Credential stuffing

A cyber attack method in which stolen account credentials are replayed against other services to gain unauthorized access to user accounts across various platforms.

Description

Credential stuffing is a type of cyber attack that exploits the tendency of users to reuse passwords across multiple online services. Attackers obtain stolen credentials, typically username and password pairs leaked in data breaches, and use automated tools to try them against the login forms of other websites and applications. Because many users keep identical or similar credentials on different platforms, this method can be highly effective. Attackers may target high-value accounts, such as those tied to banking, e-commerce, or social media, where they can commit fraud or sell the access for profit. In the context of Non-Human Identities (NHIs), credential stuffing is particularly concerning because the automated bots driving the attack impersonate legitimate users at scale, leading to data theft, account takeovers, and potentially significant financial loss. Organizations need to implement robust security measures, such as multi-factor authentication and anomaly detection, to mitigate the risks associated with credential stuffing.

Examples

  • An attacker uses a list of breached usernames and passwords to access multiple e-commerce sites, leading to unauthorized purchases.
  • A bot automatically tries stolen credentials on various social media platforms, successfully logging into several accounts to spread misinformation.

Additional Information

  • Credential stuffing attacks can be mitigated through the use of CAPTCHA systems to differentiate between human users and automated bots.
  • Implementing password policies that encourage unique passwords and using password managers can reduce the likelihood of credential stuffing success.
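The anomaly detection mentioned in the description can key on the traffic shape that sets credential stuffing apart from a brute-force attack: one source trying many different usernames, each once or twice, with most attempts failing. The sliding-window detector below is an added example written for this page, not code from the original; the log format and the sample log lines are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol OK
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:04 203.0.113.7 erin FAIL
2024-05-01T10:00:05 203.0.113.7 frank FAIL
2024-05-01T10:01:00 198.51.100.4 alice FAIL
2024-05-01T10:02:00 198.51.100.4 alice OK
2024-05-01T10:03:00 192.0.2.9 grace OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that, inside one sliding time window, try many
    distinct usernames with a high failure rate: the signature of replaying
    a breached list (a brute force or a mistyped password touches one account)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start so attempts[start:end+1] spans <= window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # keep the latest qualifying window; successful logins inside it
                # are the accounts whose reused password worked (force a reset)
                alerts[ip] = {"distinct_users": len(users),
                              "attempts": len(span),
                              "fail_ratio": round(fails / len(span), 2),
                              "compromised": sorted(u for _, u, ok in span if ok)}
    return alerts
```

On the sample log only 203.0.113.7 is flagged; 198.51.100.4 repeats a single username and so looks like a user retrying their own password, not a stuffing run.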
