Credential Stuffing Explained

What is credential stuffing?

Credential stuffing is a cybercrime technique where an attacker uses automated scripts to try each credential against a target web site. The reason this works is the majority of users reuse the same credentials on multiple accounts. This unfortunate reality means one data breach can threaten many organizations.

How is an attack executed?

The cybercriminal obtains breached credentials for free or cheaply from publicly available Internet sites and the Dark Web. They then use tools like Sentry MBA to test the credential combinations in a highly automated bulk effort. Successful logins allow them to take advantage of services, stored credit card numbers and other personal information in account takeover attacks.

What is the best defense?

A primary defense against credential stuffing is to ensure the use of unique passwords for each site, making sure they were not previously compromised. Enzoic allows validation at initial account setup and on a real-time, ongoing basis to ensure user login credentials are not already compromised. Learn More