Credential Stuffing: Why It Matters and What You Can Do to Avoid It


Every day, hackers come up with new ways to steal information and wreak havoc on individuals, organizations, and businesses. It seems like we learn about new types of cyberattacks all the time, requiring us to keep a constant and vigilant eye on all our online accounts. That’s exhausting. 

One type of cyber attack that has garnered attention in the last few years is credential stuffing. It’s yet another way cybercriminals try to gain access to information they don’t have a right to see. Credential stuffing is something both companies and individuals should be concerned about.

What is credential stuffing?

When a company has a major data breach, hackers can get hold of login information such as email addresses, usernames, and passwords. These stolen account credentials might become available on the dark web, where hackers buy and sell them among themselves.

A cybercriminal can then use this account info to create a series of automated login attempts. Tools such as Selenium, cURL, and PhantomJS easily allow attackers to automate logins.

Once hackers have access to an account, they can do further damage.

How a credential stuffing attack works

  1. An attacker sets up a bot that logs into multiple user accounts simultaneously, using fake IP addresses.
  2. The attacker then uses this bot to run login attempts on multiple websites.
  3. Then, the attacker looks for successful login attempts and extracts personally identifiable information such as credit card numbers, physical addresses, and Social Security numbers.
  4. The attacker saves account information to use later in phishing attacks.

Why is credential stuffing a threat?

Credential stuffing attacks can lead to a cybercriminal accessing your private data and using it against you. Even if they are able to access an account that doesn’t have any particularly sensitive data, such as the log-in to a Star Wars fan forum you belong to, they can still use that information against you later. 

The attacker might send you a phishing email that looks like it’s from that forum, enticing you to click on a malicious link. They also could use some of the information from your profile to target a cyber attack. We can often forget what random information we share in a public forum. 

Many cyber attacks don’t pose an immediate threat. Instead, hackers gather information about you and “build a profile” they can use to design a personalized attack against you.

Credential stuffing vs. brute force

Credential stuffing is similar to a brute force attack, but not quite the same. Brute force attacks automate password attempts using random strings and common password patterns; they don’t rely on stolen databases of existing credentials like credential stuffing does.

If a brute force attack succeeds, it’s because the user chose a weak, guessable password.

Major credential stuffing incidents

Credential stuffing attacks have made headlines in recent years, creating more awareness and forcing companies to be more cautious when it comes to user logins.

  • Netflix & Spotify: In 2019, a man was arrested in Australia for selling stolen login credentials for Netflix, Spotify, Hulu, and other streaming services accounts. He operated a website where users could pay for access to these credentials until the Australian Federal Police shut it down. The man obtained the stolen login info using credential stuffing.
  • Uber: In 2016, cyber attackers accessed a GitHub repository used by Uber developers and claimed to have stolen credential information from 12 employee user accounts using credential stuffing. By gaining access to the repository, the attackers also accessed 32 million records related to Uber users and drivers. The attackers requested a ransom from Uber to delete the data, and Uber paid through a bug bounty program. When the incident came to light a year later, the UK Information Commissioner’s Office fined the company £308,000.
  • LastPass: In December 2021, password manager provider LastPass announced that it was the target of a credential stuffing attack, but did not see evidence confirming that any user accounts had been compromised.

How website owners can prevent credential stuffing

If you operate a website, use these tips to avoid a credential stuffing attack:

  • Require users to have multi-factor authentication (MFA) to log in: Use an authentication method that requires something users possess, rather than what they know. For example, sending an SMS with a code is more secure than asking a security question.
  • Use CAPTCHA: CAPTCHA requires users to perform an action proving they’re not a bot, which can help protect against automated credential stuffing attacks.
  • Blacklist IP addresses: If you get alerts about multiple failed login attempts from the same IP address, add that IP address to your blacklist so your website never allows access from that address. If your website runs on WordPress, you can use the Wordfence plugin to block IP addresses this way.
  • Block headless browsers: A headless browser is a web browser without a graphical user interface that allows automated control of a web page. Many credential stuffing attacks are powered by headless browsers, so block access to them on your website.
  • Require usernames other than email addresses: Credential stuffing attacks are more successful when emails are used as usernames. Users hardly ever change their email addresses. When a user signs up for an account on your site, require them to create a username instead.
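
As an added example (not code from the original article), this Python sketch shows how the failed-login monitoring behind the IP-blocking tip could tell credential stuffing apart from brute force, using the difference described earlier. The log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
# Constructed sample log, assumed format: "timestamp ip username OK|FAIL".
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i}Z 203.0.113.7 user{i}@example.com FAIL" for i in range(6)]
    + [f"2024-05-01T10:01:0{i}Z 198.51.100.9 admin FAIL" for i in range(6)]
    + ["2024-05-01T10:02:00Z 192.0.2.4 carol FAIL",
       "2024-05-01T10:02:09Z 192.0.2.4 carol OK"]
)

def parse(line):
    """Return (ip, username, succeeded) for one log line."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def classify_sources(lines, min_failures=5, stuffing_ratio=0.8):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'.

    Stuffing tries one leaked pair per account, so failures spread over
    many distinct usernames. Brute force makes many guesses at few accounts.
    """
    failed = {}                         # ip -> usernames of failed logins
    for line in lines:
        ip, user, ok = parse(line)
        failed.setdefault(ip, [])
        if not ok:
            failed[ip].append(user)
    verdicts = {}
    for ip, users in failed.items():
        if len(users) < min_failures:
            verdicts[ip] = "normal"     # an occasional typo, not an attack
        elif len(set(users)) / len(users) >= stuffing_ratio:
            verdicts[ip] = "stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts

def blocklist(verdicts):
    """Source IPs to hand to the site's block list."""
    return sorted(ip for ip, v in verdicts.items() if v != "normal")

def failure_ratio(lines):
    """Site-wide share of failed logins; it rises even when IPs rotate."""
    outcomes = [parse(line)[2] for line in lines]
    return 1 - sum(outcomes) / len(outcomes)

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_LOG)
    print(verdicts)
    print(blocklist(verdicts), round(failure_ratio(SAMPLE_LOG), 2))
```

Because the bot described in step 1 spreads its attempts over many source addresses, per-IP counts alone can miss a distributed run; the site-wide failure ratio is the complementary signal to alert on.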

How individuals can protect themselves against credential stuffing

To prevent attacks such as credential stuffing and brute force attacks, a great deal of responsibility lies on website owners. As an individual, however, you should practice good cybersecurity if you want to protect yourself against these kinds of attacks. Here are two things you can do to help secure your accounts:

  • Use a new password and username for each account: Credential stuffing relies on users reusing the same credentials across all of their accounts, so don’t do that. For each new account you create, choose a unique username and password. You can manage all your credentials with a password manager.
  • Activate MFA: If the website or service provider has two-factor authentication (2FA) or MFA as a security option, enable it. MFA factors can be knowledge-based (like a security question), possession-based (like an SMS with a code sent to a mobile device), or biometric-based (like fingerprint readers or facial recognition scanners). Knowledge-based factors are the easiest to crack, so go for possession-based or biometric-based when possible.

Credential stuffing: don’t make it easy for attackers

When we’re lazy and don’t take the time to use a password manager or enable MFA, we create the perfect opportunity for cyber attackers to strike. By now, you should realize that you must use caution every time you connect to the Internet. You never know what hackers will come up with next, so it pays to stay on your guard.
