What is Credential Stuffing and How to Prevent Credential Stuffing Attacks

Context

Data breaches are becoming more sophisticated every year, largely as a result of the methods criminals use to obtain the login details needed to breach an account. As awareness of malware and phishing techniques rises amongst organizations and individual users, cybercriminals are turning to new ways of gaining access to accounts. One such method is credential stuffing, which is becoming a significant problem for network security teams. This article will explore credential stuffing, why you need to worry about it, and some of the various credential stuffing protection strategies. 

What it is

What is credential stuffing?

  • Credential stuffing involves gathering lists of compromised user login details and then using them to access those same users’ other accounts across various platforms. The process is typically automated.

    Credential stuffing assumes that people re-use the same login details across many different accounts. Unfortunately, this assumption is often correct — a recent Google study found that 52% of people use the same password for multiple online accounts.

    Even more concerning: the same study found that 13% of respondents use the same password for all of their accounts.

    Credential stuffing is a more sophisticated cousin of brute force attacks, which rely on simply guessing a user’s login details by having a bot try enormous numbers of different variations. While brute force attacks are now more preventable, credential stuffing can often succeed even with basic security measures in place.

Why it matters

Why is credential stuffing important?

  • Why should we be worried about credential stuffing attacks? Here are a few main reasons to consider:

    It’s on the rise. Researchers detected 193 billion credential stuffing attacks in 2020. The financial services industry alone experienced an increase of more than 45% year-over-year.

    Credential stuffing succeeds an estimated 0.1% of the time. While this may not seem concerning, it is actually significant when you consider the sheer number of attempts being made: an estimated 193 billion attempts at a 0.1% success rate could result in approximately 193 million successful attacks.

    Even one successful attempt in an organization could cause severe damage and compromise sensitive data. For a company, it can result in the theft of highly confidential business information; for an individual, hackers can access personal information like financial data.

How it works

How do credential stuffing attacks work?

  • There are several steps attackers take in a credential stuffing attack:

    Collect credential data from a wide range of sources. Attackers use a range of methods here, including the results of their own previous breaches and purchasing existing lists from other criminals on the dark web.

    Program bots to automate multiple login attempts across different platforms and services online. While this step can be carried out by humans, bots allow a much greater level of scale to maximize the odds of success.

    Monitor the process, and when a successful login attempt is made, breach the account and steal any valuable data such as financial information. Hackers also commonly sell lists of confirmed login details to other criminals.

Prevention

How to prevent credential stuffing

While credential stuffing is a legitimate cause for concern for individuals and organizations, the good news is that there are many reliable credential stuffing protection strategies. Here are some of the most common and effective ways to defend against credential stuffing attacks.

  • Multi-factor authentication

    Multi-factor authentication requires users to validate their login through a secondary method. It could be a previously set security question or a secondary device like a smartphone. While MFA is not 100% foolproof, the potential hacker typically won’t have access to this information or device, so they won’t be able to complete the login and gain access.

  • Blacklist suspicious IP addresses

    You may opt to block or ban IP addresses that engage in suspicious behavior, like trying to log into multiple accounts.

  • Adopt stricter login practices

    Organizations often prevent their users from using commonly re-used login credentials. For example, people typically use their email as a username across multiple platforms online, so prohibiting that practice reduces the likelihood of a successful credential stuffing attack.

  • Monitor activity and look out for red flags

    By monitoring the traffic in your network, you can detect suspicious or abnormal activity and take steps to stop credential stuffing before it succeeds. One example is logging multiple login attempts from very different geographical locations in a short space of time.
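The geographic red flag just described is usually implemented as an "impossible travel" check: for each user, compare the location of every successful login with the previous one and flag any pair that would have required moving faster than an aircraft. The block below is an added example, not code from this article or from AT&T. The log format, the IP-to-coordinate table (a constructed stand-in for a GeoIP database, using RFC 5737 documentation addresses) and the 900 km/h threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed stand-in for a GeoIP database: RFC 5737 documentation addresses
# mapped to (latitude, longitude). A real deployment queries a GeoIP provider here.
GEO = {
    "203.0.113.5": (40.7128, -74.0060),   # New York
    "198.51.100.9": (35.6762, 139.6503),  # Tokyo
    "192.0.2.20": (51.5074, -0.1278),     # London
    "192.0.2.21": (48.8566, 2.3522),      # Paris
}

# Constructed sample authentication log, one event per line:
# "<ISO-8601 UTC timestamp> <user> <source IP> <outcome>"
SAMPLE_LOG = """\
2024-03-01T10:00:00Z alice 203.0.113.5 login_ok
2024-03-01T10:05:00Z bob 192.0.2.20 login_ok
2024-03-01T11:00:00Z alice 198.51.100.9 login_ok
2024-03-01T11:30:00Z carol 192.0.2.20 login_failed
2024-03-01T13:05:00Z bob 192.0.2.21 login_ok
"""

# Anything faster than a commercial airliner is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_log(text):
    """Parse the constructed log format into (time, user, ip, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def impossible_travel(text, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive pair of successful logins that implies an implausible speed.

    Each alert is (user, previous_ip, current_ip, distance_km, implied_kmh). Failed
    attempts are ignored: only a login that succeeded actually places the user somewhere.
    IPs with no known location are skipped here; a real system would treat that as its own signal.
    """
    last_seen = {}  # user -> (time, ip) of the most recent successful login
    alerts = []
    for when, user, ip, outcome in parse_log(text):
        if outcome != "login_ok" or ip not in geo:
            continue
        if user in last_seen:
            prev_when, prev_ip = last_seen[user]
            km = haversine_km(geo[prev_ip], geo[ip])
            hours = (when - prev_when).total_seconds() / 3600.0
            # Two distant logins at the same instant is the extreme case: infinite speed.
            implied = float("inf") if hours <= 0 else round(km / hours)
            if km > 0 and implied > max_kmh:
                alerts.append((user, prev_ip, ip, round(km), implied))
        last_seen[user] = (when, ip)
    return alerts


if __name__ == "__main__":
    for user, prev_ip, ip, km, kmh in impossible_travel(SAMPLE_LOG):
        print(f"impossible travel: user={user} {prev_ip} -> {ip}, {km} km at {kmh} km/h")
```

On the constructed log, alice's New York login followed an hour later by one from Tokyo is flagged, while bob's London-to-Paris pair three hours apart is not. In practice the same check is run against the IP's autonomous system and VPN/proxy flags as well, since shared VPN exits produce both false positives and false negatives for pure distance-based logic.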

  • Place a limit on failed login requests

    Limiting the number of failed login attempts for each account can be an effective way to slow down or prevent credential stuffing attacks. For example, if a user fails to log in three times consecutively, the account can be blocked for an hour and an email sent to alert the account owner.

    (Further reading: Credential harvesting: Is it too big of an attack or can you fight back?)

    For an even stricter approach, you can freeze the account after a certain number of failed attempts and require the user to re-activate it in person.
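The following is an added example, not code from this article or from AT&T, that puts two of the controls above into one component: the per-account lockout from this section (three consecutive failures lock the account for an hour and raise an alert that stands in for the e-mail to the owner) and the IP-level block from "Blacklist suspicious IP addresses" (one source address trying more than a set number of distinct accounts within a short window). The thresholds, the `LoginGuard` class and its alert list are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Policy thresholds (assumed values for illustration; the three-strike rule and
# the one-hour lock follow the text above).
LOCK_AFTER = 3             # consecutive failures that lock an account
LOCK_SECONDS = 3600        # lockout duration: one hour
IP_ACCOUNTS_LIMIT = 5      # distinct accounts one IP may try per window
IP_WINDOW_SECONDS = 600    # sliding window for the per-IP count


class LoginGuard:
    """Tracks login attempts and enforces per-account lockout plus per-IP blocking.

    Timestamps are plain Unix seconds supplied by the caller so the logic is
    deterministic and testable.
    """

    def __init__(self):
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock time
        self.ip_attempts = defaultdict(deque)   # ip -> deque of (time, account)
        self.blocked_ips = set()
        self.alerts = []                        # stand-in for e-mail / SIEM alerts

    def _distinct_accounts(self, ip, now):
        """Accounts tried from this IP inside the sliding window (older entries are dropped)."""
        window = self.ip_attempts[ip]
        while window and window[0][0] < now - IP_WINDOW_SECONDS:
            window.popleft()
        return {account for _, account in window}

    def attempt(self, now, ip, account, check_password):
        """Record one attempt and return 'ip_blocked', 'locked', 'ok' or 'failed'.

        `check_password` is a zero-argument callable that performs the real
        password check. It is only invoked once the IP and account state allow an
        attempt, so a locked account reveals nothing about whether the password
        supplied was correct.
        """
        if ip in self.blocked_ips:
            return "ip_blocked"
        self.ip_attempts[ip].append((now, account))
        if len(self._distinct_accounts(ip, now)) > IP_ACCOUNTS_LIMIT:
            self.blocked_ips.add(ip)
            self.alerts.append(("ip_blocked", ip))
            return "ip_blocked"
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if check_password():
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCK_AFTER:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0
            self.alerts.append(("account_locked", account))  # e-mail the owner here
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(4):
        print(t, guard.attempt(t, "203.0.113.7", "alice", lambda: False))
    print(guard.alerts)
```

Two design points matter here. The lock is checked before the password, so an attacker cannot use a locked account as an oracle for whether a credential pair is valid. And because lockouts can be turned against you (a flood of deliberate failures locks legitimate users out), the alert is what makes this control useful: it tells the owner and the security team that someone is working the account, rather than silently denying service.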

  • Cross-reference credentials

    An organization can use specific software or websites to check whether a user’s login details have appeared in databases of compromised credentials, such as those shared on the dark web. If there is a match, you can alert the user so they can change their details. As part of good security hygiene, users can and should do this themselves for both work and personal login credentials.

    (Further reading: 7 ways to defend against a credential stuffing attack.)
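The check described in this section is normally done without handing the full credential to anyone: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every suffix in that range, and compares locally (the k-anonymity range query popularised by the Pwned Passwords API). The block below is an added example, not code from this article, from AT&T or from any real lookup service; both halves of the exchange run offline against a constructed list of breached passwords, and the class and function names are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus. Only hashes go into the index; a real service never
# stores or receives plaintext. "password" is listed twice so the count is visible.
CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "letmein", "password", "welcome1"]


def sha1_hex(text):
    """Upper-case hex SHA-1, the digest the range-query scheme is built on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class RangeIndex:
    """Server side: 5-hex-char prefix -> {35-char suffix: number of breach occurrences}."""

    def __init__(self, plaintexts):
        self.buckets = defaultdict(dict)
        for pw in plaintexts:
            digest = sha1_hex(pw)
            bucket = self.buckets[digest[:5]]
            bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1

    def range(self, prefix):
        """The only thing the server ever learns is this 5-character prefix."""
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return dict(self.buckets.get(prefix.upper(), {}))


def breach_count(index, candidate):
    """Client side: hash locally, send the prefix only, compare the suffix locally.

    Returns how many times the candidate appears in the corpus (0 if never).
    """
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    return index.range(prefix).get(suffix, 0)


def password_change_allowed(index, new_password):
    """Policy hook for a password-change form: (allowed, occurrences)."""
    n = breach_count(index, new_password)
    return (n == 0, n)


if __name__ == "__main__":
    idx = RangeIndex(CONSTRUCTED_BREACHED)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", password_change_allowed(idx, pw))
```

Running the same check at password-change time (rather than only on a schedule) is what stops a user from re-introducing a known-breached password. The same range-query shape works for usernames and e-mail addresses when the question is whether an account identifier, rather than a password, has shown up in a dump.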

Solutions

We can help you take control of your security with cybersecurity solutions and services

Threats like credential stuffing can keep you up at night, but with the right security measures in place, they can be prevented and mitigated. Learn more about how to keep your security as tight as possible: from cybersecurity consulting services to endpoint security and threat detection and response, we can help you detect and respond to threats before they impact your business.
