How to Prevent Credential Stuffing

Credential stuffing has evolved into a prevalent tactic when hackers weaponize leaked users’ data. Initially, such digital attacks targeted government websites. However, they managed to become universal, focusing on regular netizens as well. Recurring data breaches are massive, and they serve as the main component of credential stuffing attacks. To mitigate them, you need to know how hackers can abuse the data exposed during a data breach.

What is credential stuffing?

Credential stuffing is a technique used to gain fraudulent access to users’ accounts. The scale and the impact of the attack can range from mediocre to high, depending on the targeted accounts. It might be that hackers can scoop out enough information to commit identity theft. In other cases, credential stuffing can be the reason an unknown actor has wiped your bank account clean. If you repeatedly use a preferred email address, hackers can use the leaked combination on all associated accounts.

Sumit Agarwal introduced the term credential stuffing after discovering hackers’ attempts to break into publicly facing military websites. These attacks differed from the standard ones that used password generators to guess the correct passwords. Instead, crooks exploited the credentials extorted from one site to break into other, unrelated ones. Therefore, this form of attack deviates from the traditional brute force attacks. However, due to the compelling resemblance between them, credential stuffing is a subset of brute force attacks.

Credential stuffing in action: how does it work?

Not surprisingly, hackers do not perform credential stuffing manually. Automated scripts do all the dirty work. Once the crooks automate the process of testing leaked credentials, they can swiftly check which accounts feature the same email/password pair. Hackers can then easily access them, steal data, hold it for ransom, and purchase expensive items from online stores. Basically, if your hacked account contains something of value, crooks will not hesitate to use it.

The credential stuffing technique has become mainstream due to its simplicity, rapid transfer to online-only services, and of course, frequent data breaches. The latter provides hackers with the attack-ready sets of credentials. Hence, they can immediately start attempting to access accounts associated with the leaked usernames/email addresses. Additionally, the dark web features massive collections of credentials. As a result, hackers do not need to scrape each leak individually. They can retrieve large databases, consisting with millions or billions of credentials from previously disclosed or new data breaches.

Tips on password hygiene: effective mitigation for credential stuffing

Until credential stuffing affects you directly, you might be reluctant to follow the recommendations for password security. However, this might come at your expense. You can avoid the devastating financial losses, account takeovers, and emotional distress by following these simple rules:

  • Do not reuse passwords. At this stage of digital advancement, there is no excuse for applying the same password on multiple occasions. The fact that people still reuse passwords is the reason why credential stuffing continues to boom.
  • Make use of password managers. If you are afraid of forgetting passwords, download or use web-based managers. They will securely hold all of your credentials, and will even help you create strong and unique combinations.
  • Deploy two-factor authentication (2FA). You should always use 2FA on all your accounts. It adds a layer of security, reassuring that users will only access accounts after presenting an extra piece of information. For instance, a service might prompt you to type in the code sent to your phone or email. Let’s say hackers break into your account due to credential stuffing. Unluckily for them, they won’t be able to log into your account without the external confirmation.
  • Replace leaked credentials as soon as possible. Usually, companies inform their user communities about data breaches via email or another form of communication. Be sure to react quickly to such notifications and change the password of the breached account. If you reused that password on other websites, you need to change them to mitigate credential stuffing.
  • Do not willingly give away your credentials. Social engineering and phishing scams have become more convincing over the years. Cybercriminals might present compelling evidence to convince you that they belong to a reputable entity. However, companies and organizations will never require your credentials via email. You can also find contact details to double-check if that email you got is not fraudulent.
  • Use a VPN. Public Wi-Fi spots can also be a reason your credentials end up in hackers’ hands. If you need to connect to one, make sure a VPN is there to encapsulate and encrypt all of your data and traffic.


Anton P.

Anton P.


Tags: credential stuffing