What is Credential Stuffing?

IONOS editorial team01/11/20235 mins

We all use dozens or even hundreds of different online services: email providers, software applications, streaming services, newspaper subscriptions and much more. Each of these services asks us to create a login – usually at least a username and password. Often, however, these login details are stolen in one way or another and are sold as part of large password collections by cyber criminals. Hackers then use this login data by employing methods such as credential stuffing, for example, to make a profit from the stolen data.

Why is credential stuffing so important?

Hackers regularly manage to access the databases of large online services and steal the login details of many, many users. This stolen data is then put up for sale on the dark net in the form of lists. The largest and best-known list is called “Collection #1-5” and contains over 2.2 billion combinations of usernames and passwords – around 900GB of data!

So, what can you do with a list like this? At first glance, not a lot. If a service provider becomes aware of the data theft, they warn their customers and ask them to change their password.

Tip

You can check to see if your email address has been published in the dark web on the Hasso Plattner Institute’s website.

Changing your password does stop hackers from accessing the account concerned. The problem is that many users are creatures of habit. They often use the same email address and password combination for several online services. This is where credential stuffing comes into play as the hackers can then use the stolen login data to their advantage.

Tip

You can find out more about password security in our feature article on the subject. You can also read about how to maintain an overview of all your logins with password managers in our Digital Guide.

Credential stuffing in a nutshell

With credential stuffing, attackers try to use stolen login details (or “credentials”) to access a system. When doing so, they try many different credentials that they have stolen from other online services. The aim of the attack is to obtain further valuable information from the hacked account, such as credit card numbers, addresses, saved documents, contact data – in short: any other data that they may be able to use to make a profit.

According to statistics, around every thousandth login attempt is successful. In other words, an attacker has to try 1000 different sets of login details to break into a system.

How credential stuffing works

A hacker needs four things for a successful “credential stuffing” attack:

A list of login details
A list of popular online services that they want to attack (e.g., Dropbox, Adobe Cloud, Canva, etc.)
A technique that allows them to use a high number of different IP addresses (IP rotation)
A “bot” (computer program) that makes login attempts on the various online services completely automatically

With these bots, hackers can try one login after another, systematically changing the originating IP address each time so that the target server doesn’t block the login attempts, as a well-configured server will usually block an IP address if the number of failed login attempts exceeds a certain threshold.

If the login is successful, the bot can then access the valuable information that we mentioned above. The successful login details are also saved for later use – for example for phishing attacks and other similar attacks.

Credential stuffing is often significantly more efficient that the following hacking methods:

Brute-Force attacks require a much higher number of tries as only random password combinations are tried and not, like with credential stuffing, existing passwords.
Social engineering usually limits the attack to just one platform (e.g., Amazon), while credential stuffing can attack hundreds of different online services at the same time.

How you can protect yourself against credential stuffing

The most simple and secure countermeasure is to use different passwords for different logins. While it’s not exactly convenient, it’s still less of a hassle to come up with a way of remembering all your different passwords than having to change the password for all your logins individually in the event of a security leak.

Tip

Find out how to protect yourself with a secure password.

Effective methods for using different passwords include:

A password formula, that is the same for all passwords. One good method is to mix the platform name with a fixed number combination. So, your password for Dropbox would be dro33pbox22 and for Amazon it would be ama33zon22, for example.
Using a password manager; here you can choose between using an app and a browser add-on.
Using several email addresses and usernames for the different platforms and changing the password each time.

Countermeasures that servers can take

Operators of websites, online stores, and online services have a range of options to choose from when it comes to protecting their users from credential stuffing:

TOTP-based authentication: uses of a one-off temporary password (time-based one-time password) for the login
Multi-factor authentication: works by sending an SMS code to the user’s smartphone, for example
Block headless browsers: like those used by bots
Block traffic from data centers: like Amazon Web Services or IBM Watson, for example, as bots are often operated from data centers like this
Use specialized security software: for example, WordPress offers the plugin Wordfence Login Security
Device fingerprinting: this method identifies different properties of users’ computers, such as the MAC address, the hard drive size, etc. and transforms it into a hash value so that any login attempts from foreign computers can be spotted immediately.

Be secure. Buy an SSL certificate.

Secures data transfers
Avoids browser warnings
Improves your Google ranking

Was this article helpful?

What is SIEM (Security Information & Event Management)?

With timely warnings, cyber threats can be reliably identified and averted. The question is where to get the data from and how to draw the right conclusions. This is where SIEM, short for Security Information & Event Management, comes into play. Any suspicious incidents and…

Encyclopedia
Security

What is IAM? (Identity and Access Management)

In any system based on user accounts, Identity and Access Management has a role to play. So does every application use IAM? How important are Identity and Access Management systems when it comes to corporate compliance? And what features do these systems offer?

Encyclopedia
Security

Gustavo FrazaoShutterstock

How Scamming works and how to protect against it

The internet is not new territory for scammers: Scamming encompasses all tricks that criminals use online in chats, via mail, or over social networks, to get unsuspecting people to give them their money. The criminals play their victims through deceitful methods on almost every…

Data Protection
Security

What is FIDO2?

Passwords are not an ideal way to surf the World Wide Web safely. They are either so complex that they are hard to remember, or so simple that they can be guessed in next to no time. FIDO2 takes a different approach and relies on modern technology. The open standard has the…

Security

What is Log4Shell? Causes and effects of the Java vulnerability

A shock was felt around the world at the end of 2021 when the Log4Shell vulnerability became known to the public. Attackers were able to completely take over remote systems without much effort. All major companies and many of the most widely used services were affected by it. In…

Security
JavaScript