Credential stuffing is a type of cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service.
For example, an attacker may take a list of usernames and passwords obtained from a breach of a major department store and use the same login credentials to try to log in to the site of another store. The attacker is hoping that some customers of the breached store also have an account at the other store and reused the same username and password for both services.
As of 2019, credential stuffing has been on the rise, thanks to massive lists of breached credentials being traded and sold on the dark web. The proliferation of these lists, combined with advances in credential stuffing tools that use bots to get around traditional login protections, has made credential stuffing a popular attack vector.
Effectiveness of Credential Stuffing
Statistically speaking, credential stuffing attacks have a very low rate of success. Many estimates put this rate at about 0.1%, which means that for every one thousand accounts an attacker tries, roughly one login will succeed. The sheer volume of the credential collections being traded by attackers makes credential stuffing worth it in spite of the low success rate.
These collections contain millions and in some cases billions of login credentials. If an attacker has one million sets of credentials, this could yield around 1,000 compromised accounts. If even a small percentage of the compromised accounts contain profitable data (often credit card numbers, or sensitive personal data that can be used in phishing attacks), the attack is worthwhile. On top of that, the attacker can repeat the process using the same sets of credentials against numerous other services.
Advances in bot technology also make credential stuffing a viable attack. Security features built into web application login forms often include deliberate time delays after failed attempts and banning the IP addresses of users who have repeatedly failed to log in. Modern credential stuffing software circumvents these protections by using bots to attempt many logins in parallel that appear to come from a variety of device types and originate from many different IP addresses, so that no single IP address trips a per-IP threshold. The bot's goal is to make the attacker's login attempts indistinguishable from typical login traffic, and it is very effective.
Often the only indication the victimized company has that it is being attacked is a rise in the overall volume of login attempts. Even then, the company will have difficulty stopping these attempts without impacting the ability of legitimate users to log in to the service.
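The two paragraphs above make a concrete, testable claim: a per-IP failure counter misses a distributed attack, while aggregate login statistics still reveal it. The following is an added illustration (not code from the original page or from any particular product) that runs both checks over a constructed set of login events: a baseline window of a few regular users, followed by a window in which 200 source IPs each try three different accounts with the roughly 0.1% success rate the article describes. The event tuple layout, the IP ranges (documentation prefixes), the user names and every threshold are assumptions chosen for the example.

```python
"""Per-IP lockout versus aggregate burst detection for credential stuffing.

Added example with constructed data; the log format, addresses and thresholds
are assumptions, not taken from any real system.
"""
from collections import Counter
from typing import Dict, List, Tuple

# (timestamp_seconds, client_ip, username, login_succeeded)
LoginEvent = Tuple[int, str, str, bool]


def build_sample_events() -> List[LoginEvent]:
    """Constructed sample traffic: 20 minutes of normal logins with a 10-minute
    distributed stuffing burst starting at t=600. Not real log data."""
    events: List[LoginEvent] = []
    # Three regular users log in once a minute for the whole period; carol
    # mistypes her password a few times (t = 60, 360, 660, 960).
    for t in range(0, 1200, 60):
        events.append((t, "203.0.113.10", "alice", True))
        events.append((t + 20, "203.0.113.11", "bob", True))
        events.append((t + 40, "203.0.113.12", "carol", t % 300 != 60))
    # Attack window: 200 proxy IPs, each trying 3 distinct accounts, one attempt
    # per second. Exactly one of the 600 reused passwords works (n == 42).
    n = 0
    for i in range(200):
        ip = f"198.51.100.{i + 1}"
        for _ in range(3):
            events.append((600 + n, ip, f"user{n:04d}", n == 42))
            n += 1
    return events


def per_ip_lockout_candidates(events: List[LoginEvent], threshold: int) -> List[str]:
    """Traditional defense: return IPs with at least `threshold` failed logins.
    A distributed attacker keeps every IP below the threshold, so this finds
    nothing (or finds only legitimate users who mistyped their password)."""
    failures = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, count in failures.items() if count >= threshold)


def window_stats(events: List[LoginEvent], start: int, length: int) -> Dict[str, float]:
    """Aggregate login statistics for the half-open window [start, start + length)."""
    in_window = [e for e in events if start <= e[0] < start + length]
    attempts = len(in_window)
    failures = sum(1 for e in in_window if not e[3])
    per_ip = Counter(e[1] for e in in_window)
    return {
        "attempts": attempts,
        "failure_rate": failures / attempts if attempts else 0.0,
        "distinct_ips": len(per_ip),
        "distinct_users": len({e[2] for e in in_window}),
        "max_attempts_per_ip": max(per_ip.values()) if per_ip else 0,
    }


def is_stuffing_burst(baseline: Dict[str, float], current: Dict[str, float],
                      volume_factor: float = 5.0, min_failure_rate: float = 0.8,
                      min_user_spread: float = 0.5) -> bool:
    """Flag a window when login volume jumps relative to the baseline, failures
    dominate, and the attempts are spread across many different accounts.
    The thresholds are assumptions for this example; tune them per site."""
    if current["attempts"] == 0:
        return False
    volume_spike = current["attempts"] >= volume_factor * max(baseline["attempts"], 1)
    mostly_failures = current["failure_rate"] >= min_failure_rate
    spread = current["distinct_users"] / current["attempts"] >= min_user_spread
    return volume_spike and mostly_failures and spread


if __name__ == "__main__":
    evts = build_sample_events()
    base, attack = window_stats(evts, 0, 600), window_stats(evts, 600, 600)
    print("per-IP lockout (>=5 failures):", per_ip_lockout_candidates(evts, 5))
    print("baseline:", base)
    print("attack window:", attack)
    print("burst detected:", is_stuffing_burst(base, attack))
```

With these constructed events the per-IP rule with a threshold of five failures returns nothing, and lowering it to four catches only carol, the legitimate user who mistyped her password. The aggregate view of the attack window shows the pattern the article describes: a 21x jump in attempts, a failure rate above 95%, 203 distinct source IPs and 603 distinct usernames, with no single IP exceeding the ten attempts a regular user made. Real detections would add request fingerprints (user agent, TLS and header ordering) and a per-account view, but the same asymmetry between per-IP and aggregate signals is what makes the bots effective.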
The main reason credential stuffing attacks are effective is that people reuse passwords. Studies suggest that a majority of users, by some estimates as many as 85%, reuse the same login credentials across multiple services. As long as this practice continues, credential stuffing will remain profitable.