The other day, I came across the term "credential stuffing" and became curious about its meaning, so I researched it.
Credential stuffing is a type of cyberattack in which attackers use stolen account credentials, such as usernames, email addresses, and passwords, obtained from data breaches. The attackers then make large-scale automated login attempts against other web applications to gain unauthorised access to user accounts on those systems.

Unlike credential cracking, credential stuffing does not involve guessing or brute-forcing passwords. Instead, the attacker automates the login process for thousands to millions of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, and PhantomJS, or tools specifically designed for these attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet.
Credential stuffing attacks exploit the fact that many users reuse the same username and password combination on multiple sites. The scale of this problem is highlighted by alarming statistics: one survey found that 81% of users have reused a password across two or more sites, and 25% use the same passwords for most of their accounts. This common practice significantly increases the risk of successful credential-stuffing attacks.
In 2017, the Federal Trade Commission (FTC) issued an advisory recommending specific actions that companies should take to defend against credential stuffing, such as enforcing secure password practices and implementing safeguards against such attacks. Despite these measures, the threat remains substantial. According to Shuman Ghosemajumder, the former Google click fraud czar, credential stuffing attacks have a success rate of up to 2%. At that rate, one million stolen credential pairs yield roughly 20,000 compromised accounts.
Wired Magazine has outlined the best defences against credential stuffing, including:
· Using unique passwords: Generate unique passwords for each account, preferably with the help of a password manager.
· Enabling two-factor authentication: Add an extra layer of security to accounts to make unauthorised access more difficult.
· Detecting and stopping attacks: Companies should implement robust measures to detect and mitigate credential stuffing attempts.
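To make the third item concrete, here is an added example (not from the original post or from Wired) that classifies login sources in a constructed authentication log: credential stuffing shows up as many distinct usernames tried from one source with a high failure rate, whereas brute forcing hits few accounts many times. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-app authentication log lines (not from any real system).
# Assumed format: "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=alice src=203.0.113.10
2024-05-01T10:00:02 auth FAIL user=bob src=203.0.113.10
2024-05-01T10:00:02 auth FAIL user=carol src=203.0.113.10
2024-05-01T10:00:03 auth OK user=dave src=203.0.113.10
2024-05-01T10:00:03 auth FAIL user=erin src=203.0.113.10
2024-05-01T10:00:04 auth FAIL user=frank src=203.0.113.10
2024-05-01T10:00:10 auth FAIL user=mallory src=198.51.100.7
2024-05-01T10:00:11 auth FAIL user=mallory src=198.51.100.7
2024-05-01T10:00:12 auth FAIL user=mallory src=198.51.100.7
2024-05-01T10:00:13 auth FAIL user=mallory src=198.51.100.7
2024-05-01T10:00:14 auth FAIL user=mallory src=198.51.100.7
2024-05-01T10:00:20 auth FAIL user=grace src=192.0.2.55
2024-05-01T10:00:25 auth OK user=grace src=192.0.2.55
"""

LINE_RE = re.compile(r"auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def classify_sources(log_text, min_attempts=5, min_fail_ratio=0.6, min_user_spread=0.8):
    """Label each source IP as 'normal', 'credential_stuffing' or 'brute_force'."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not auth events
        s = stats[m["src"]]
        s["attempts"] += 1
        if m["result"] == "FAIL":
            s["fails"] += 1
        s["users"].add(m["user"])
    labels = {}
    for src, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            labels[src] = "normal"  # too few attempts or mostly successful logins
        elif len(s["users"]) / s["attempts"] >= min_user_spread:
            # roughly one attempt per distinct account: the credential-stuffing shape
            labels[src] = "credential_stuffing"
        else:
            # many attempts against few accounts: the password-guessing shape
            labels[src] = "brute_force"
    return labels
```

Note that the stuffing source still logged one successful login (dave), which is exactly the kind of low-rate success the 2% figure above describes; an alert keyed only on failures for a single account would miss it.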
Credential stuffing presents a significant threat to online security, highlighting the importance of using strong, unique passwords and two-factor authentication, and the need for companies to take proactive measures to detect and prevent such attacks.