What is a credential stuffing attack—and how can you combat it?

Author: Paul Gillin

Billions of stolen usernames and passwords are circulating on the dark web. According to the Verizon 2020 Data Breach Investigations Report, 80% of hacking breaches in 2019 were caused by stolen or brute-forced credentials. But stolen credentials, when used in credential stuffing attacks, are often far more dangerous.

So what is credential stuffing, and how could it affect you? Most importantly, how can you stop it?

What is credential stuffing?

Credential stuffing attacks cram different combinations of the usernames and passwords found in credential dumps into login pages until an account unlocks. They are an increasingly common cyber attack—mostly because users often reuse their usernames and passwords. If a user's login information is stolen from one place, it will probably work somewhere else.

Credential stuffing attacks are thought to be more effective than brute-force attacks because they are not a total guessing game—they leverage existing username and password information. They are also harder to detect, and they are not easily thwarted by routine security protections, such as a cap on failed attempts from a single computer.

There are so many stolen credentials circulating online nowadays that their price is down nearly to zero. Attackers can acquire these lists cheaply, feed them to bots, and have the bots crack open accounts on target sites. Success rates are low—Shape Security estimates success rates between 0.2% and 2%—but the costs are so modest that the rewards can still provide a significant return on the investment.

Like many cyber security problems, credential stuffing is a constant cat-and-mouse game. When website operators limited the number of login attempts from one IP address, attackers responded by feeding bots spoofed addresses. Secondary authentication methods like CAPTCHA codes were effective, but only for a short time. As seen in the 2021 Data Breach Investigations Report, 23% of the organizations monitored had security events related to credential stuffing or brute force attacks, with 95% of them getting anywhere from 637 to 3.3 billion attempts against them.
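The two points above, that stuffing is hard to detect and that a per-IP attempt cap is sidestepped by spreading attempts across addresses, can be seen in a login log. The Python below is an added illustration, not code from the article or from Verizon: it runs a per-IP lockout and a population-level check over a constructed log; the log format, the address ranges, the lockout cap and the detection thresholds are all assumptions.

```python
"""Compare a per-IP lockout with a population-level credential stuffing check."""
from collections import Counter, defaultdict

# Constructed sample login log (not from the article): (second, source IP, username, outcome).
# Legitimate traffic: a couple of users mistype their own password, then succeed.
LOGIN_LOG = [
    (1, "198.51.100.7", "alice", "fail"),
    (4, "198.51.100.7", "alice", "ok"),
    (9, "198.51.100.8", "bob", "fail"),
    (12, "198.51.100.8", "bob", "fail"),
    (15, "198.51.100.8", "bob", "ok"),
]
# Stuffing traffic: 8 source addresses, each trying 4 different leaked usernames once,
# so every address stays below the assumed per-IP lockout cap.
for i in range(8):
    for j in range(4):
        LOGIN_LOG.append((20 + i * 4 + j, f"203.0.113.{i + 1}", f"user{i * 4 + j:03d}", "fail"))

PER_IP_CAP = 5  # assumed lockout: block an address after more than 5 failures


def ips_over_cap(log, cap=PER_IP_CAP):
    """Classic control: the set of addresses with more than `cap` failed logins."""
    fails = Counter(ip for _, ip, _, res in log if res == "fail")
    return {ip for ip, n in fails.items() if n > cap}


def stuffing_indicators(log):
    """Indicators computed over all failures rather than per address."""
    failed = [(ip, user) for _, ip, user, res in log if res == "fail"]
    users_per_ip = defaultdict(set)
    for ip, user in failed:
        users_per_ip[ip].add(user)
    attempts_per_user = Counter(user for _, user in failed)
    if not attempts_per_user:  # no failures at all: nothing to flag
        return {"failed_logins": 0, "distinct_failed_users": 0,
                "single_try_share": 0.0, "max_users_per_ip": 0}
    # A real user retries the same account; stuffing tries each leaked pair once.
    single_try_users = sum(1 for n in attempts_per_user.values() if n == 1)
    return {
        "failed_logins": len(failed),
        "distinct_failed_users": len(attempts_per_user),
        "single_try_share": single_try_users / len(attempts_per_user),
        "max_users_per_ip": max(len(s) for s in users_per_ip.values()),
    }


def is_credential_stuffing(log, min_users=20, min_single_share=0.8, min_users_per_ip=3):
    """Assumed thresholds: many distinct accounts failing, mostly once each, several per IP."""
    ind = stuffing_indicators(log)
    return (ind["distinct_failed_users"] >= min_users
            and ind["single_try_share"] >= min_single_share
            and ind["max_users_per_ip"] >= min_users_per_ip)
```

On the sample log `ips_over_cap` returns an empty set while `is_credential_stuffing` returns True; the per-IP control sees nothing because no single address ever exceeds the cap.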

Preventing credential stuffing

The easiest way to avoid becoming a victim of credential stuffing is to stop reusing passwords. Password managers are abundant and user-friendly, but despite their ubiquity, fewer than 25% of people use them—and many who do probably don't use the feature that autogenerates secure passwords.

Website operators can protect themselves by employing multi-factor authentication, which uses a secondary form of identity verification, such as a unique code texted to a cellphone. Multi-factor authentication can prevent 99.9% of account compromise attacks, Microsoft says, but adoption has been slow.

LastPass estimates that 57% of global businesses use multi-factor authentication, but many organizations don't require it because they do not want to inconvenience customers. Threatpost reported that more than three-quarters of Microsoft 365 administrators don't enable the built-in multi-factor authentication option—an alarming figure considering that many of those accounts are behind corporate firewalls.

Consumers can use tools such as Have I Been Pwned? to learn whether their accounts have been compromised. Website operators should advise their customers against reusing passwords and persuade them to adopt multi-factor authentication and single-use login credentials.

Tighten your organization’s defenses by using Verizon's security assessment tool to get a personalized security rating.