What Credential Stuffing Is And How It Can Get You

Lukas Grigas
Cybersecurity Content Writer

You came up with a strong password. It has everything: numbers, uppercase letters in the middle, a couple of well-placed ^s and $s, and it ends with an upside-down question mark. Perfect. Now you can use this password on every account.

And that’s how they get you. Today, we’re exploring credential stuffing.

What is credential stuffing, and how does it work?

Credential stuffing is a type of cyberattack during which cybercrooks use stolen credentials to gain unauthorized access to a user account or organizational systems. Usually, the usernames and passwords used in such attacks are acquired illegally via data breaches.

As the name suggests, the attack is designed to stuff as many stolen credentials as possible into the login forms of multiple websites or company systems in the hope that some of them work. Credential stuffing relies on automation and on the assumption that many people reuse login details across multiple online services and platforms.

Why is credential stuffing on the rise?

Credential stuffing attacks are pretty common, mostly because of the huge supply and demand for breached login details.

Anyone can buy collections of leaked passwords on the web. Better (or worse) yet, they can download them for free through P2P networks.

These gigantic collections contain multiple data breaches. For example, the infamous Collection #1-5 offers 2.2 billion unique username and password combinations. Anyone with an internet connection can find them online in plaintext.

Once the attacker-to-be gets the trove of credentials, they can start “stuffing” them. Usually, to break into an account, an attacker needs to send out numerous login requests. That’s where credential stuffing tools (also found online) come in handy.

Since inserting millions of passwords into millions of boxes by hand isn’t an option, attackers automate these attacks. They also bounce the requests through proxy servers to hide the fact they’re coming from the same IP. Credential stuffing tools mask the attacker’s browser and find a way around CAPTCHAs.

According to Verizon’s 2022 Data Breach Investigations Report, credential stuffing attacks are a common cause of data breaches because many people tend to reuse passwords across multiple accounts.
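From the defender's side, the automation described above leaves a recognisable shape in authentication logs: one source working through a list of different usernames, each tried once, with mostly failures and the occasional hit. The following detection logic is an added example (not code from NordPass or the original article) that runs over a constructed sample log; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real traffic); IPs are from RFC 5737
# documentation ranges. 203.0.113.5 works through a list of different
# usernames with one hit, the signature of stuffing a breached credential list.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:15Z ip=198.51.100.7 user=alice result=SUCCESS
2024-05-01T10:01:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

def parse_log(text):
    """Parse 'ts key=value ...' lines into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((ts, f["ip"], f["user"], f["result"] == "SUCCESS"))
    return events

def flag_stuffing_sources(events, min_attempts=5, min_distinct_ratio=0.8):
    """Return {ip: summary} for sources whose traffic looks like stuffing:
    enough attempts, nearly every attempt against a different username
    (each breached pair is tried once) and mostly failures. A user retrying
    their own password from one IP does not match this shape."""
    per_ip = defaultdict(list)
    for _ts, ip, user, ok in events:
        per_ip[ip].append((user, ok))
    flagged = {}
    for ip, tries in per_ip.items():
        attempts = len(tries)
        users = {u for u, _ in tries}
        successes = sum(ok for _, ok in tries)
        if (attempts >= min_attempts
                and len(users) / attempts >= min_distinct_ratio
                and successes * 2 < attempts):
            # hit_accounts are the ones a responder should lock and reset first
            flagged[ip] = {"attempts": attempts, "distinct_users": len(users),
                           "successes": successes,
                           "hit_accounts": sorted(u for u, ok in tries if ok)}
    return flagged
```

Because real campaigns spread requests over proxies, the same per-source statistics should also be computed per ASN or per time window; the per-IP rule above is the building block, not the whole detection.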

Credential stuffing vs. brute-force attack

Credential stuffing and brute-force attacks are similar in the way they work. Bad actors use both attacks for the same purpose — to gain unauthorized access to some online account or a corporate system. However, they differ in their approach. During a brute-force attack, hackers use automated processes to guess the potential victim’s username and password blindly. In contrast, in a credential stuffing attack, cybercrooks use breached credentials, which increases their chances of success.

How to prevent credential stuffing

Preventing credential stuffing, like any other type of cyberattack, is a complex task comprising various cybersecurity practices. However, once you know what steps you should take, you can drastically reduce the chance of being a victim of a credential stuffing attack.

Do not reuse passwords

Your password can be virtually unguessable, but it won’t matter when a website you visit gets hacked and that ultra-secure password ends up on the web. And once your login credentials are out, hackers can use them to get into your other accounts. This is the essence of credential stuffing. If you reuse your passwords, hackers can reuse them too. Coming up with a different password for every account is easier with a password generator — a tool that automatically creates strong and unique passwords.

Use multi-factor authentication

Multi-factor authentication is often referred to as an additional layer of security because it acts as an additional step of identity verification when you try to access any of your online accounts. In most instances, the extra step of identity verification is a 4-8 digit code you need to enter after using your login credentials. Usually, the code is sent to you via email, SMS, or an authenticator app. Using MFA as an additional layer of security means that even if your passwords and usernames are compromised in a breach, hackers can’t use them to access your account, because doing so also requires access to your MFA code.

Use a password manager

These days, having a password manager should be a no-brainer. A password manager is a tool that helps you to securely store and access your passwords, credit cards, and other personal information whenever you need it. With a tool such as NordPass, having strong and unique passwords for all your online accounts is easier than ever. Furthermore, a password manager eliminates the need to manually type passwords and usernames because the autofill functionality does that for you and saves the frustration that comes with having to type out a string of 12 random characters.

Regularly check if your credentials have been leaked

Knowing if your usernames and passwords have been compromised in a data breach is critical in preventing a credential stuffing attack and maintaining a secure profile online. A variety of online tools let you know if your sensitive information has been affected by a data leak. One of these tools is our Data Breach Scanner, which checks the web for leaked databases and then compares them to the provided email address and credit cards.
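The article describes the NordPass scanner as matching email addresses and card numbers; a related question is how a leak checker can test a password without ever receiving it. The block below is an added example (not NordPass code and not a description of how its scanner works) of the hash-prefix, or k-anonymity, range lookup that password-leak checkers such as Pwned Passwords use: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The leaked corpus is constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed "leaked password" corpus standing in for a breach-scanner's
# database (not real breach data). Counts are how often each password appeared.
LEAKED_PASSWORDS = Counter({"password123": 40000, "Summer2024!": 120,
                            "hunter2": 9000})

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form range-lookup services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Server side: index leaked hashes by their first 5 hex characters so a
    lookup can be answered without learning the caller's full hash."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index

def range_lookup(index, prefix):
    """Server side: return every (suffix, count) under the 5-char prefix.
    The caller's password is one of all candidates sharing that prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))

def check_password(password, index):
    """Client side: send only the prefix, match the suffix locally. Returns
    the breach count (0 = not found). Neither the password nor its full hash
    leaves the client."""
    h = sha1_hex(password)
    candidates = range_lookup(index, h[:5])
    return candidates.get(h[5:], 0)
```

A non-zero count means the password is already in attackers' lists and should be replaced everywhere it is used, whether or not this particular account was in the breach.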

Bottom line

You can’t be absolutely safe online, because you can’t know or control everything. Are the apps, websites, or online services you use secure? Sometimes. And sometimes not. Sometimes they seem secure until they prove otherwise. That’s why you have to use every security measure available to you.
