<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

What Is Credential Stuffing? Detect and Prevent Attacks

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

In this article, we’ll define credential stuffing and explain the risks that credential stuffing attacks pose to organizations and customers. We’ll cover recent examples of credential stuffing attacks and discuss how to detect and prevent them. By the end of the article, you should understand the full scope of credential stuffing, including how to protect your customers’ and employees’ account credentials with the right tools.

What Is Credential Stuffing?

Credential stuffing is a type of cyber attack that occurs when a person or bot steals account credentials, such as usernames and passwords, and tries to use them to access multiple systems.

Credential stuffing stems from the notion that people use the same usernames and passwords for different accounts. By testing multiple accounts with the stolen credentials, the cybercriminal using a malicious automation tool might be able to gain entry to multiple accounts—exposing both the user and organization to a wide variety of risks.

The Danger of Credential Stuffing Attacks

Cybercriminals use credential and password stuffing attacks to gain access to sensitive financial, corporate, or personal data. A successful attack can harm an organization’s users by stealing their credit card information to make unauthorized purchases, draining their bank accounts, or selling their information. This type of attack is often automated through bots, making it easy for criminals to scale up attacks to impact a large number of people with a single infiltration strategy.

Credential stuffing attacks damage the trust, credibility, and reputation of infiltrated organizations—with consequences ranging from lost customers and revenue to a deluge of complaints on social media negatively impacting brand and reputation. Meanwhile, an attack puts an extra burden on your teams. Your security team has to spend more time reviewing existing security protocols and shoring up vulnerabilities. Legal has to deal with penalties if law violations occur.

Credential stuffing costs large companies over $2 million per year just to get help with resetting passwords after an attack.

How Does a Credential Stuffing Attack Work?

The attacker first collects account details that they either purchased on the dark web or gleaned from a data breach. Once the stolen credentials are in hand, the attacker attempts to log in to multiple accounts at the same time, typically using a bot or other automated tool that can evade security systems.

If a login attempt is successful, the attacker can then grab sensitive information and use it in a number of ways, such as making purchases or committing other financial fraud. The attacker can change account security settings to lock the authorized users out. They can also sell the personal information they find or even sell access to the hacked accounts.

In the process, a skilled attacker can learn more about the system they’re compromising and find other entry points they can use for additional attacks. It’s also important to note that, because the attacker has a valid user’s account credentials, it’s often difficult for the company to notice suspicious activity right away. It could take months before credential stuffing detection turns up anything, after which extensive damage is already done.

It can take up to 10.5 months to detect credential stuffing.

Popular Credential Stuffing Attack Tools

There are several popular credential stuffing tools today that cybercriminals can easily and cheaply buy online. These tools enable credential stuffing by accessing and combing through lists of users’ prior credentials and then automating login attempts.

Some popular tools include:

  • STORM
  • Black Bullet
  • Private Keeper
  • SNIPR
  • Sentry MBA
  • WOXY

Examples of Credential Stuffing Attacks

Companies across industries are vulnerable to credential and password stuffing, especially if a large portion of business is conducted online. Online transactions create the opportunity for data breaches, which expand and compound the credential stuffing problem.

Here are a few notable credential stuffing attack examples from recent years.

State Farm faced consumer trust fallout and potential legal action

In 2019, a malicious actor used account credentials that had likely been found on the dark web to break into the company’s online accounts. While it appeared that no fraudulent activity happened as a result of the State Farm credential stuffing attack, the company wasn’t sure how many of its 83 million customers were affected.

State Farm suffered a hit to customer trust and brand reputation, and faced possible consequences from the Federal Trade Commission.

Zoom tries to recover 500,000 users’ credentials

In a 2020 Zoom credential stuffing attack, hackers gathered old Zoom account usernames and passwords from breached databases available on dark web forums. Some of the stolen credentials were the result of hacks dating back as far as 2013. The attackers then used multiple bots to attempt to gain entry to the Zoom accounts. Half a million Zoom user credentials ended up for sale again as a repackaged database on the dark web.

Zoom had to hire multiple intelligence firms to find the compromised passwords and another firm to shut down thousands of spoof websites trying to trick users into revealing their credentials.

Spotify cleans up second credential stuffing attack in months

In February 2021, attackers obtained a database with the account credentials of 100,000 Spotify users, then used a malicious logger database to try to get access to the accounts with the apparent goal of taking them over. It was the second Spotify credential stuffing attack in months, with the first one happening in November 2020.

Spotify had to prompt all 100,000 impacted users to reset their passwords, as well as urge the hosting ISP to take down the fraudulent database.

How to Detect Credential Stuffing Attacks

Detecting credential stuffing attacks can be challenging since attacks often look like normal user activity. Organizations can detect credential stuffing attacks by implementing an infrastructure access platform with access management and monitoring capabilities. With these tools, IT teams gain broad visibility into all user credentials and activities across all applications, databases, and servers in the network, making it easier to detect an attack.

Together, access management and monitoring ensure that authenticated users can access their accounts without disruption, while also surfacing any abnormal or suspicious login activity at the user or application level.

How to Prevent Credential Stuffing Attacks

Multi-factor authentication (MFA) is a valuable tool for credential stuffing attack prevention that prioritizes both ease of use and security. In addition to a traditional password, MFA requires other ways to authenticate users. Advanced security devices can enable passwordless authentication, such as a biometric reader or smart card. With MFA, attackers have a harder time accessing accounts if they can’t rely on a username and password combination alone or don’t have the necessary device.

Additionally, credential stuffing can be prevented by educating your organization’s users on password security, and prompting them to change passwords on a regular basis. In the event that a password is stolen, this practice has the added benefit of limiting the timeframe in which the stolen password can be used.

Outside of adopting a comprehensive access management platform and MFA, other ways to prevent credential stuffing attacks include using CAPTCHA and security questions, and requiring users to create their own usernames to make them less predictable.

Credential Stuffing vs. Other Cyber Attacks

Credential stuffing vs. password spraying

Credential stuffing involves usernames and passwords that are already known to be associated with a particular account. In contrast, password spraying is when an attacker uses a known username with a commonly used or generic password to try to gain access to the account.

Credential stuffing vs. brute force

A brute force attack differs from a credential stuffing attack in that attackers will run computer-generated combinations of usernames and passwords until they can successfully log in to an account. Essentially, the attacker is “guessing” and using brute force software to do so.

Credential stuffing vs. account takeover

An account takeover is often the result of the process of credential stuffing. Once an attacker successfully gains entry to an account with the user’s credentials, they can then change the account’s security settings, rendering the authorized user unable to access it.

Credential stuffing vs. directory harvest

A directory harvest attack isn’t about compromised credentials but rather about using different permutations of a company’s standard email address format to try to guess valid email addresses using different email address tools. This type of attack is often used to send spam advertising through email.

How StrongDM Simplifies Credential Stuffing Attack Protection

Credential stuffing protection is critical today as widespread data breaches put more and more users’ account credentials at risk. And with advanced technology that makes credential stuffing attacks easier than ever, it’s imperative to mitigate credential stuffing with efficient, simplified credential stuffing solutions.

StrongDM’s infrastructure access platform helps your organization mount a credential stuffing defense through a single-source, centralized process of user authentication and authorization. With one platform, your IT team can securely store user credentials and manage your organization’s authentication methods while monitoring your networks and infrastructure for suspicious activity.

You can ensure your valid users get access to the accounts and systems they need when they need it and prevent credential harvesting at the same time.

Stop Credential Stuffing with StrongDM

Credential stuffing attacks are multiplying as companies continue to digitize and data breaches proliferate. These attacks cost organizations billions of dollars in remediation efforts and diminish the hard-earned trust that’s central to customer relationships, brand reputation, and revenue growth.

StrongDM’s Zero Trust PAM platform provides technical staff with secure access to the critical infrastructure they need to be productive. Prevent credential stuffing attacks with the fast, intuitive, and auditable access required for modern security and compliance.

Ready to get started? Sign up for a free 14-day trial of StrongDM today.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

How to List All Databases in PostgreSQL (6 Methods)
How to List All Databases in PostgreSQL (6 Methods)
Having a complete view of all your databases in PostgreSQL is essential for effective database management. This guide explores six proven methods you can use to quickly list all of your databases.
How to Connect to a PostgreSQL Database (Remotely)
How to Connect to a Remote PostgreSQL Database
Connecting to a remote PostgreSQL database can prove daunting for some teams. Your organization risks losing valuable time, which then leads to lost productivity. Thankfully, there are four different ways to connect to a remote PostgreSQL database and improve your team's efficiency.
What Is Network Level Authentication (NLA)? (How It Works)
What Is Network Level Authentication (NLA)? (How It Works)
Network Level Authentication (NLA) is a security feature of Microsoft’s Remote Desktop Protocol (RDP) that requires users to authenticate before establishing a remote session. By enforcing this pre-authentication step, NLA reduces the risk of unauthorized access, conserves server resources, and protects against attacks like credential interception and denial of service. While effective in securing RDP sessions, NLA is limited to a single protocol, lacks flexibility, and can add complexity in diverse, modern IT environments that rely on multiple systems and protocols.
How to Create a Database in PostgreSQL
How to Create a Database in PostgreSQL
Learn the step-by-step approach to creating a database in PostgreSQL. Our in-depth guide explores two main methods—using psql and pgAdmin.
How to Automate Continuous Compliance in AWS with StrongDM
How to Automate Continuous Compliance in AWS with StrongDM
Enterprises seek ways to effectively address the needs of dynamic, always-evolving cloud infrastructures, and StrongDM has developed a platform that is designed with built-in capabilities to support continuous compliance in AWS environments.