Credential Stuffing Explained

Credential stuffing is the automated use of collected usernames and passwords to gain fraudulent access to user accounts.

Credential stuffing is a cybercrime technique where an attacker uses automated scripts to try each credential against a target web site. It is considered a subset of brute force attacks. The reason this works is the majority of users reuse the same credentials on multiple accounts. This unfortunate reality means one data breach can threaten many organizations.


What is a credential spill?

Credential stuffing is a volume-based attack that lets an attacker have unauthorized access to an account. Once inside, they may do all sorts of things, one of which would be getting access to all users' data. If that occurs and the data includes credentials, you could say there was a credential spill.

credential stuffing explained
login (1)

How does credential stuffing work?

A threat actor compiles or obtains a list of credential pairs (e.g. an username and associated password) typically thousands of entries long at least from a third-party site. It "works" because many people will have reused the exact same credential on the target site. They choose a target, often a login form on a particular website, and run a program that attempts to log in to the website (or other target) with each credential pair.


How effective is credential stuffing?

Cybersecurity research indicates about 1% of stuffing attempts are successful. As the number of attempts is in the billions per year, even a 1% rate means that tens of millions accounts are taken over every year. Also, even a single success means that a threat actor could potentially gain access to the entire system or network through lateral or escalatory movement. This is a known path for the deployment of ransomware and other common cybercrimes.


How common is credential stuffing?

Verizon DBIR 2021 stated breach data showed that 61 percent of breaches involved credential data and indicates that businesses surveyed across every industry experienced a median of over 1 million credential stuffing attempts during the past year.


How to detect credential stuffing? 

There are multiple ways to try to detect an attack.

  • Monitor for abnormal amounts of login attempts to an account from a single endpoint.
  • Monitor access attempts to multiple accounts from a single endpoint.
  • Identifying known malicious endpoints attempting to use the credential via their IP addresses or with fingerprinting techniques.
  • Detecting the use of automation software in the login process (e.g. through packet analysis).

How to prevent credential stuffing?


A primary defense is to ensure the use of unique passwords for each site. Make sure passwords were not previously compromised and continue to monitor credentials on an ongoing basis in real-time to ensure user login credentials have been compromised.

Also, conduct company’s security awareness training for employees on password hygiene and password reuse. Password reuse is what enables attacks so this practice should be strongly discouraged, both at work and at home.

Read 8 Ways to Mitigate Attacks 


credential stuffing

Was it a breach or credential stuffing, how to tell?

Credential stuffing is a method of active attack by threat actors. A data breach is a result of exposure of confidential information; this can occur through error, lack of responsibility and security of an organization, or any other different cyberattacks.. 


Does Single sign on (SSO) stop credential stuffing?

SOO reduces the chance that a user’s credentials would be exposed in a breach incident because it reduces the number of “doors”/entry points that an organization needs to make secure. However, it becomes even more integral that the main account used for SSO has a strong, unique, and uncompromised password.


Additional articles: