87 million credential stuffing attacks target US daily

According to Atlas VPN investigation, hackers carry out 87 million credential stuffing attacks on US citizens daily.

Credential stuffing is a cyber-attack where fraudsters use large numbers of stolen credentials to log into individuals’ or companies’ accounts. This cyber-attack type is on the rise due to the high number of data breaches in the past years.

Such attacks can cause substantial monetary losses. For individuals, the biggest monetary damages occur when hackers access accounts containing a lot of personal information, which can lead to identity theft.

The easiest way for fraudsters to steal money is to obtain access to an account which contains credit card or other payment details from services such as PayPal, eBay, and Amazon.

To gain insight into the number of credential stuffing attacks and the most attacked countries, we have analyzed 24 months (from December 1, 2017, to November 30, 2019) of credential stuffing attacks.

Looking at the data, it is apparent that the US is by far the largest victim of credential stuffing attacks globally. In the US, the number of attacks averages over 87 million attacks per day or 3.6 million attacks per hour.

In part, this is due to a large number of leaked records in the United States.

Combining the number of credential stuffing attacks of the other nine countries accounts for 16.9 billion attacks. Meaning, these countries combined received only 26.4% of attacks that the US did in the same time frame.

Research shows that out of all possible cyberattacks, such as phishing, malware, DDoS, man-in-the-middle-attacks, and others, credential stuffing accounts for 44% of attacks on financial services. The reason being, hacking a financial institution or service would result in huge monetary gains for fraudsters.

Data breaches are a direct prerequisite for credential stuffing attacks. One of the most significant breaches in the past few years is the Marriot Hotels breach that happened in November of 2018. This leak exposed 383 million records, containing Marriot’s customers’ credit card details and some passport information.

Another important mention is the Twitter data leak in May 2018, where due to an inside error, passwords were stored in plain text. The accident exposed over 330 million files, which was a treat for hackers since the data exposed contained actual passwords.

Users can check if data breaches have compromised any of their accounts on haveibeenpwned website. This website is run by Mark Hunt, a Microsoft employee, and a cybersecurity expert.

Individuals that wish to protect themselves from such hacker attacks should set up two-factor authentication whenever possible. When hackers discuss credential stuffing attacks on the dark web, they often complain that 2-factor authentication is the biggest roadblock to a successful cyber-attack.

Credential stuffing economy

Looking at the prices of stolen accounts, it appears that hackers are practically giving them away. However, these accounts are sold in thousands, which adds up to substantial profits for fraudsters.

The cost of the stolen credentials also depends on the number of details the hacker sells together with the account. If the hacker sells a PayPal account together with information about the PayPal balance and limits on the account, then the price can go up to $200.

However, most vendors on the dark web supply the login credentials to the account without any guarantees of the current balance, withdrawal limitations, or information on security measures set up by the owner.

Together with the credentials, scammers that wish to abuse stolen data will have to order checker software. This software attempts to log in to a website using details obtained from data breaches. If the combination is correct, then the software will mark it as valid

Advanced checkers even collect the exact information that is available in the account, such as credit card details and account balances. Checkers cost around $150.

Also, to overcome rate-limiting, hackers will have to use proxies. Rate limiting is a cyber-security measure which blocks a large number of login attempts from a single IP address. Proxy service allows hackers to change their IP addresses, which overcomes this restriction. Proxy services cost around $250/week.


John C.

John C.


Tags: cyberattack credential-stuffing