arrow left facebook twitter linkedin medium menu play circle

Digital Fraud Wiki

Your source for the latest fraud intelligence, insights, research, and commentary.

Credential Stuffing

What is Credential Stuffing?

Credential stuffing attacks are a type of account takeover (ATO) attack in which fraudsters use stolen credentials to try and break into user accounts. In a credential stuffing attack, fraudsters leverage vast stores of leaked legitimate user credential data—typically exposed in data breaches—to begin firing pairs of names and passwords at other sites in hopes of getting a “hit”—an instance in which a combination works, and a hacker gets into an account. 

Credential stuffing attacks are on the rise. A recent report by Akamai noted that there were “nearly 30 billion credential stuffing attacks in 2018.” Fraudsters increasingly rely on bots to automate these attacks

There were several large-scale examples of credential stuffing attacks in 2019; one of the most high-profile incidents involved Disney’s rollout of their Disney+ streaming service. As reported by CPO magazine, the launch was disrupted by account access issues, and speculation was that a credential stuffing attack was to blame; this, in fact, proved to be the case, as “hackers had obtained access to some database of usernames and passwords from a previous hack pre-dating the launch of the new Disney offering, and then systematically attempted to find out if any of those username/password combos would work with the Disney+ streaming service.”

What Should Companies Know About Credential Stuffing?

Credential attacks are typically automated and executed at scale. Attackers employ massive botnets—connected networks of compromised machines—to execute their attacks. By scripting these “bots” to perform the brute force login attempts, attacks can be scaled out across millions of IP addresses, with each IP only generating a small number of events. DataVisor estimates that 50% to 80% of account takeover attacks on financial services are conducted via coordinated attacks like this, and this number can be up to 95% on social or gaming platforms.

There are existing strategies in place to try and address these kinds of attacks, but their efficacy is limited. Blocking individual IPs, for example, can sometimes initially slow attackers down, but modern digital fraudsters are capable of quickly pivoting to bypass static blacklists by using different botnets, or other proxies and anonymous routing services. 

Multi-factor authentication offers a strong defense, but it also brings with it high user friction and high deployment costs, and as such, is not a viable solution for the long term.

Advanced detection tools also offer hope against credential stuffing attacks, though detection itself has its own challenges when it comes to preventing credential stuffing attacks, because these attacks harness legitimate user accounts. Quality fraud management systems may be able to detect fake accounts, but it requires advanced technologies and solutions to effectively detect fraud when it appears in the form of real users.

How to Prevent Credential Stuffing Attacks

DataVisor’s Director of Research Ting-Fang Yen, writing about the coordination, automation, and scale of credential stuffing attacks, noted that “to prevent ATO of this type, an advanced fraud management solution is required; one that can review users and events holistically, and reveal the clandestine correlations and patterns that signify fraudulent attacks.”

Approaches that rely on individual account monitoring and analysis are typically incapable of detecting the advanced levels of coordination that define large-scale credential stuffing attacks. It is only through exposure of the connections that exist between hijacked accounts that a comprehensive picture can be derived, and it is only in this way that fraud defenses can neutralize incoming attacks before damage is caused.