Understanding credential stuffing and how to prevent it

Since 2020, the number of reported cyberattacks has almost doubled, resulting in billions of compromised records and total direct losses amounting to almost $28 billion. The advent of widely available generative AI is unleashing even more sophisticated threats that many organizations are unprepared for.

According to the NSA’s director of cybersecurity, AI makes cyber-criminals “more effective and more dangerous.” It’s hard to deny that the digital world can be a risky place to do business. To protect your company and your customers, you need to understand the scale of the threat.

Credential stuffing is one of the most common types of cyberattacks and can be the first step toward an even more damaging incident. Read on to learn how to prevent credential stuffing with robust security measures and comprehensive customer journey data analysis.

What is credential stuffing?

Credential stuffing is a cyberattack in which a bad actor uses a computer program to automate account login attempts using hundreds or thousands of stolen usernames and passwords. Attackers can exploit commonly available web automation tools or specifically designed hacking tools to rapidly try credentials against a list of target sites, hoping to find the one that lets them in.

How are credentials leaked?

Fraudsters will look for any opportunity to steal login information which could give them unauthorized access to user accounts. Credentials can be compromised through various methods including:

• Data breaches
• Phishing
• Malware
• Weak passwords
• Social engineering
• Insider threats
• Unsecured Wi-Fi networks
• Accidental exposure

Unfortunately, 61% of Americans have had their personal data stolen at some point in their lives. Frequently, the stolen data winds up on databases that are then put up for sale on the dark web and bought by cybercriminals who use them in credential-stuffing attacks.

Why is credential stuffing significant?

With so many accounts, apps, and services requiring usernames and passwords, people often reuse the same credentials over and over. According to Google, 52% of users reuse the same password for different accounts, and 13% reuse the same password everywhere. This increases the chances that a hacker could gain access to multiple applications with one trove of stolen credentials.

Credential stuffing attacks are depressingly common and account for 91% of all login attempts to eCommerce websites. In 2022, the FBI discovered two publicly accessible websites selling 300,000 sets of credentials stolen in credential-stuffing attacks. The sites had over 175,000 registered customers.

These attacks can have serious consequences for both customers and businesses including:

• Identity theft
• Fraud
• Financial losses
• Reputational damage
• Financial penalties
• A chain of data breaches caused by password reuse

Real-life credential stuffing attack examples

Hackers have successfully used credential-stuffing attacks against a wide range of businesses and organizations. Each attack causes damage and creates victims, but it’s critical to learn from the unlucky experiences of others. Some high-profile targets have included:

• 23andMe

In 2023, a bad actor stole the personal genetic information of 6.9 million individuals using credential stuffing attacks and then gained access to connected accounts via the application’s “DNA Relatives” features.  

The company now has dozens of pending class action lawsuits, investigations by multiple U.S. state attorneys general, and a joint consumer data privacy violation probe led by Canada and the U.K. As of this writing, the company is under threat of delisting and has indicated in recent filings that it is considering a go-private stock buyback.

• Change Healthcare

Change Healthcare, a subsidiary of the UnitedHealth insurance company, was targeted by a massive cyber attack in early 2024, potentially exposing the personal information of a “substantial portion” of the US population.

The hackers used compromised credentials to breach company accounts and install ransomware onto the company’s system. While as of this writing, the details of this attack are continuing to emerge, the immediate cost was $22 million, mostly paid as a ransom to regain control over the lost system.

Following the incident, shares in UnitedHealth also took a hit to the tune of $872 million. The company CEO, who was eventually hauled in front of US Congress, admitted that the lack of multi-factor authentication (MFA), a relatively simple security measure, enabled the attack.

• Roku

In April 2024, it was reported that 591,000 Roku accounts had been compromised by yet another credential-stuffing attack. Cybercriminals were able to gain access to accounts and make unauthorized purchases using stored payment information.

Roku suggested the attack was the result of users reusing passwords from other sites. “There is no indication that Roku was the source of the account credentials used in these attacks,” the company said. In an unusual move, Roku made MFA mandatory for all accounts in an attempt to reduce future attacks.

• Paypal

In 2022 35,000 PayPal customer accounts were breached when hackers used compromised credentials to gain unauthorized access. PayPal responded by immediately resetting the passwords of affected accounts and implementing enhanced security features.

In the fallout, some blamed users for re-using passwords, while others pointed out that MFA was not enforced by default.

• Ticketfly

In one of the most catastrophic attacks to date, in 2018, the popular event booking site known as Ticketfly had to shut down after its website was hacked. Users attempted to log in but instead of getting access to their accounts, they were met with an image of the anarchist anti-hero from “V for Vendetta”.

The attack exposed the private account data of millions of users and made it available for download. The site was closed permanently less than 6 months later and is no longer accessible on the web.

Detecting and preventing credential stuffing as an organization

Although users reusing passwords from other sites can leave your organization exposed to credential stuffing, there are strategies and tools you can employ to detect and stop this threat before it damages your company. Let’s look at how to prevent credential stuffing effectively.

Here are the most important steps to take include:

• Enforce robust passwords and multi-factor authentication (MFA)

A secure password policy should require a minimum length of 12 characters and a combination of uppercase and lowercase letters, numbers, and special characters. Passwords should be unique for each account and avoid using personal information.

Even stronger protection can be provided by passphrases that consist of a series of random words that are easy to remember but difficult to guess. Regular password and passphrase changes, such as every 90 days provide additional security.

Multi-factor authentication helps you avoid the risks of credential stuffing by requiring an extra layer of verification beyond just a username and password. MFA involves users providing two or more distinct forms of identification to access an account or system, such as a password plus a physical token or a code sent by email, SMS, or to a mobile app. This makes it much harder for attackers to gain unauthorized access, even if they have stolen login credentials.

• CAPTCHAs and other security measures

CAPTCHAs can protect your online login forms from credential stuffing by making it more difficult for automated bots to enter information. While there are multiple ways to defeat CAPTCHA, today it can still serve to slow down credential-stuffing attacks.

Additionally, you can implement IP address blocking after a certain number of failed attempts. This effectively stops hackers from being able to try thousands of usernames and passwords in rapid succession.

• Online fraud detection software

Fraud detection or credential stuffing detection software can be used to monitor user behavior and detect unusual or suspicious activity. This enables your business to quickly identify and respond to potential attacks, limiting the damage of credential stuffing attempts.

• Attack detection and impact mitigation solution

The Spec platform offers effective credential stuffing detection and mitigation that can detect the attack signatures of credential stuffing attacks by analyzing activities via customer journey data.

Spec can then take action that mitigates impact, honeypots attackers, and disrupts their data collection, discouraging them from returning to the application.  

Learn more about Spec’s customer journey data platform

While most traditional online fraud detection systems attempt to stop credential stuffing via bot detectors and API-based fraud detection tools, these approaches often fall short as cybercriminals have already devised workarounds, such as employing proxy IPs and AI agents to mask their activities.

In contrast, Spec’s customer journey platform detects fraudulent activity, then takes mitigating action via alternative journeys and honeypots. By providing an end-to-end view of each journey, from pre-login to post-transaction, Spec empowers you to swiftly identify compromised accounts and take proactive measures that protect good customers, brand reputation, and revenue.

The Spec no-code platform operates at the network edge, allowing deployment in a matter of hours without engineering resources, and doesn’t have the same data leakage vulnerabilities of API-based fraud tools. Spec also offers data orchestration capabilities, enhancing the investments your team has made in your current fraud stack.

To learn more about how to safeguard your revenue, maintain customer trust, and gain peace of mind, discover how Spec helped crowdfunding platform Indiegogo prevent account takeovers that previously led to costly chargebacks. Read the full Indiegogo case study now!