What is Credential Stuffing Attack?


As cyber security professionals off lately one would have come across users reporting their accounts being hacked or experienced the same for self; but organisations hosting those accounts in denial of being breached. This could most probably be a credential stuffing attack. The consequences of credential stuffing attacks to organisations could be financial loss such as regulatory fines, operational cost and reputational loss such as customer loss and in turn brand image and revenue loss.


  • Credential Stuffing Attack is a type of cyber-attack where attackers use credentials i.e. usernames-passwords of user’s accounts that are leaked at other sites or sold in the dark web to gain illegal access.

  • Attackers attempt to use the stolen set of credentials against multiple websites in order to compromise and take full control of user accounts.

  • Before that, attackers purchase toolkits on the dark web such as CAPTCHA solvers, bots, computer programs, toolkits, or software to automatically test the list of breached credentials to counteract existing credentials.

  • It is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purpose.

  • It is reported on an average daily one million user names and passwords are stolen or spilled.


Examples of Credential Stuffing Attacks

  • Credential Stuffing isn’t a new technique, it is recently used more often. It first surfaced into limelight in 2011 during the Sony breach an then followed by Yahoo in 2012.

  • Attacks in last 6 months have seen a spike in credential stuffing technique wherein attackers gain unauthorised access to user accounts which in turn leads to financial frauds or identity theft.

  • In November 2018 one of the largest banks, HSBC, was hit by a major credential stuffing attack which jeopardised their customers financial security.

  • Recently in February 2019 Dunkin Donuts was targeted second time within the span of 3 months of this attack.

  • Reddit, Deliveroo, Sizmek, Basecamp are a few other organisations which have been under the credential stuffing attack this year and the trend is just increasing.


Possible Causes:

  • Firstly the hackers are using stolen credentials of users which are legitimate. It is extremely difficult for cyber security operations team to decipher such attacks at an early stage.

  • Furthermore, the hackers are getting more skilled to perform such attacks and the tools for collections of breached data have become more and more powerful.

  • Due to layered security architecture in most organisations complexity of hacking into a system has become increasingly difficult. Thereby this method allows attackers to gain access to stolen credentials and allow them lateral movement.

  • Due to above factors, all the more this technique is becoming more popular amongst the attackers since it is simple and pretty straightforward.

Way Forward to stay Protected against such attacks:

  • The possible solution to such a dangerous attack revolves majorly around PASSWORD.

  1. In order to stay protected NEVER use a same password across multiple sites or accounts.

  2. It is ALWAYS recommended to use strong (i.e alpha numeric), complex and unique passwords that are difficult to crack.

  3. It is HIGHLY recommended to keep changing your unique password for each account over regular intervals.

  4. ENABLE two factor authentication or multifactor authentication while login and logout after the session is complete. This adds an extra layer of security to your digital assets and makes it difficult for cybercriminals to breach your account.

  5. DO NOT connect to Public WIFI unless it is critical and never ever perform a financial transaction.


#credentialstuffingattack #databreach #password #CAPTCHA #authentication #WIFI #hack