// THREAT DETECTION AND DATA PRIVACY TERM

Credential Stuffing

Credential stuffing is a cyberattack where criminals use stolen lists of usernames and passwords from one data breach to try and log into other online services, hoping users have reused their login details.

TECHNICAL DEFINITION

Credential stuffing is a type of cyberattack that leverages automated bots to attempt logins across multiple online services using large lists of previously compromised username-password pairs, exploiting password reuse by users to gain unauthorized access to accounts.

BACKGROUND

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically lists of usernames or email addresses with their corresponding passwords, and uses them to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing does not brute-force or guess passwords: the attacker simply replays a large number of previously discovered credential pairs, each usually tried once per target site, using standard web automation tools such as Selenium, cURL or PhantomJS, or tools built specifically for these attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. Because every pair is a real credential from a prior breach, even a low success rate (typically a fraction of a percent) yields working accounts when the list contains millions of entries.
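The distinction above has a practical consequence for detection: credential cracking shows up as many failed attempts against one username, while credential stuffing shows up as many distinct usernames each tried about once from the same source, with a few successes mixed in. The following is an added example, not code from the glossary or from any vendor listed on this page. The log format (timestamp, source IP, username, result), the field order, and the thresholds are assumptions for the illustration, and the log lines are constructed.

```python
"""Classify login sources as credential stuffing vs. credential cracking.

Added illustration; the log format, thresholds and sample data are assumed,
not taken from any real product or incident.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed tuning knobs: below MIN_ATTEMPTS we do not judge a source at all.
MIN_ATTEMPTS = 6
# Stuffing signature: nearly every attempt uses a different username.
STUFFING_USER_RATIO = 0.8

# Constructed sample log: "<timestamp> <src_ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol@example.com OK
2024-05-01T10:00:02Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2024-05-01T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2024-05-01T10:00:05Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:06Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:07Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:08Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:09Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:10Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:11Z 192.0.2.44 bob@example.com FAIL
2024-05-01T10:00:20Z 192.0.2.44 bob@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: List[str] = field(default_factory=list)  # usernames that logged in


def parse_line(line: str):
    """Split one log line into (src_ip, username, succeeded)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"


def collect(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return dict(stats)


def classify(log_text: str) -> Dict[str, str]:
    """Return a verdict per source IP based on the username-cardinality pattern."""
    verdicts: Dict[str, str] = {}
    for ip, s in collect(log_text).items():
        if s.attempts < MIN_ATTEMPTS:
            verdicts[ip] = "benign"          # too little volume to judge
            continue
        user_ratio = len(s.users) / s.attempts
        if user_ratio >= STUFFING_USER_RATIO:
            verdicts[ip] = "credential-stuffing"   # one try per credential pair
        elif len(s.users) == 1:
            verdicts[ip] = "credential-cracking"   # many guesses, one account
        else:
            verdicts[ip] = "suspicious"            # e.g. password spraying
    return verdicts


def compromised_accounts(log_text: str) -> List[str]:
    """Usernames that logged in successfully from a source judged to be stuffing.

    These are the accounts to force a password reset and session revocation on.
    """
    stats = collect(log_text)
    verdicts = classify(log_text)
    hits: List[str] = []
    for ip, verdict in verdicts.items():
        if verdict == "credential-stuffing":
            hits.extend(stats[ip].successes)
    return hits


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip:14} {verdict}")
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

On the constructed sample, 203.0.113.7 is flagged as credential stuffing (eight distinct usernames in eight attempts, one success) and 198.51.100.9 as credential cracking (six attempts against a single account). The caveat a practitioner should keep in mind: the tools listed above typically rotate through large proxy lists, so a real campaign is spread over thousands of source IPs and per-IP counting alone misses it. The same cardinality logic works better when keyed on a fingerprint that survives proxy rotation (TLS/HTTP fingerprint, device or session token), or applied globally as a ratio of failed logins across distinct usernames per time window.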


SYNONYMS & ALIASES

  • Password reuse attack
  • Account takeover (ATO) attempt
  • Login stuffing
  • Brute-force attack (loose usage only; unlike credential cracking, stuffing replays known pairs rather than guessing passwords)

USAGE NOTE

This attack is one of the most common paths to account takeover (ATO). It depends entirely on password reuse: a stolen pair only works on a second service if the user chose the same password there, which is why unique passwords, breached-password screening at login, and multi-factor authentication remove most of its effect.

DEVELOPERS

Organizations developing technology related to Credential Stuffing.

  • Akamai Technologies

    Akamai offers advanced bot management and web application and API protection (WAAP) solutions that detect and mitigate automated attacks like credential stuffing, preventing account takeover.

  • Cloudflare

    Cloudflare provides bot management and web application firewall (WAF) services that identify and block malicious bots attempting credential stuffing attacks before they can access user accounts.

  • F5 (Shape Security)

    F5, through its acquisition of Shape Security, offers leading anti-bot and fraud prevention solutions specifically designed to detect and stop credential stuffing and account takeover attacks at scale.

  • Imperva

    Imperva's application security platform includes advanced bot protection and a web application firewall (WAF) to defend against automated threats like credential stuffing and account takeover.

  • DataDome

    DataDome specializes in AI-powered bot and online fraud protection, effectively blocking credential stuffing attacks and preventing account takeover in real time across websites, mobile apps, and APIs.

  • Sift

    Sift's Digital Trust & Safety platform leverages machine learning to detect and prevent various forms of online fraud, including account takeover resulting from credential stuffing attacks.

  • HUMAN Security

    HUMAN Security (formerly White Ops and having acquired PerimeterX) provides bot mitigation and fraud prevention solutions that protect enterprises from automated attacks, including sophisticated credential stuffing campaigns.

  • Microsoft

    Microsoft's Azure Active Directory Identity Protection (now Microsoft Entra ID Protection) offers capabilities such as risk-based conditional access, multi-factor authentication, leaked-credential detection, and sign-in anomaly detection to identify and prevent account compromise from credential stuffing.

RELATED TERMS IN THREATS & ATTACKS