In a credential stuffing attack, collections of stolen login credentials from one service are used to attempt to break into accounts on various other services.
After reading this article you will be able to:
Related Content
Brute force attack
Buffer overflow attack
On-path attack
Phishing attack
What is a social engineering attack?
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Credential stuffing is a cyber attack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service.
For example, an attacker may take a list of usernames and passwords obtained from a breach of a major department store, and use the same login credentials to try and log in to the site of a national bank. The attacker is hoping that some fraction of those department store customers also have an account at that bank, and that they reused the same usernames and passwords for both services.
Credential stuffing is widespread thanks to massive lists of breached credentials being traded and sold on the black market. The proliferation of these lists, combined with advancements in credential stuffing tools that use bots to get around traditional login protections, have made credential stuffing a popular attack vector.
Statistically speaking, credential stuffing attacks have a very low rate of success. Many estimates have this rate at about 0.1%, meaning that for every thousand accounts an attacker attempts to crack, they will succeed roughly once. The sheer volume of the credential collections being traded by attackers makes credential stuffing worth it, in spite of the low success rate.
These collections contain millions and in some cases billions of login credentials. If an attacker has one million sets of credentials, this could yield around 1,000 successfully cracked accounts. If even a small percentage of the cracked accounts yields profitable data (often in the form of credit card numbers or sensitive data that can be used in phishing attacks), then the attack is worthwhile. On top of that, the attacker can repeat the process using the same sets of credentials on numerous different services.
Advances in bot technology also make credential stuffing a viable attack. Security features built into web application login forms often include deliberate time delays and banning the IP addresses of users who have repeated failed login attempts. Modern credential stuffing software circumvents these protections by using bots to simultaneously attempt several logins that appear to come from a variety of device types and originate from different IP addresses. The malicious bot's goal is to make the attacker’s login attempts indistinguishable from typical login traffic, and it’s very effective.
Often times the only indication the victimized company has that they are being attacked is the rise in the overall volume of login attempts. Even then, the victimized company will have difficulty stopping these attempts without impacting the ability of legitimate users to log in to the service.
The main reason that credential stuffing attacks are effective is that people reuse passwords. Studies suggest that a majority of users, by some estimates as high as 85%, reuse the same login credentials for multiple services. As long as this practice continues, credential stuffing will remain fruitful.
OWASP categorizes credential stuffing as a subset of brute force attacks. But, strictly speaking, credential stuffing is very different from traditional brute force attacks. Brute force attacks attempt to guess passwords with no context or clues, using characters at random sometimes combined with common password suggestions. Credential stuffing uses exposed data, dramatically reducing the number of possible correct answers.
A good defense against brute force attacks is a strong password consisting of several characters and including uppercase letters, numbers, and special characters. But password strength does not protect against credential stuffing. It doesn’t matter how strong a password is – if it’s shared across different accounts then credential stuffing can compromise it.
From a user’s point of view, defending against credential stuffing is pretty straightforward. Users should always use unique passwords for each different service (an easy way to achieve this is with a password manager). If a user always uses unique passwords, credential stuffing will not work against their accounts. As an added measure of security, users are encouraged to always enable two-factor authentication when it’s available.
Stopping credential stuffing is a more complex challenge for companies who run authentication services. Credential stuffing occurs as a result of data breaches at other companies. A company victimized by a credential stuffing attack has not necessarily had their security compromised.
A company can suggest that its users provide unique passwords but cannot effectively enforce this as a rule. Some applications will run a submitted password against a database of known compromised passwords before accepting the password as a measure against credential stuffing, but this isn’t foolproof – the user could be reusing a password from a service that is yet to be breached.
Providing added login security features can help mitigate credential stuffing. Enabling features like two-factor authentication and requiring users to fill out captchas when logging in both also help stop malicious bots. While these are both features that inconvenience users, many would agree that minimizing the security threat is worth the inconvenience.
The strongest protection against credential stuffing is a bot management service. Bot management uses rate limiting combined with an IP reputation database to stop malicious bots from making login attempts without impacting legitimate logins. Cloudflare Bot Management, which gathers data from 25 million average requests per second routed through the Cloudflare network, can identify and stop credential-stuffing bots with very high accuracy.For organizations that want the same bot-blocking abilities but do not need an enterprise solution, Super Bot Fight Mode is now available on Cloudflare Pro and Business plans. With Super Bot Fight Mode, smaller organizations can take advantage of increased visibility and control over their bot traffic.