What is Credential Stuffing?
What is credential stuffing?
Credential stuffing is a form of cyberattack that involves using stolen login credentials to access other unrelated services and applications. To carry out a credential stuffing attack, cybercriminals obtain a list of stolen credentials and input them into a bot. The bot then begins automated login attempts across various websites. Once the hacker successfully infiltrates a site using the credentials, they begin stealing personal data for fraudulent activity.
Statistically speaking, credential stuffing has an extremely low success rate of only 0.1%. But it’s one of the most common cyberattacks because hackers play the volume game—using millions or even billions of login credentials—to increase their odds of infiltrating accounts.
Credential stuffing attacks have become so prevalent that they now account for 34% of all login attempts. With an abundance of online credentials circulating the dark web at any moment, credential stuffing poses one of the greatest cybersecurity risks for both individuals and corporations.
The going rate hackers pay for stolen accounts varies based on the value and type of account. Below is a breakdown of average cost per account:
- Cloned Mastercard or Visa with pin: $25
- Cloned American Express with pin: $35
- Account balances up to $1000: $150
- Account balances up to $5000: $240
- Stolen bank credentials with minimum of $2000 in account: $120
How does credential stuffing work?
Credential stuffing is a simple, straightforward cyberattack. Here is an overview of the process:
- Hackers obtain a list of stolen login credentials from a former data breach off the dark web.
- Hackers input the credentials into a bot that automates login attempts across various, unrelated applications and websites.
- If a login attempt is successful, the hacker can then start using the credentials for more nefarious activities, such as account takeover, business email compromise (BEC), etc.
Sophisticated hackers also often use large-scale botnet attacks, which cause traffic surges that overwhelm the IT infrastructure of the particular service.
Credential stuffing is a rising threat due to several factors at play:
Expansion of online accounts: The growth of online services and applications has rapidly expanded the volume of online credentials hackers can exploit. Unfortunately, so has the onslaught of data breaches to obtain them. Expect this only to increase as bots become smarter.
Bot sophistication: Credential stuffing bots have grown more sophisticated over time, only adding to the security threats. Bots now attempt only one login per username-and-password pair, so they stay below the failed-attempt thresholds that would otherwise trigger account lockouts or alerts.
Ease of execution: Credential stuffing is one of the easier cyberattacks to perform. The skill set required is low, and thus attractive to many cybercriminals. The hacker needs to be able to purchase a list of breached credentials from the dark web and run the bot program to execute the attack.
Limited detection capabilities: Because bot login attempts use legitimate credentials and mimic normal user traffic, an attack can be hard to detect while it is happening, and therefore hard to stop.
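The detection difficulty described above is real, but the one-attempt-per-credential behaviour is itself a signature. As an added example (not code from the original article), the following Python script runs the kind of check a defender can apply to authentication logs: it flags any source that cycles through many distinct usernames, tries each exactly once, and succeeds almost never. The log line format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example for this article; it is not code from the original page.
Assumptions: log lines have the constructed shape
    <timestamp> src=<ip> user=<username> result=<success|failure>
and the thresholds below are illustrative starting points, not tuned values.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. 198.51.100.7 behaves like a stuffing bot: many
# distinct usernames, exactly one try each, almost all failing. 203.0.113.5
# behaves like a person mistyping their own password before getting in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 user=alice result=failure
2024-05-01T10:00:02Z src=198.51.100.7 user=bob result=success
2024-05-01T10:00:02Z src=198.51.100.7 user=carol result=failure
2024-05-01T10:00:03Z src=198.51.100.7 user=dave result=failure
2024-05-01T10:00:03Z src=198.51.100.7 user=erin result=failure
2024-05-01T10:00:04Z src=198.51.100.7 user=frank result=failure
2024-05-01T10:00:04Z src=198.51.100.7 user=grace result=failure
2024-05-01T10:00:05Z src=198.51.100.7 user=heidi result=failure
2024-05-01T10:00:05Z src=198.51.100.7 user=ivan result=failure
2024-05-01T10:00:06Z src=198.51.100.7 user=judy result=failure
2024-05-01T10:00:06Z src=198.51.100.7 user=mallory result=failure
2024-05-01T10:00:07Z src=198.51.100.7 user=oscar result=failure
2024-05-01T10:01:10Z src=203.0.113.5 user=peggy result=failure
2024-05-01T10:01:25Z src=203.0.113.5 user=peggy result=failure
2024-05-01T10:01:40Z src=203.0.113.5 user=peggy result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=10,
                          max_success_rate=0.2, min_single_try_share=0.9):
    """Return {source_ip: stats} for sources whose traffic looks like stuffing.

    The signature combines the three traits the article describes: a single
    source cycling through many different accounts, one attempt per account
    (to stay under per-account failure limits), and a very low success rate.
    """
    by_source = defaultdict(list)
    for event in events:
        by_source[event["src"]].append(event)

    flagged = {}
    for src, evs in by_source.items():
        tries_per_user = Counter(e["user"] for e in evs)
        distinct_users = len(tries_per_user)
        if distinct_users < min_distinct_users:
            continue  # too few accounts touched to look like a spray
        successes = sum(1 for e in evs if e["result"] == "success")
        success_rate = successes / len(evs)
        single_try_share = sum(1 for n in tries_per_user.values() if n == 1) / distinct_users
        if success_rate <= max_success_rate and single_try_share >= min_single_try_share:
            flagged[src] = {
                "attempts": len(evs),
                "distinct_users": distinct_users,
                "successes": successes,
                "success_rate": round(success_rate, 3),
                # Accounts the bot got into are the ones to reset and review first.
                "compromised": sorted(e["user"] for e in evs if e["result"] == "success"),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The per-source grouping is what makes this work: each individual attempt looks like an ordinary failed login, and only the aggregate (twelve different accounts, one try each, one hit) reveals the bot. In production the same logic would be run over a sliding time window and the thresholds tuned against normal traffic, since a shared office NAT address also produces many distinct usernames from one source.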
Examples of data breaches used for credential stuffing
Over the past decade, there’s been a significant uptick in data breaches. In fact, the global cost of data breaches reached its highest level on record in 2022.
Expect these numbers to continue to rise as the artificial intelligence and bot programs used to execute these attacks increase in sophistication. Below are some of the most infamous data breaches to date:
Consequence of credential stuffing exposure
The consequences of credential stuffing are severe. Hackers gain access to a user’s personal information and can use it for a variety of purposes, including:
- Selling access to a user’s account.
- Making fraudulent online purchases.
- Carrying out subsequent phishing, spear phishing, or ransomware attacks.
Credential stuffing protection
As data breaches and credential stuffing become more widespread, individuals and organizations must take the necessary steps to protect their data.
For individuals—it’s important to use unique usernames and strong passwords for each service used. Password managers can provide helpful assistance by generating and storing strong passwords for all your accounts.
For organizations—it’s important to have employees frequently update their passwords and to use additional security measures such as firewalls, anti-virus software and endpoint detection.
Lastly, both individuals and organizations should consider using multi-factor authentication whenever possible.
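On the organizational side, the advice above can be backed by a control at the login endpoint itself. As an added example (not from the original article), here is a small server-side login gate in Python that blocks a source once it has touched too many distinct accounts within a short window and requires a second factor on any account that has accumulated recent failures, which pairs the multi-factor authentication recommendation with a throttle aimed at the one-attempt-per-account pattern. The thresholds, the window length and the in-memory counters are assumptions chosen for illustration.

```python
"""Server-side login gate that throttles credential stuffing.

Added example for this article; it is not code from the original page.
Assumptions: the thresholds and window are illustrative, the counters live
in process memory (a real service would share them across instances), and
the caller verifies the password itself and reports the outcome via record().
"""
import time
from collections import defaultdict, deque


class LoginGate:
    """Decide, before the password is checked, how to treat a login request."""

    def __init__(self, window_s=300, max_users_per_source=5,
                 max_failures_per_account=10, now=time.monotonic):
        self.window_s = window_s
        self.max_users_per_source = max_users_per_source
        self.max_failures_per_account = max_failures_per_account
        self.now = now  # injectable clock so the policy can be tested offline
        self._source_attempts = defaultdict(deque)   # src -> deque of (t, username)
        self._account_failures = defaultdict(deque)  # username -> deque of (t, src)

    def _prune(self, dq, t):
        """Drop entries older than the sliding window."""
        while dq and dq[0][0] <= t - self.window_s:
            dq.popleft()

    def check(self, src, username):
        """Return 'allow', 'mfa' or 'block' for this (source, account) pair.

        'block' targets the stuffing pattern: one source spraying many
        different accounts. 'mfa' protects an account that is under pressure
        from anywhere, so a guessed password alone is not enough to get in.
        """
        t = self.now()
        attempts = self._source_attempts[src]
        self._prune(attempts, t)
        failures = self._account_failures[username]
        self._prune(failures, t)

        touched = {user for _, user in attempts}
        if username not in touched and len(touched) >= self.max_users_per_source:
            return "block"
        if len(failures) >= self.max_failures_per_account:
            return "mfa"
        return "allow"

    def record(self, src, username, success):
        """Feed back the outcome of a password check so the counters stay current."""
        t = self.now()
        self._source_attempts[src].append((t, username))
        if not success:
            self._account_failures[username].append((t, src))


def demo():
    """Walk a constructed scenario through the gate; returns the decisions made."""
    clock = [0.0]
    gate = LoginGate(window_s=60, max_users_per_source=3,
                     max_failures_per_account=2, now=lambda: clock[0])
    decisions = []
    # A stuffing bot at 198.51.100.7 tries three different accounts, then a fourth.
    for user in ("alice", "bob", "carol", "dave"):
        decision = gate.check("198.51.100.7", user)
        decisions.append((user, decision))
        if decision != "block":
            gate.record("198.51.100.7", user, success=False)
    # Two failures against one account from different sources put it on MFA.
    gate.record("203.0.113.5", "victim", success=False)
    gate.record("203.0.113.9", "victim", success=False)
    decisions.append(("victim", gate.check("203.0.113.5", "victim")))
    # After the window passes, the bot source is no longer blocked.
    clock[0] += 61
    decisions.append(("dave-later", gate.check("198.51.100.7", "dave")))
    return decisions


if __name__ == "__main__":
    for user, decision in demo():
        print(f"{user}: {decision}")
```

Two design points matter here. The source-level limit counts distinct usernames rather than failed attempts, because a stuffing bot that tries each account only once never trips a per-account failure counter. The account-level response is a step-up to a second factor rather than a hard lockout, so an attacker cannot use the throttle itself to lock legitimate users out of their accounts.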