What is credential stuffing, and how to prevent it

Credential stuffing is the automated injection of usernames or emails and passwords into login forms. In a credential stuffing attack, bad actors test hundreds of thousands of combinations of usernames, emails, and passwords in quick succession on a target website. In many cases, they’re trying to confirm which combinations of valid usernames and passwords will unlock an account. If a bad actor can unlock one account with a known combination, there’s a good chance they can unlock others with the same known credentials.

Credential stuffing should concern any business that stores something of value behind a protected account. That value isn’t limited to payment information and loyalty points or rewards. In credential stuffing attacks, bad actors target anything they can resell, including personal data.

Here, we’ll define two methods for credential stuffing attacks. Then we’ll explore how bad actors launch credential stuffing attacks and the consequences of these attacks. Finally, we’ll show you how to prevent credential stuffing attacks.

Methods for credential stuffing

When bad actors acquire lists of user credentials on the dark web, they want to test combinations on different websites as soon as possible. The severity of credential stuffing attacks can vary across scope, intensity, and duration. But, overall, bad actors need valid usernames or passwords for credential stuffing on a valid or targeted website.

Known username or email, known target, unknown password

In this method, the bad actor knows that a user has an account on the target site. But the bad actor doesn’t know the password associated with the account. So they attempt a brute-force attack by trying a list of common passwords. Or they’ll attempt to crack the password by making thousands of attempts in quick succession.

An email icon and a target icon in blue, and password icon in orange.

Who is most at risk for this method of credential stuffing?

  • Users with simple or common passwords
  • Targets or sites with limited controls

Known username or email, known password, unknown target

In this method, the bad actor has a list of username and password combinations from other site breaches. They test those combinations on the target site. But they don’t know, for sure, if users have accounts on the target site. In these “spray and pray” attacks, bad actors know good combos but don’t know targets.

An email icon in blue, a target icon in orange, and a password icon in blue.

Who is most at risk for this method of credential stuffing?

  • Users who reuse passwords across the web
  • Targets or sites with basic authentication controls

How bad actors launch credential stuffing attacks

Part of what makes credential stuffing attacks attractive to bad actors is basic human limitations. The average American has 27 online accounts, according to a 2019 Harris Poll and Google study. Among survey participants, 66% said they use the same password on more than one website. Knowing that so many Americans take a lax approach to password security, it’s easy for bad actors to take advantage. So how do they do it?

When a bad actor breaches a company’s database, they acquire a list of usernames or emails and passwords for the company’s website. Following a breach, another bad actor may buy that list on the dark web for the purpose of credential stuffing. And those lists can be sold to many bad actors.

With a list of usernames and passwords in hand, the bad actor may use software that’s built for the sole purpose of testing that list on a target website. For example, a bad actor breaches a national coffee chain’s customer database. The next bad actor may purchase the credentials list to test on a national donut chain’s website, figuring people who buy a lot of coffee might also buy a lot of donuts.

After testing hundreds of thousands of credentials, the software tells the bad actor which combination of usernames and passwords worked on the target site. The typical success rate for these attacks is between 1% and 2%. So if a bad actor tests 100,000 combinations of usernames and passwords, then 1,000 of them unlocked an account.

From there, the bad actor can conduct account takeover attacks, stealing more customer information from those unlocked accounts or spending any loyalty points or rewards for themselves. In some cases, they won’t take anything from the unlocked accounts but sell their list of known credentials to the next bad actor.

A bad actor using more advanced methods for credential stuffing may launch a botnet attack. In a botnet attack, bad actors infect computers or Internet of Things (IoT) devices with malware. IoT devices aren’t just computers and tablets. They’re any device that connects to the internet to function — think doorbells, refrigerators, and even baby monitors. There are over 30 billion active IoT devices on the planet. Bad actors can configure that malware to do a number of things, including credential stuffing.

Consequences of credential stuffing and bot-related attacks

With the adoption of new digital channels and experiences, there is more value locked behind a login than ever. For the victims of credential stuffing attacks, the damage hits more than the balance sheet.

Once a bad actor unlocks user accounts, they can take over an account to mine more customer data or access proprietary company information. They can make purchases using stored value or drain loyalty accounts entirely. Using known credentials, bad actors can even create fake accounts on other websites.

The consequences are even more severe if a bad actor is launching botnet attacks. As businesses in Kount’s 2020 Bot Landscape and Impact Report found, bot-related attacks can crash websites, compromise customer data, freeze inventory, and leak proprietary company data to name a few. Some businesses even reported losing partnerships to bot-related attacks.

A radial chart that outlines the consequences of bot-related attacks, ranging from crashed websites to proprietary information leaked.

How to prevent credential stuffing attacks with Kount Control

Traditionally, high-value targets like bank accounts and payment portals have been the target of credential stuffing attacks. But any business that has transitioned to a more digital experience is a potential target. That’s where Kount Control comes in to stop malicious logins and protect against credential stuffing, bot attacks, and account takeover.

Let’s say a user attempts to log in to an account from a new or previously unknown device. Because the site doesn’t recognize the device, it asks the user if it can remember that device in the future. Kount Control’s trusted device capabilities helps businesses manage the relationship between users and their devices.

Kount’s machine learning capabilities connect a user’s trusted devices. Kount customers can set up Kount to trigger multi-factor authentication on new or unknown devices. And if an account sees a set number of failed login attempts from unknown devices, it may indicate a credential stuffing attack.

Meanwhile, bots often use high-risk IP addresses, which Kount Control’s IP risk capabilities can help detect. And if an IP address starts to exhibit anomalous behavior, Kount Control’s IP anomaly detection can identify it. Kount’s machine learning identifies anomalous attributes from across the Identity Trust Global NetworkTM. So if a business sees, for example, higher-than-average transaction or chargeback velocities from one IP address in a short time, it may indicate a bot attack.

And it’s not just one or two potentially anomalous events Kount’s network can identify. The Identity Trust Global Network links signal data from 32 billion annual interactions across 250 countries and territories, over 75 industries, and over 50 payment processors and card networks. The result is blocked payments fraud and account takeover prevention in real time.

Latest Posts

Learn how Kount protects business from credential stuffing

Get a demo
close

Schedule a Demo

Conveniently schedule a call with sales to discuss your fraud protection strategy.