What is a credential stuffing attack?

Millions of accounts fall victim to credential stuffing attacks each year. This method has become so widespread that back in 2022, one authentication provider reported an average of one credential stuffing attempt for every two legitimate account logins. And it’s unlikely that the situation has improved over the past couple of years. In this post, we’ll discuss in detail how credential stuffing works, what data attackers use, and how you can protect your organization’s resources from such attacks.

How credential stuffing attacks work

Credential stuffing is one of the most effective ways to compromise user accounts. Attackers leverage vast databases of pre-obtained usernames and passwords for accounts registered on various platforms. They then try these credentials en masse on other online services, hoping that some will work.

This attack preys on the unfortunate habit that many people have of using the same password for multiple services – sometimes even relying on a single password for everything. As a result, attackers inevitably succeed in hijacking accounts with passwords that victims have used on other platforms.

Where do these databases come from? There are three main sources:

• Passwords stolen through mass phishing campaigns and phishing sites.
• Passwords intercepted by malware specifically designed to steal credentials – known as stealers.
• Passwords leaked through breaches of online services.

Data breaches provide cybercriminals with the most impressive number of passwords. The record holder is the 2013 Yahoo! breach that exposed a whopping 3 billion records.

It’s important to note that services typically don’t store passwords in plain text but use so-called hashes instead. After a successful breach, attackers need to crack these hashes. The simpler the password, the less time and resources it takes to crack it. Therefore, users with weak passwords are most at risk after a data breach.

However, if cybercriminals really need it, even the strongest password in the world is likely to be cracked eventually if its hash was exposed in a leak. So no matter how strong your password is, avoid using it across multiple services.

Not surprisingly, stolen password databases continue to grow and accumulate new data. This results in colossal archives containing entries far exceeding the population of the Earth. In January 2024, the largest password database known to date was discovered, containing a staggering 26 billion records.

Protecting against credential stuffing attacks

To shield your organization’s resources from credential stuffing attacks, we recommend implementing the following security measures:

• Educate your employees on cybersecurity best practices, emphasizing the dangers of password reuse.
• Develop and enforce a sensible password policy.
• Encourage the use of password managers to generate and store strong and unique character combinations. The application will also monitor for data breaches and recommend changing a password if it is already in a known database.
• Finally, mandate the use of two-factor authentication wherever possible. It’s the most effective way to protect against not only credential stuffing but also other account takeover attacks.

In addition, apply the principle of least privilege to mitigate the impact of successful credential stuffing attacks in advance and, of course, use reliable protection on all corporate devices.