Credential Stuffing

What is Credential stuffing:

Credential stuffing is the automatic injection of breached username/password pairs, in order to fraudulently obtain access to user accounts. This is a branch of Brute force attack: vast numbers of spilled credentials are inserted into websites automatically before they are likely matched to an existing account, which can then be exploited for their own purposes by the attacker.

For Example, an attacker may take a list of usernames and passwords obtained from a breach of a major department store, and use the same login credentials to try and log in to the site of a national bank. The attacker is hoping that some fraction of those department store customers also have an account at that bank, and that they reused the same usernames and passwords for both services.

What makes credential stuffing effective:

Advances in bot technology also make credential stuffing a viable attack. Security features built into web application login forms often include deliberate time delays and banning the IP Addresses of users who have repeated failed login attempts. Modern credential stuffing software circumvents these protections by using bots to simultaneously attempt several logins that appear to come from a variety of device types and originate from different IP addresses. The malicious bot's goal is to make the attacker’s login attempts indistinguishable from typical login traffic, and it’s very effective.

Often times the only indication the victimized company has that they are being attacked is the rise in the overall volume of login attempts. Even then, the victimized company will have difficulty stopping these attempts without impacting the ability of legitimate users to log in to the service.

The main reason that credential stuffing attacks are effective is because people reuse passwords.

Difference between credential stuffing and brute force attacks:

Brute force attacks attempt to guess passwords with no context or clues, using characters at random sometimes combined with common password suggestions. Credential stuffing uses exposed data, dramatically reducing the number of possible correct answers.

A good defense against brute force attacks is a strong password consisting of several characters and including uppercase letters, numbers, and special characters. But password strength does not protect against credential stuffing. It doesn’t matter how strong a password is – if it’s shared across different accounts then credential stuffing can compromise it.

Prevent credential stuffing

For Users:

Users should always use unique passwords for each different service (an easy way to achieve this is with a password manager). If a user always uses unique passwords, the credential stuffing will not work against their accounts. As an added measure of security, users are encouraged to always enable two-factor authentication when it’s available.

For Companies:

Stopping credential stuffing is a more complex challenge for companies who run authentication services. Credential stuffing occurs as a result of data breaches at other companies. A company victimized by a credential stuffing attack has not necessarily had its security compromised.

A company can suggest that its users provide unique passwords but cannot effectively enforce this as a rule. Some applications will run a submitted password against a database of known compromised passwords before accepting the password as a measure against credential stuffing, but this isn’t foolproof – the user could be reusing a password from a service that is yet to be breached.

The strongest protection against credential stuffing is a bot management service. Bot management uses rate-limiting combined with an IP reputation database to stop malicious bots from making login attempts without impacting legitimate logins.


1. Sony, 2011 breach: “I wish to highlight that two-thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.”

· Source: Agile Bits 

· Source: Wired 


2. Yahoo, 2012 breach: “What do Sony and Yahoo! have in common? Passwords!”.

Source: Troy Hunt


3. Dropbox, 2012 breach: “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox”.

Source: Dropbox


4. JPMC, 2014 breach: “[The breached data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations”.

Source: NYTimes


5. Spotify, 2020 breach: "This won't be music to your ears – researchers spot an unsecured database replete with records used for an account hijacking spree"

 Source: WeLiveSecurity

Credential stuffing tools

This attack method is facilitated by a range of off-the-shelf tools that are easily available, making it unsophisticated and relatively straightforward. Commonly used tools include Sentry MBA, Account Hitman, Vertex, and Apex. To launch the attack, an attacker simply needs their tool of choice, a configuration file for the website to be attacked, and a list of username/password combinations to test against the site. Log in attempts are typically directed through one or more proxies to hide the source of the attack. The software is set up to automatically insert the credentials from the username/password list into the corresponding fields contained within the GET or POST requests.

Solution: Account Takeover Prevention

Reset stolen passwords before criminals can use them To defraud your users or access sensitive corporate data.

You can check if your credentials have been leaked at