Credential Stuffing

What are credential stuffing attacks?

Credential stuffing is a type of cyberattack in which attackers use lists of email addresses, usernames and passwords that were previously compromised or accidentally leaked to attempt to gain unauthorized access to online accounts. Often, these credentials are stolen from other websites or services that have been breached.

Attackers leverage automated tools and scripts to rapidly test these credentials against login forms on a massive scale, exploiting the common practice of users reusing the same credentials across multiple online platforms.

To better understand the unique nature of credential stuffing, let’s examine how it differs from other common cyberattack methods.

  • Brute-force attacks involve randomly guessing passwords or using common password combinations.  
  • Password spraying uses a limited set of common passwords to try to break into multiple accounts.  
  • Credential stuffing relies on pre-obtained stolen credentials from previous data breaches, making it faster and more efficient than brute-force or password spraying.

When an employee uses the same email and password combination for several online accounts, they endanger their data. If one of these accounts is compromised in a data breach, the credentials could end up for sale on the dark web. Attackers know that users frequently reuse passwords.

A successful credential stuffing attack can have severe consequences for both individuals and organizations.

What are the dangers of a successful credential stuffing attack for businesses? 

  • Malicious actors gaining access to sensitive environments containing PII and other confidential information
  • Threat actors gaining access to the corporate network 
  • Corporate accounts being taken over by threat actors
  • Financial losses from fraudulent transactions
  • Damaged brand reputation 
  • Damaged infrastructure
  • Loss of revenue from damaged infrastructure and halted operations

How credential stuffing attacks work

Credential stuffing attacks generally follow a systematic process to gain unauthorized access to accounts.

Here’s a step-by-step breakdown:

1. Access to stolen credentials

Attackers start by obtaining usernames and passwords leaked in previous data breaches, typically in the form of combo lists or credential dumps. These lists, which often include stealer logs – credentials captured by malware installed on victim devices – are available for purchase on the dark web.

While data breaches remain a significant source of stolen credentials, stealer logs have emerged as a critical source of high-quality and up-to-date credentials.

2. Automating the attack

Threat actors use automated scripts and bots to expedite the attack process with minimal manual work. An army of bots, called a botnet, uses the stolen credentials to try logging into as many sites as possible. Attackers leverage other automation tools, packaged as “credential stuffing kits” to make it easier to execute their attacks. Credential stuffing kits might include configuration scripts, captcha-solving services and proxies. 

3. Testing across sites

Attackers exploit the common practice of users reusing the same passwords across multiple online accounts. Bots are programmed to systematically try each stolen username and password pair against a vast array of online services, including:

  • Financial institutions
    • Banks, credit unions, and payment processors.
  • Corporate networks
    • VPNs, remote desktop protocols, and other internal systems.
  • Cloud services
    • SaaS applications, cloud storage, and other cloud-based resources.
  • Business communication platforms
    • Email, instant messaging, and collaboration tools.
  • Enterprise resource planning (ERP) systems
    • Software used to manage core business processes.

4. Success rates 

Although only a very small percentage of credentials typically work – some experts estimate 0.1% – the sheer volume of attempts means that attackers inevitably gain access to some accounts. 

5. Challenges

Attackers can face technological security defenses like CAPTCHAs, IP blocks, account lockout policies and strong password hygiene, which are meant to detect and block such automated attempts. Device fingerprinting and intrusion detection and prevention systems (IDPS) monitor the behavior of devices and network traffic for suspicious activity. Device fingerprinting blocks actions that are out of the norm, while IDPS sends alerts to the relevant cybersecurity personnel.

The impact of credential stuffing attacks

Credential stuffing attacks target vulnerable and valuable industries like finance, retail, and gaming: 

  • Financial institutions are prime targets due to the high value of bank accounts and sensitive data, along with the large number of users. 
  • Online retailers are vulnerable since attackers prefer to gain access to customer accounts and purchase goods with stolen credentials. 
  • Gaming platforms face high risk because stolen user accounts (which have monetary value through in-game purchases or rare items) are sold or traded on the dark web.
  • The healthcare industry is vulnerable because cybercriminals use credential stuffing to access sensitive health records, which are valuable both on the dark web and to medical fraudsters.

For businesses, compromised accounts serve as gateways for attackers to infiltrate deeper into networks, leading to significant data breaches, intellectual property theft, impersonation of executives, and account takeover.

Once a threat actor has entered a corporate network, they can move laterally within a system, escalating privileges and gaining access to critical assets. The disastrous results include not only direct financial losses from fraud but also long-lasting damage to brand reputation and an increase in customer service demands. To prevent further attacks, companies are forced to allocate substantial resources to bolster their cybersecurity infrastructure, which can drive up operational costs.

Case Study: The Okta attacks

The Okta credential stuffing attacks, which began in mid-April 2024, involved threat actors using stolen credentials to gain unauthorized access to accounts. Okta’s Customer Identity Cloud (CIC) feature, specifically its Cross-Origin Resource Sharing (CORS) functionality, was exploited by attackers attempting to breach accounts.

Okta issued a warning regarding an uptick in credential stuffing attacks targeting its Customer Identity Cloud (CIC) feature.

Customers were advised to disable unused CORS endpoints and recommended several security measures, including rotating compromised user credentials, enforcing multi-factor authentication, and implementing passwordless authentication. Okta also encouraged customers to check logs for unusual activity and to review event indicators such as ‘fcoa,’ ‘scoa,’ and ‘pwd_leak.’ The company continues to monitor the situation and provide guidance to impacted clients.

Okta customers secured their accounts by disabling unused CORS endpoints and following the recommended security practices. 

How to prevent credential stuffing attacks

Dark web monitoring helps detect stolen credentials as soon as possible, enabling businesses to respond before attackers exploit them in credential stuffing attacks. 

Organizations should monitor devices on their networks for unusual traffic patterns like sudden surges in login attempts. Spikes in login activity can indicate that automated tools or bots are trying to access multiple accounts – standard patterns of credential stuffing attacks. By identifying these patterns early, security teams can respond quickly to block or limit access and prevent account breaches.

Geolocation and device fingerprinting are also valuable tools in this effort. When a login attempt originates from an unfamiliar location or device, it should be flagged as suspicious. For instance, if a user primarily logs in from the US but a new login attempt occurs from a different country, security systems can flag this as potentially fraudulent. Device fingerprinting augments these efforts by tracking attributes like browser type and operating system – which can be used to distinguish between known, trusted devices and potential threats.

Behavioral analysis and machine learning algorithms can learn a user’s typical login habits and flag unusual behaviors – such as rapid, repeated login attempts or erratic mouse movements, which are often associated with bots. This helps security teams differentiate between legitimate users and automated attackers. 
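A minimal version of the login-spike check and the geolocation/device-fingerprint check described above, written as an added example (not code from this glossary or from Webz.io). The event fields, the sample events, the per-user baseline of usual country and known devices, and the thresholds are all assumptions; a real system would build the baseline from login history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, username, source IP, country, device id, success)
EVENTS = [
    ("2024-04-15T10:00:00", "alice", "203.0.113.5", "US", "dev-a1", True),
    ("2024-04-15T10:00:01", "u1", "198.51.100.9", "DE", "bot-1", False),
    ("2024-04-15T10:00:02", "u2", "198.51.100.9", "DE", "bot-1", False),
    ("2024-04-15T10:00:03", "u3", "198.51.100.9", "DE", "bot-1", False),
    ("2024-04-15T10:00:04", "u4", "198.51.100.9", "DE", "bot-1", False),
    ("2024-04-15T10:00:05", "bob", "198.51.100.9", "DE", "bot-1", True),
    ("2024-04-15T11:00:00", "carol", "192.0.2.7", "US", "dev-c1", False),
    ("2024-04-15T11:00:20", "carol", "192.0.2.7", "US", "dev-c1", True),
]
# Assumed per-user baseline of (usual country, known device ids); real systems learn this from history
BASELINE = {"alice": ("US", {"dev-a1"}), "bob": ("US", {"dev-b1"}), "carol": ("US", {"dev-c1"})}

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """IPs whose failed logins span >= min_accounts distinct usernames inside `window`:
    many accounts failing from one source is the volume pattern, one user mistyping is not."""
    by_ip = defaultdict(list)
    for ts, user, ip, _, _, ok in events:
        if not ok:
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t, _) in enumerate(attempts):
            users = {u for t2, u in attempts[i:] if t2 - t <= window}  # distinct accounts in trailing window
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def anomalous_logins(events, baseline):
    """Successful logins from a country or device the user has not been seen on before."""
    out = []
    for ts, user, ip, country, device, ok in events:
        if not ok or user not in baseline:
            continue
        home, devices = baseline[user]
        reasons = []
        if country != home:
            reasons.append(f"country {country} differs from usual {home}")
        if device not in devices:
            reasons.append(f"unknown device {device}")
        if reasons:
            out.append((ts, user, ip, "; ".join(reasons)))
    return out
```

A successful login that is both anomalous for the user and comes from an IP flagged by `stuffing_sources` is the case to escalate first, since it matches the pattern of a stolen credential that worked.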
