What Is Credential Stuffing?

Credential stuffing is one of the most common causes of data breaches because most people reuse their login credentials.


Jan 20,2023

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

Every web service we use or want to use will require us to have login credentials. Each login credential should have its own strong and unique password so that nobody can guess it. On average, a person has 100 passwords, and it’s impossible to remember all of them. That is why most people reuse passwords, and cybercriminals know that. 

If cybercriminals get a hold of user credentials, they’ll try to use them in a credential stuffing attack. So, what is credential stuffing? We’ll answer that question in this article, explain how credential stuffing attacks happen, and how you can protect yourself. 

The Credential Stuffing Definition

The Open Web Application Security Projects (OWASP) says that a credential stuffing attack is when many login attempts are made to check if stolen login credentials are still valid. By stolen login credentials, the OWASP means compromised databases made publicly available by the attacker or obtained from the dark web. Such leaks usually contain numerous usernames and passwords. 

Credential stuffing is possible only because people keep re-using their passwords on multiple, if not all of their accounts. Cybercriminals use various methods to gain unauthorized access, and credential stuffing is only one of them. Luckily, these attacks are easily preventable, but we’ll get to that later. For now, let’s cover how these attacks work. 

How Credential Stuffing Attack Works

Before any attacks are launched, the cybercriminal must obtain a compromised database. As stated before, some are publicly available if you know where to look, while others are sold on the dark web. Some online services allow you to check whether your email address was a part of any known breach

When a cybercriminal obtains the database, the next step is setting up bots or using an existing botnet to launch multiple attacks. Because a botnet can overwhelm a website in what is known as a DDoS attack, it must be configured appropriately to remain undetected. 

With only a handful of bots, the impact on a website would be negligible, but that makes a botnet harder to detect, though still not impossible to stop. 

As part of a credential stuffing attack, the bots would try to use the login credentials provided from the database to access various web services. To avoid detection, they would try the same login credentials on multiple web services simultaneously and use fake IP addresses to mask the attempts.

When the attempt is successful, the cybercriminal will be informed. From then on, they can use the compromised account to gain additional information or steal funds or confidential data. They can also simply retain it for future use or offer particularly valuable details on the dark web.

Credential Stuffing vs. Brute Force Attacks

The methods used for credential stuffing may look the same as a brute force attack or a dictionary attack, but there are some key differences. 

A brute force attack tries to guess the password seemingly at random, using a trial and error method. The guesses may seem random, but most cybercriminals will create a pattern. In comparison, a dictionary attack will systematically try every word from an especially crafted dictionary (hence the name) containing all words the attacker identifies as possible passwords.

The main difference between dictionary and credential stuffing attacks is that with the latter, a cybercriminal already has credentials; they don’t have to guess the password. In a way, it’s like a reverse dictionary attack - the password is already known, and now they need to figure out where else it works.

There is one thing that all the types of attacks share, and that is that they are easily preventable with multi-factor authentication (MFA).

How To Prevent Credential Stuffing Attacks

As stated earlier in this article, preventing credential stuffing from happening isn’t that hard. Users can take certain prevention measures, while the companies that operate web services can implement specific protections to stop hackers from breaching their databases.

How Users Can Prevent Credential Stuffing

Credential stuffing became a problem because users kept reusing passwords, so using unique and strong login credentials is essential. It can be troublesome to remember all those passwords, but browsers and password managers can help.

Password Manager  

Statistics show that 53% of people rely on memory to manage all of their passwords

A survey run by Google shows that 52% of users re-use the same password for multiple accounts but not all of them, and 13% use the same password on all of their accounts. At the same time, only 35% use a different password for every occasion. It is this 35% who are considered properly protected from credential stuffing attacks. 

Remembering your complex and unique passwords can be challenging even with just a handful of them, but it’s almost impossible with over 100 different accounts. That is why we now have access to password managers capable of storing our credentials. We only need to remember one complex and unique password so we don’t lose access to our password managing account. 

Multi-Factor Authentication (MFA)

If you don’t want to use password managers, there is another, easier step that you can take - adding multi-factor authentication. MFA is an effective way of preventing credential stuffing because it requests the user to validate the login attempt from another device (in most cases, a mobile phone), account, or a hardware token.  

Since the attacker will typically only have access to your login credentials, this will stop any unauthorized attempt in its tracks. The only downside is that not every web service supports MFA due to concerns about its impact on the customer experience (it takes longer to log into your account).

How Companies Can Prevent Credential Stuffing

Even though credential stuffing attacks happen due to users reusing their passwords, the public and regulatory bodies hold companies accountable if they fail to implement adequate security measures to prevent such attacks from breaching their servers.

They also have to inform the public and authorities when such attacks happen. If they fail to do any of the above, the companies will have to pay fines if the regulating bodies determine that they didn’t do enough to protect their user data. To prevent credential stuffing attacks and any other similar attack from happening, companies have multiple options available to them.

Multi-Factor Authentication (MFA

As mentioned in the user section, the MFA is an effective way of prevention, but not all web services offer it. Therefore, a website can first implement multi-factor or two-factor authentication (2FA) and give its visitors the option of using it. 


CAPTCHA will require anyone to prove that they are human by entering a series of numbers and letters, thwarting any attempts by bots to log in. This type of protection doesn't just ​​prevent credential stuffing attacks but any kind of attack which uses bots to run automatic login scripts.


CAPTCHA example

Because of concerns about their impact on the customer experience, most websites don’t keep them turned on by default. Instead, CAPTCHA screens show up when the website experiences a heavier traffic load, after a few failed login attempts, or at random intervals. 

Unfortunately, cybercriminals can bypass them using headless browsers, but websites can block those from accessing their webpage if they choose.

Multi-Step Login Processes

Multi-step login doesn't prevent attacks but makes them more challenging to perform. It doubles the number of requests the attacker must make, giving the system more time to recognize the login attempt as an attack and act accordingly. 

Require Unpredictable Usernames

Since credential stuffing works because people reuse passwords and usernames, forcing the user to create a unique username would significantly lower the chance of a successful attack. This method would work because the current leaked databases mostly contain email addresses and passwords. 

That said, it would be ill-advised to rely on unique usernames alone. As soon as this became the norm, people would start re-using the usernames across different websites, just like they use the same email for logging into everything. In short, if all websites started requiring only unique logins and didn’t do much else for security, we would soon have the same problem again. 

Credential Hashing

Credential hashing isn’t a credential stuffing prevention method; it’s a more secure way of storing user login credentials. 

It works by hashing the user's credentials before storing them on the website's database. In the event of a successful breach, depending on the type of hash and the cybercriminal's skill, it will either successfully protect user credentials or give users time to change all of their passwords. 

Device Fingerprinting

Device Fingerprinting is a successful credential stuffing prevention method when combined with MFA or CAPTCHA. 

Collecting basic information from the user's machine (operating system, browser, language, region, screen resolution, etc.) makes it possible to create a fingerprint of the device. As long as the machine fingerprint matches, no additional check would be required, but when somebody tries to log in from a different machine, the system will trigger an additional authentication request. 

There is a way to spoof client information by the attacker to create a fake fingerprint, but in that case, we are no longer talking about a credential stuffing attack but a targeted cyber attack.  

Final Thoughts

Instead of relying on companies and web services to protect our login credentials, we should take all the necessary steps to prevent credential stuffing attacks. That includes getting a password manager and enabling MFA on all the accounts where possible. Doing it can be a hassle, but it’s a necessity. It’s better than losing access to your account, private data, or suffering a financial loss. 

What is meant by credential stuffing?

Any cyberattack where an attacker uses a compromised list of login credentials to gain access to any user's accounts on other websites can be considered a credential stuffing attempt.

Is credential stuffing illegal?

Yes, credential stuffing is illegal. It is the same as attempting to enter somebody's house with the set of keys you managed to obtain without approval from the owner.

Is credential stuffing malware?

In the simplest form, malware is software created to cause damage to a computer or a network. For example, worms, viruses, and ransomware are all types of malware. Credential stuffing doesn't use malicious software to cause damage to a PC or a computer network. 

So, what is credential stuffing? Credential stuffing uses bots to try to illegally access a web service account by using a compromised list of login credentials obtained from the dark web. In other words - it’s not malware.

How common is credential stuffing?

Credential stuffing is a common practice done by cybercriminals, but it also has a meager chance of success. Estimate says that for every thousand accounts, the attacker successfully manages to gain access to one account. 

There are no comments yet
Leave your comment

Your email address will not be published.*