the victim is redirected to the actual website.

Data breaches

Every year, millions of credentials are dumped into the dark web and IRC forums. The credentials come from corporate data breaches in institutions like banks and health institutions. Because many people repeatedly use the same username combinations and passwords, when tried against banking and other essential services websites, the attacker gains access.

Other methods that the attacker may use to harvest credentials are DNS poisoning, MITM attacks, social engineering, and password dumping tools like Mimikatz.

How are Credential stuffing attacks carried out?

After the credential harvesting, several gigabytes of credentials are released into the darknet, IRC forums, Social media like telegram channels, and sites like Pastebin (against their policy). If an institution does not store the data correctly, a data breach can result in all the user credentials and data being exposed.

The data is compiled into a list that is fed into a bot. The bot then crawls into the target and recursively tests which credentials are valid. For instance, credentials obtained from a health website can be used for logging into a banking institution’s website. The valid credentials are then used to gain access to the target. It gives them access to personal and confidential corporate information.

What does a cybercriminal do with the obtained information?

E-Commerce fraud

After a hacker gains access to a merchant site, they can order high-value items for reselling or personal use. This is a lucrative form of identity theft for cybercriminals. Therefore, retail is the most vulnerable area for credential stuffing.

Corporate espionage

This is the most devastating form of attack on businesses. By hijacking an admin or employee account, an attacker can gain access to proprietary data, social security numbers, credit card information, to name a few. Competitors can buy proprietary information from the attackers and introduce the product before the inventors. It can deal a big blow to a business.

Selling the compromised accounts

This is common in gaming, media, and streaming websites. Various sites that include Spotify, Netflix, Grammarly, and Chegg have been victims. The attacker sells access to the compromised account at a price lower than the subscription cost.

Other ways include Ransomware, blackmailing the companies for cash or other favors, and whistleblowing.

Preventing credential Stuffing attacks

Using multi-factor authentication (MFA)

In addition to the username and password, multi-factor authentication requires that the user logs in using another form of authentication. They can additionally use biometrics such as face recognition, fingerprints, or palmprints. One-time Passwords (OTP) is the most common instance of MFA, whereby a one-time code with an expiry time is sent to a device associated with the user. This is an effective way to prevent credential stuffing because a cybercriminal cannot access the device or fingerprint.

Using continuous authentication

In this method, a user’s identity is verified in real-time. Behavioral patterns, biometrics by a continuous authentication system are used instead of a password. It makes credential stuffing attacks and some other cyberattacks unviable for gaining unauthorized access by cybercriminals.


This method transforms plain text passwords and usernames into random-looking or humbled texts called hashes with the help of hash functions or algorithms. Tools like Hashcat can be used to crack the hashes.

While the hashes can be cracked in practice, having a solid hashing function can give you time to reset your credentials after a data breach before the attacker gains access. Rick Redman, a renowned penetration tester, explains that if you use an algorithm like bcrypt, you have more time than the one using SHA1 to change your passwords.

Authentication without password

By verifying or authenticating a user with something they have, this method effectively prevents credential stuffing attacks. The “something” may be a device, another account related to the user, or biometrics. It saves users time and money invested in password storage systems and resetting.

Breached password detection

This technique protects a user from credential stuffing attacks by detecting and comparing user credentials against a database of compromised ones. Therefore, this saves a user from credential stuffing in real-time. An example of such databases for breached passwords is have I been pwned. Breached password protection systems could ask for additional authentication factors or block a user’s login if their credentials were part of a security breach.

Investing in a bot protection solution

Bots are the primary agents used in credential stuffing attacks. Therefore, it is prudent to invest in a reputable bot protection solution like DataDome. DataDome provides a multilayered approach to bot protection. By utilizing current technologies like machine learning and neural networks, we can easily detect and eliminate malicious bots from your website. Such a tool crafts intelligent mechanisms like rate limiting and IP reputation databases to detect malicious bot activities and crafts an immediate response to the incidence. By providing real-time authentication, there can be no access to your credentials and data by the cybercriminals.


Though the success rate of credential stuffing attacks is low, their effect is stealthy and fatal if they succeed. When proprietary information belonging to the Company gets exposed, it invites competition. Since the rival Company did not invest in research, they can sell at a lower price over the patent-holding Company. It has the potential of bankrupting the patent-holding Company. Investing in a proper mechanism for preventing credential stuffing attacks is hence necessary. Bot protection mechanisms can effectively prevent malicious bots’ intents, ensuring the safety and privacy of your Company’s data.


This article is a guest post that HackingVision was paid for posting. Any linked sites are not under the control of the authors or Hackingvision.com, thus its authors are not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.