Credential Stuffing Attacks: What is it and how to prevent it?

Credential stuffing attacks exploit stolen usernames and passwords from data breaches to gain unauthorized access to accounts. This growing threat affects businesses across various industries, from e-commerce and social media to financial services.

As more users continue to reuse passwords across different platforms, attackers find it easier to exploit this vulnerability. By automating login attempts with bots, hackers can test millions of credentials in a short period, leading to account takeovers, fraud, and reputational damage.

But what exactly is credential stuffing, and how do these attacks differ from other cyber threats? Most importantly, how can businesses detect and prevent them? Let’s dive into the details of credential stuffing and explore how you can safeguard your platform.

What is a credential stuffing attack? 

Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords from previous data breaches to gain unauthorized access to user accounts across various platforms. Attackers exploit the fact that many users reuse the same passwords across different websites and apps, making it easier for them to breach multiple accounts with the same credentials.

According to the 2023 Identity Threat Report by F5 Labs, credential stuffing accounted for an average of 19.4% of unmitigated traffic across organizations in various sectors. Even after mitigation efforts, 6.0% of traffic was still composed of credential stuffing attempts. 

According to Kaspersky, one authentication provider reported an average of one credential stuffing attempt for every two legitimate logins in 2022, highlighting how widespread this method has become. This ongoing trend underscores the persistent risk to businesses, particularly in industries like travel, telecommunications, and technology, which experience higher attack rates than other sectors.

But to understand how to protect against credential stuffing, it’s crucial to first understand how these attacks operate and the techniques attackers use.

How do credential stuffing attacks work?

Credential stuffing attacks exploit password reuse by using automated tools, often called bots, to test large lists of stolen credentials on various websites. When they find a match, hackers gain unauthorized access to the user’s account. This automated approach allows them to test millions of credential pairs in a short period.

Difference from brute force attacks:

• Brute force attacks: attempt to guess passwords by trying random combinations of characters until the correct password is found,

• Credential stuffing: utilizes real credentials from data breaches, making the process faster and more efficient, 

Common techniques used in credential stuffing:

1. Botnets: attackers use networks of compromised computers (botnets) to distribute login attempts across multiple IP addresses, making it harder to detect and block the attack,

2. Proxy networks: proxies are employed to obscure the origin of the login attempts, allowing attackers to bypass security measures,

3. Credential dumps: lists of stolen credentials from past data breaches are sold or shared on the dark web, giving attackers ready access to usernames and passwords.

What are some notable recent credential stuffing attacks?

Credential stuffing remains a serious threat to businesses across many sectors, with attackers successfully breaching accounts by exploiting stolen login credentials. In recent years, several high-profile companies have fallen victim to these types of attacks, illustrating the widespread and ongoing nature of the problem. Let’s explore three recent examples:

1. PayPal (2022)

In December 2022, PayPal was targeted in a credential stuffing attack that compromised nearly 35,000 accounts. The attackers used credentials obtained from breaches on unrelated websites to gain unauthorized access to PayPal accounts. 

While PayPal confirmed that there was no evidence of customer data misuse, they offered affected users a two-year subscription to Equifax’s identity monitoring service as a precaution. This incident underscores the importance of enabling two-factor authentication (2FA), which adds an extra layer of protection against credential stuffing.

2. 23andMe (2023)

In late 2023, the genetic testing company 23andMe revealed that a credential stuffing attack had resulted in the theft of personal information from millions of its users. The stolen data included names, profile photos, gender, dates of birth, and even genetic ancestry results. 

According to 23andMe, the attackers likely obtained the login credentials from other platforms where users had reused their passwords. This case highlights the dangers of reusing login credentials across multiple services, making it easier for attackers to breach accounts.

3. Zoom (2020)

In 2020, Zoom experienced a significant credential stuffing attack, compromising over 500,000 user accounts. The attackers used credentials from breaches dating as far back as 2013, many of which were likely sold on the dark web. 

Due to the widespread practice of password reuse, attackers successfully accessed these accounts using a "credential checker" tool. This attack serves as a stark reminder of the need for users to regularly update and diversify their passwords to protect their accounts from being compromised.

How does credential stuffing impact your business?

Credential stuffing can cause significant damage to both businesses and their users, with consequences that affect financial stability, customer trust, and operational efficiency.

1. Financial losses for your business

Credential stuffing often results in fraudulent transactions, which can lead to direct financial losses. Attackers who gain access to user accounts may initiate unauthorized purchases, manipulate loyalty points, or exploit subscription services. These activities can result in chargebacks, refunds, and additional transaction fees.

For industries like e-commerce and financial services, the cost of reversing fraudulent activities can quickly add up, impacting overall profitability. Beyond immediate financial loss, businesses may also face increased insurance premiums and the need to invest in stronger fraud prevention systems.

2. Loss of customer trust and reputation

When customer accounts are compromised, it significantly impacts user trust. Your customers expect their personal data to be secure, and a breach can cause them to lose confidence in your platform. This can result in customer churn, with users abandoning your service in favor of competitors. Negative reviews and social media backlash can further tarnish your reputation, making it harder to attract new users or retain existing ones. 

For businesses in highly competitive industries like social media, finance, and e-commerce, the reputational damage from a credential stuffing attack can have long-term effects on brand loyalty.

3. Operational disruption and increased costs

Credential stuffing attacks often lead to a surge in customer support inquiries as users report unauthorized activities on their accounts. Handling account takeovers, processing password resets, and resolving user complaints place a heavy burden on customer service teams. This increase in support requests can strain your resources, diverting attention from core business functions. 

Additionally, businesses must invest in cybersecurity upgrades to prevent future attacks, which can increase operational costs. The time and effort required to recover from a large-scale attack can disrupt normal operations and delay key projects or initiatives.

How to detect credential stuffing attacks?

Detecting credential stuffing attacks early is crucial to minimizing their impact. By keeping a close eye on specific indicators, businesses can act swiftly to mitigate the damage. Here are three key signs to watch for:

1. Increase in failed login attempts

One of the most obvious signs of a credential stuffing attack is a sudden spike in failed login attempts. Since attackers use automated tools to test thousands—or even millions—of stolen credentials, your system will register an abnormal increase in login failures. 

This pattern often involves multiple failed attempts from the same IP address or across numerous user accounts. Monitoring for such surges is essential to identifying an attack in progress.

2. Unusual activity on user accounts

Users may report strange or unauthorized activity on their accounts, such as transactions they didn’t make, changes in their profile details, or access from unfamiliar devices. Attackers who successfully compromise accounts through credential stuffing often use them to carry out fraudulent actions, such as making purchases or manipulating account settings. 

Implementing tools to detect anomalies in user behavior can help flag suspicious activity early.

3. Unexpected changes to account information

Once attackers gain access to an account, they may attempt to lock out the legitimate user by changing key details like email addresses or phone numbers. These unexpected changes can be a red flag, especially if they occur after multiple failed login attempts.

Monitoring for sudden modifications to account information, particularly following suspicious login activity, can help prevent further damage.

How to prevent credential stuffing attacks to protect your users?

Preventing credential stuffing requires a multi-layered approach. Here are some key strategies:

1. Enforce strong password policies

Encourage users to create strong, unique passwords that are difficult to guess. Passwords should be a combination of letters, numbers, and symbols. Remind users to avoid reusing passwords across different platforms.

2. Educate users about security awareness

Just as the banking industry frequently reminds customers never to share their passwords, businesses should educate their users on the importance of password security. Regular reminders about not reusing passwords and following best practices can go a long way in preventing credential stuffing attacks.

3. Implement account lockout mechanisms

Account lockout mechanisms can prevent automated bots from making continuous login attempts. After a certain number of failed login attempts, temporarily locking the account helps block further attempts until the user verifies their identity.

4. Use CAPTCHA – with limitations

CAPTCHA can help block bots from making automated login attempts, but it’s not a perfect solution. CAPTCHAs can negatively affect user experience and conversion rates, and sophisticated bots can sometimes bypass them using advanced techniques. We’ve explored these limitations further here.

5. Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to verify their identity through a second factor, such as a one-time password (OTP) sent via SMS. This makes it significantly harder for attackers to gain access to accounts, even if they have the correct credentials.

Credential stuffing is a serious and growing threat, but by implementing strong password policies, educating users, and using multi-factor authentication, businesses can significantly reduce the risk. Preventing these attacks protects both your users and your business from financial losses and reputational damage.