
Credential Stuffing: How to Detect and Prevent It


In this article, we’ll define credential stuffing and explain the risks that credential stuffing attacks pose to organizations and customers. We’ll cover recent examples of credential stuffing attacks and discuss how to detect and prevent them. By the end of the article, you should understand the full scope of credential stuffing, including how to protect your customers’ and employees’ account credentials with the right tools.

What Is Credential Stuffing?

Credential stuffing is a type of cyber attack that occurs when a person or bot steals account credentials, such as usernames and passwords, and tries to use them to access multiple systems.

Credential stuffing relies on the fact that people reuse the same usernames and passwords across different accounts. By testing the stolen credentials against many accounts with an automation tool, the cybercriminal may gain entry to several of them, exposing both the user and the organization to a wide variety of risks.

The Danger of Credential Stuffing Attacks

Cybercriminals use credential and password stuffing attacks to gain access to sensitive financial, corporate, or personal data. A successful attack can harm an organization’s users by stealing their credit card information to make unauthorized purchases, draining their bank accounts, or selling their information. This type of attack is often automated through bots, making it easy for criminals to scale up attacks to impact a large number of people with a single infiltration strategy.

Credential stuffing attacks damage the trust, credibility, and reputation of infiltrated organizations, with consequences ranging from lost customers and revenue to a deluge of complaints on social media. Meanwhile, an attack puts an extra burden on your teams: your security team has to spend more time reviewing existing security protocols and shoring up vulnerabilities, and legal has to deal with penalties if law violations occur.

Credential stuffing costs large companies over $2 million per year just to get help with resetting passwords after an attack.

How Does a Credential Stuffing Attack Work?

The attacker first collects account details that they either purchased on the dark web or gleaned from a data breach. Once the stolen credentials are in hand, the attacker attempts to log in to multiple accounts at the same time, typically using a bot or other automated tool that can evade security systems.

If a login attempt is successful, the attacker can then grab sensitive information and use it in a number of ways, such as making purchases or committing other financial fraud. The attacker can change account security settings to lock the authorized users out. They can also sell the personal information they find or even sell access to the hacked accounts.

In the process, a skilled attacker can learn more about the system they’re compromising and find other entry points for additional attacks. It’s also important to note that, because the attacker holds a valid user’s credentials, the company often can’t spot the suspicious activity right away. It could take months before credential stuffing detection turns up anything, by which time extensive damage has already been done.

It can take up to 10.5 months to detect credential stuffing.

Popular Credential Stuffing Attack Tools

There are several popular credential stuffing tools today that cybercriminals can easily and cheaply buy online. These tools enable credential stuffing by accessing and combing through lists of users’ prior credentials and then automating login attempts.

Some popular tools include:

  • STORM
  • Black Bullet
  • Private Keeper
  • SNIPR
  • Sentry MBA
  • WOXY

Examples of Credential Stuffing Attacks

Companies across industries are vulnerable to credential and password stuffing, especially if a large portion of business is conducted online. Online transactions create the opportunity for data breaches, which expand and compound the credential stuffing problem.

Here are a few notable credential stuffing attack examples from recent years.

State Farm faced consumer trust fallout and potential legal action

In 2019, a malicious actor used account credentials that had likely been found on the dark web to break into the company’s online accounts. While it appeared that no fraudulent activity happened as a result of the State Farm credential stuffing attack, the company wasn’t sure how many of its 83 million customers were affected.

State Farm suffered a hit to customer trust and brand reputation, and faced possible consequences from the Federal Trade Commission.

Zoom tries to recover 500,000 users’ credentials

In a 2020 Zoom credential stuffing attack, hackers gathered old Zoom account usernames and passwords from breached databases available on dark web forums. Some of the stolen credentials were the result of hacks dating back as far as 2013. The attackers then used multiple bots to attempt to gain entry to the Zoom accounts. Half a million Zoom user credentials ended up for sale again as a repackaged database on the dark web.

Zoom had to hire multiple intelligence firms to find the compromised passwords and another firm to shut down thousands of spoof websites trying to trick users into revealing their credentials.

Spotify cleans up second credential stuffing attack in months

In February 2021, attackers obtained a database with the account credentials of 100,000 Spotify users, then used a malicious logger database to try to get access to the accounts with the apparent goal of taking them over. It was the second Spotify credential stuffing attack in months, with the first one happening in November 2020.

Spotify had to prompt all 100,000 impacted users to reset their passwords, as well as urge the hosting ISP to take down the fraudulent database.

How to Detect Credential Stuffing Attacks

Detecting credential stuffing attacks can be challenging since attacks often look like normal user activity. Organizations can detect credential stuffing attacks by implementing an infrastructure access platform with access management and monitoring capabilities. With these tools, IT teams gain broad visibility into all user credentials and activities across all applications, databases, and servers in the network, making it easier to detect an attack.

Together, access management and monitoring ensure that authenticated users can access their accounts without disruption, while also surfacing any abnormal or suspicious login activity at the user or application level.
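As an added illustration of the abnormal login activity that monitoring should surface (example code written for this article, not StrongDM's product code), the Python below scans a constructed authentication log for a source address that tries many distinct usernames with mostly failures inside a short window, and lists any account that did log in from such a source, since a success from an address that is otherwise failing across many accounts is exactly the valid-credential case the text says is hard to notice. The log format, thresholds, and addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=192.0.2.20 user=hr-1 result=OK
2024-05-01T10:00:01Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.9 user=bob result=FAIL
2024-05-01T10:00:02Z src=198.51.100.4 user=grace result=FAIL
2024-05-01T10:00:03Z src=203.0.113.9 user=carol result=FAIL
2024-05-01T10:00:04Z src=192.0.2.20 user=hr-2 result=OK
2024-05-01T10:00:04Z src=203.0.113.9 user=dave result=FAIL
2024-05-01T10:00:05Z src=198.51.100.4 user=grace result=FAIL
2024-05-01T10:00:05Z src=203.0.113.9 user=erin result=OK
2024-05-01T10:00:07Z src=192.0.2.20 user=hr-3 result=OK
2024-05-01T10:00:09Z src=198.51.100.4 user=grace result=OK
2024-05-01T10:00:10Z src=192.0.2.20 user=hr-4 result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Parse matching lines into dicts, oldest first; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=4, min_fail_ratio=0.7):
    """Flag a source that, within a sliding window, tried many distinct usernames with
    mostly failures (a breach list being replayed), and record any account that did
    log in from that source as a likely compromise. A shared office address with many
    users but few failures, or one user mistyping a password, is not flagged."""
    recent = defaultdict(deque)  # src -> events still inside the window
    flagged = {}
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {x["user"] for x in q}
        fails = sum(x["result"] == "FAIL" for x in q)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            hit = flagged.setdefault(e["src"], {"distinct_users": 0, "likely_compromised": set()})
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            hit["likely_compromised"] |= {x["user"] for x in q if x["result"] == "OK"}
    return flagged
```

On the sample log only 203.0.113.9 is flagged, with erin reported as the account that accepted a replayed credential; the office NAT address and the user who mistyped a password pass through untouched.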

How to Prevent Credential Stuffing Attacks

Multi-factor authentication (MFA) is a valuable credential stuffing prevention tool that balances ease of use and security. In addition to a traditional password, MFA requires at least one other way to authenticate the user. Advanced security devices, such as a biometric reader or smart card, can even enable passwordless authentication. With MFA, attackers have a harder time accessing accounts because a username and password combination alone is not enough, and they usually don’t have the necessary device.

Additionally, credential stuffing can be prevented by educating your organization’s users on password security, and prompting them to change passwords on a regular basis. In the event that a password is stolen, this practice has the added benefit of limiting the timeframe in which the stolen password can be used.

Outside of adopting a comprehensive access management platform and MFA, other ways to prevent credential stuffing attacks include using CAPTCHA and security questions, and requiring users to create their own usernames to make them less predictable.

Credential Stuffing vs. Other Cyber Attacks

Credential stuffing vs. password spraying

Credential stuffing involves usernames and passwords that are already known to be associated with a particular account. In contrast, password spraying is when an attacker uses a known username with a commonly used or generic password to try to gain access to the account.

Credential stuffing vs. brute force

A brute force attack differs from a credential stuffing attack in that attackers will run computer-generated combinations of usernames and passwords until they can successfully log in to an account. Essentially, the attacker is “guessing” and using brute force software to do so.

Credential stuffing vs. account takeover

An account takeover is often the result of the process of credential stuffing. Once an attacker successfully gains entry to an account with the user’s credentials, they can then change the account’s security settings, rendering the authorized user unable to access it.

Credential stuffing vs. directory harvest

A directory harvest attack isn’t about compromised credentials but rather about using different permutations of a company’s standard email address format to try to guess valid email addresses. This type of attack is often used to send spam advertising through email.

How StrongDM Simplifies Credential Stuffing Attack Protection

Credential stuffing protection is critical today as widespread data breaches put more and more users’ account credentials at risk. And with advanced technology that makes credential stuffing attacks easier than ever, it’s imperative to mitigate credential stuffing with efficient, simplified credential stuffing solutions.

StrongDM’s infrastructure access platform helps your organization mount a credential stuffing defense through a single-source, centralized process of user authentication and authorization. With one platform, your IT team can securely store user credentials and manage your organization’s authentication methods while monitoring your networks and infrastructure for suspicious activity.

You can ensure your valid users get access to the accounts and systems they need when they need it and prevent credential harvesting at the same time.

Stop Credential Stuffing with StrongDM

Credential stuffing attacks are multiplying as companies continue to digitize and data breaches proliferate. These attacks cost organizations billions of dollars in remediation efforts and diminish the hard-earned trust that’s central to customer relationships, brand reputation, and revenue growth.

StrongDM’s Dynamic Access Management (DAM) platform provides technical staff with secure access to the critical infrastructure they need to be productive. Prevent credential stuffing attacks with the fast, intuitive, and auditable access required for modern security and compliance.

Ready to get started? Sign up for a free 14-day trial of StrongDM today.


About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
