Credential stuffing is an attack technique in which an attacker takes credentials (usually username and password pairs) compromised in a breach of one service and replays them against the login pages of other services in order to gain unauthorized access to the same users' accounts there.
The attack relies on the fact that users tend to reuse the same usernames and passwords across different platforms, a tendency confirmed by a number of studies. For example, the 2018 Global Password Security Report states that up to 50% of users use the same passwords for their personal and work accounts, while an online security survey conducted by Google in 2019 found that 65% of users use the same password for multiple or all of their accounts.
Therefore, if an attacker obtains login credentials from one site, application or service, they can "stuff" those same credentials into the login forms of other services, one after another, and watch for successful logins. A user may not be very concerned about an attacker learning their password for an online forum or a streaming service, but it becomes a serious issue if the same password also protects a bank login or access to corporate systems.
When an attempt succeeds, the attacker gains access to that account and to whatever sensitive information it holds, and now has a confirmed working pair to try against further systems.
The attack scales readily: attackers use bots to submit login attempts for many accounts in parallel, working through large credential lists against a wide array of sites, applications or services.
Compounding the problem, massive databases of stolen passwords and breached credentials are readily available to cybercriminals, shared within hacker communities or sold on dark web markets.
Credential stuffing is sometimes grouped under brute force attacks, but it has a much higher success rate per attempt and needs far fewer attempts. A brute force attack has no prior knowledge of the victim's password and must try candidates exhaustively or from a dictionary of common words, whereas credential stuffing tries only pairs that are already known to have been valid somewhere.
The best defence against these attacks is to use a unique password for every login, ideally generated and stored by a password manager, so that a breach at one site cannot be replayed against another. Several websites let you check whether your e-mail address or password has already appeared in a known breach. Last but not least, enabling multi-factor authentication on your accounts means that a stolen password alone is not enough to log in.
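Checking a password against a breach database does not require sending the password itself. The following is an added example, not code from the article: it implements the k-anonymity lookup used by the Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<prefix>`), where only the first five hex characters of the password's SHA-1 are sent and the service returns every matching suffix with its breach count. The range response embedded here is constructed for the demo (the counts are made up) and the live `fetch_range` helper is included only for completeness; the offline path is what runs.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. The live fetch below is
# optional and is not exercised by the offline demo.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix and
    return how many times that password was seen in breaches (0 if absent).
    The comparison happens locally, so the service never learns which of
    the returned suffixes, if any, was ours."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Live lookup of one hash prefix (network access required)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return the breach count for `password` via the k-anonymity flow.
    `fetch` is injectable so the check can run against a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed range response for prefix 5BAA6 (not a real API reply; the
# neighbouring suffixes and all counts are made up). It contains the real
# suffix of SHA-1("password"), which starts with 5BAA6.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5D7CA6A9E4B1D0F2C3B4A5968778695A4:2
""",
}


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed responses."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, fetch=offline_fetch), "times")
```

A non-zero count means the password is already in attackers' credential lists and should be changed everywhere it is used, not just on the site where it was checked. The same lookup is useful on the service side: rejecting known-breached passwords at registration and password change removes exactly the pairs that credential stuffing relies on.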