Credential stuffing

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application.[1] Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.[2][3]

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites: one survey reported that 81% of users have reused a password across two or more sites and that 25% of users use the same passwords across a majority of their accounts.[4] In 2017, the FTC issued an advisory suggesting specific actions companies should take against credential stuffing, such as insisting on secure passwords and guarding against attacks.[5] According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts.[6] Wired described the best way to protect against credential stuffing as using unique passwords on each account, such as those generated automatically by a password manager, enabling two-factor authentication, and having companies detect and stop credential stuffing attacks.[7]
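The server-side detection mentioned above rests on the signature the article describes: a single source cycling through many different usernames with a very low success rate, rather than one user retrying one account. The following Python script is an added example written for this page, not code from the article or from any of the cited sources. It assumes a simplified authentication-log format of `<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>`; the log lines, the IP addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Assumed log format (one attempt per line, constructed for this example):
    <ISO-8601 timestamp> <source_ip> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: 198.51.100.7 walks through twelve different accounts
# with one hit (the stuffing signature); 203.0.113.5 is one user mistyping
# their own password twice before logging in.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 alice FAIL
2024-01-01T10:00:01 198.51.100.7 bob FAIL
2024-01-01T10:00:01 198.51.100.7 carol SUCCESS
2024-01-01T10:00:02 198.51.100.7 dave FAIL
2024-01-01T10:00:02 198.51.100.7 erin FAIL
2024-01-01T10:00:03 198.51.100.7 frank FAIL
2024-01-01T10:00:03 198.51.100.7 grace FAIL
2024-01-01T10:00:04 198.51.100.7 heidi FAIL
2024-01-01T10:00:04 198.51.100.7 ivan FAIL
2024-01-01T10:00:05 198.51.100.7 judy FAIL
2024-01-01T10:00:05 198.51.100.7 mallory FAIL
2024-01-01T10:00:06 198.51.100.7 oscar FAIL
2024-01-01T10:00:10 203.0.113.5 alice FAIL
2024-01-01T10:00:20 203.0.113.5 alice FAIL
2024-01-01T10:00:35 203.0.113.5 alice SUCCESS
"""

# Tuning knobs (assumed values, not from the article).
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_ATTEMPTS = 8                # do not judge a source on fewer attempts
MIN_DISTINCT_RATIO = 0.8        # distinct usernames / attempts: stuffing cycles accounts
MAX_SUCCESS_RATE = 0.10         # stuffing succeeds rarely (article cites up to ~2%)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    success_rate: float
    # Accounts that DID log in from the flagged source: candidates for
    # forced password reset / session revocation by the defender.
    compromised: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Attempt]:
    """Parse the assumed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return attempts


def detect_stuffing(attempts: List[Attempt]) -> Dict[str, Finding]:
    """Return one Finding per source IP whose sliding window matches the pattern."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings: Dict[str, Finding] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        start = 0
        for end, cur in enumerate(evs):
            # Advance the window start so it only holds attempts within WINDOW of cur.
            while evs[start].ts < cur.ts - WINDOW:
                start += 1
            window = evs[start:end + 1]
            n = len(window)
            if n < MIN_ATTEMPTS:
                continue
            users = {w.user for w in window}
            successes = sorted({w.user for w in window if w.ok})
            rate = len([w for w in window if w.ok]) / n
            # Many distinct accounts plus a low hit rate is the stuffing signature;
            # a single user retrying one account never reaches MIN_DISTINCT_RATIO.
            if len(users) / n >= MIN_DISTINCT_RATIO and rate <= MAX_SUCCESS_RATE:
                findings[ip] = Finding(ip, n, len(users), rate, successes)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)).values():
        print(f"{f.ip}: {f.attempts} attempts, {f.distinct_users} accounts, "
              f"success rate {f.success_rate:.1%}, logged-in accounts {f.compromised}")
```

The legitimate user is never flagged even though two of their three attempts fail, because the distinct-username ratio stays at one third. The flagged source's `compromised` list is the defender's follow-up queue: those accounts were entered with a valid password from a source behaving like a stuffing tool, so a forced reset or session invalidation is warranted regardless of how many other attempts failed. In production the per-IP key would be supplemented with per-ASN, per-device-fingerprint or per-target-account aggregation, since stuffing tools routinely rotate source addresses.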

  1. "Credential Stuffing". OWASP.
  2. "Credential Spill Report" (PDF). Shape Security. January 2017. p. 23. "The most popular credential stuffing tool, Sentry MBA, uses 'config' files for target websites that contain all the login sequence logic needed to automate login attempts."
  3. "Use of Credential Stuffing Tools". NCSC.
  4. "Wake-Up Call on Users' Poor Password Habits" (PDF). SecureAuth. July 2017. Archived from the original (PDF) on 2018-08-12. Retrieved 2018-07-11.
  5. "Stick with Security: Require secure passwords and authentication". Federal Trade Commission. 2017-08-11. Retrieved 2021-04-11.
  6. Ghosemajumder, Shuman (2017-12-04). "You Can't Secure 100% of Your Data 100% of the Time". Harvard Business Review. ISSN 0017-8012. Retrieved 2021-04-11.
  7. "What Is Credential Stuffing?". Wired. ISSN 1059-1028. Retrieved 2021-04-11.