Imagine a thief finding a set of dropped car keys in a restaurant, then going vehicle to vehicle in the parking lot trying to find the car that they belonged to. There’s a chance that the owner of the keys didn’t bring their car with them to the restaurant, or that they didn’t park in the parking lot. However, if they did, the thief will sooner or later be able to gain access to their car by using this door-to-door trial and error approach.
This is a simplified, real world equivalent to credential stuffing, a form of cyber attack in which a would-be hacker uses credentials they have obtained from a data breach of one service to try into different services.
For example, if they have usernames and passwords that have been leaked through a data breach of an airline database, they could then try and use them to access popular ecommerce platforms, banks, and other sought-after destinations that would be valuable for a hacker to try and enter. Those users without the proper precautions — such as a web application firewall — may be in trouble.
Also see: How to keep your company data safe from hackers
The details of credential stuffing
Just as with the car scenario, there is no guarantee that these credentials will fit. But by “stuffing” them into as many places as possible, on the off-chance that the user might have an account with that platform, the hacker potentially has the chance of scoring a jackpot: a successful match caused by a user reusing their login details on multiple websites.
These attacks rely on human error in the form of weak passwords and password reuse. They count on the fact that some users will repeat authentication details across multiple platforms. As such, they are very different from traditional brute force attacks, which try to guess passwords by using a combination of random guesses and commonly used passwords. A credential stuffing attack, meanwhile, uses data that has been exposed already.
Credential stuffing attacks have an extremely low success rate, estimated at around 0.1%. That means that it would take one thousand attempts before a hacker gained access to an account. A would-be car thief might give up trying to unlock cars long before they reach 1,000 vehicles. However, using bots, combined with the massive amount of user data sometimes leaked in large data breaches, hackers are able to play the odds — knowing that a successful hack will be worth the failed attempts.
Attacks are increasing
Credential stuffing attacks represent about 193 billion login attempts annually. According to a recent report, in 2024 login attempts using credentials increased by upwards of 310% — from “just” 47 billion the year before. This was significantly higher than the jump in overall web attacks — for example, SQL injection attacks — which increased from 6.2 billion in 2019 to 6.3 billion in 2024.
One reason for this giant ramp-up in numbers is likely the great increase in usernames and passwords leaked in large-scale data breaches. For example, in April 2024, there were reports that more than half a million stolen Zoom passwords were made available for sale on the dark web, along with other personal information.
An exponentially bigger breach involved CAM4, an adult entertainment platform, for which close to 11 billion records were exposed, including full names, payment records, and email addresses. These are only two examples of the growing number of breaches which open up ever more possibilities for credential stuffing attacks. Expect similar incidents to become even more common — and devastating — over time.
Stop credential stuffing in its tracks
Managing the credential stuffing threat is a must. From a user perspective, safeguarding against credential stuffing attacks is fairly simple. Users should utilize different usernames and passwords for every service that they use. To make life easier, password management systems such as Keychain on macOS can help store passwords so that users do not need to recall all of them. Users should also make sure that they always use strong passwords, with a combination of upper and lower-case characters, and digits, letters, and other characters such as exclamation marks. They should not use any personally identifying information in passwords where possible (such as their first name) and should change passwords on a semi-regular basis.
Organizations wanting to protect against credential stuffing should consider tools like robust anti-bot protections and MFA (multi-factor authentication) support on online accounts. A web application firewall (WAF) works by monitoring traffic to applications and stopping attacks and suspicious behavior in its tracks, thereby guaranteeing uninterrupted business operations.
Taking the proper cyber security measures is a wise move on the part of any organization wanting to ensure it is protected against attacks such as credential stuffing — and beyond. This is not an issue that’s going away any time soon. As more people rely on online infrastructure for everything from financial transactions to carrying out work, this is a challenge that needs to be addressed right now.