Credential Stuffing

A credential stuffing attack is a cyber attack method in which stolen account credentials consisting of usernames, email addresses, and passwords are used to gain unauthorized access to user accounts. The attack uses bots for large-scale automated login requests directed against a web application and is based on the assumption that many users reuse usernames and passwords across multiple websites. Credential stuffing is one of the most common techniques used to overtake user accounts.

How credential stuffing attacks work

  1. The attacker obtains usernames and passwords via a website breach or password dump site.
  2. The attacker uses an account checker to test the stolen credentials against websites such as social media websites or online marketplaces.
  3. Of the tested stolen credentials, approximately 0.1-0.2% are successful. Successful logins allow the attacker to overtake the account matching the credentials.
  4. The account is then drained of any stored value, credit card numbers, and other personally identifiable information. In addition, the attacker can send spam or create further transactions from the hacked account.

Credential stuffing vs. brute force attack

Credential stuffing is similar to a brute force attack, which is when an attacker submits many passwords with the hope of eventually guessing correctly. It uses trial and error to guess at login information. Some categorize credential stuffing as a form of brute force attacks, and while they are similar, there are differences between the two.

Brute force attacks guess at credentials with no context and only succeed if users choose simple, guessable passwords. The success rate for these attacks are much lower. Credential stuffing uses exposed data, which dramatically reduces the number of possible correct credentials. Brute force attacks can be combated by a strong password, but password strength does not protect against credential stuffing.

Credential stuffing prevention

It’s quite simple to protect against a credential stuffing attack. Users should always use a unique password for each service that requires login credentials. This can be managed by using a password manager. If a different password is used for each account, credential stuffing will not work because the underlying assumption is that the passwords are all the same. As an added measure of security, users should enable multi-factor authentication when possible.

Webopedia Staff
Webopedia Staff
Since 1995, more than 100 tech experts and researchers have kept Webopedia’s definitions, articles, and study guides up to date. For more information on current editorial staff, please visit our About page.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Related Articles

Virtual Private Network (VPN)

A virtual private network (VPN) encrypts a device's Internet access through a secure server. It is most frequently used for remote employees accessing a...

Gantt Chart

A Gantt chart is a type of bar chart that illustrates a project schedule and shows the dependency between tasks and the current schedule...

Input Sanitization

Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and...

IT Asset Management Software

IT asset management software (ITAM software) is an application for organizing, recording, and tracking all of an organization s hardware and software assets throughout...

ScalaHosting

ScalaHosting is a leading managed hosting provider that offers secure, scalable, and affordable...

HRIS

Human resources information system (HRIS) solutions help businesses manage multiple facets of their...

Best Managed Service Providers...

In today's business world, managed services are more critical than ever. They can...