What is a Credential Stuffing Attack? Examples & Mitigation
Credential stuffing is a widespread type of hacking attack. Malicious actors get hold of login credentials leaked from third-party websites and apps and submit the stolen information on other sign-in pages to gain access to accounts that belong to others. They try login and password combinations at a very high speed, literally stuffing credential data into the form.
Credential cracking is another common term for this phenomenon. It is close to stuffing in essence but not entirely synonymous with it. We explain the difference between the two approaches in a dedicated section of this article.
Credential stuffing and credential cracking attacks can lead to substantial damage. Companies can lose large amounts of money and their reputation might get seriously tarnished. Marriott, the renowned hotel network, and Zoom, the video-conferencing solution that became a massive hit during the pandemic, once were among the victims of this cybercrime variety.
In this text, we’ll specify the essence of credential cracking and credential stuffing attacks. We’ll provide their brief historical background and share real-life cases of companies that failed to protect their customers’ accounts. Plus, we’ll explain how our BotBye! solution can protect you against hackers who specialize in stuffing credential data.
Role of Automation in Credential Stuffing
Stuffing credential details manually would take too much time and effort, so hackers use bots for this purpose. They feed the bots with logins and passwords from databases bought on the black market.
Such databases can contain information about thousands of users, and their prices tend to be affordable. Of course, hackers can collect other people’s logins and passwords themselves to use them for credential stuffing. However, it’s cheaper and easier to purchase ready-to-use data collections.
Historical Background of Credential Stuffing Attacks
Credential stuffing attacks have been around for a decade. In 2014, darknet users came across the first offers of such tools. The cheapest tools capable of stuffing credential data cost around $50 back then. Their most advanced counterparts were around five times more expensive. Typically, such solutions were designed to hack a particular website or app.
First, the credential stuffing tool would validate the combination of logins and passwords. Second, the malicious actor would have to purchase a dedicated solution to gather the information about the targeted account. This is how things worked in the second half of the 2010s.
By today, the process has become much simpler. The overall investments in the credential stuffing pack can be as low as $500. Such a sum is enough to purchase the following:
- Databases with people’s logins and passwords
- Tools that insert login and password combinations on sign-in pages
- Access to proxy services that disguise the hacker’s whereabouts
Modern credential stuffing instruments are fast and powerful. They can target multiple resources at once, trying to insert hundreds of thousands of combinations.
Credential stuffing attacks take place every day. According to statistics, credential stuffing attempts account for over 90% of global e-commerce login traffic.
Essence of Credential Cracking
As said above, credential cracking attacks are similar to their credential stuffing counterparts but are not entirely identical to them. Credential cracking relies on brute force. Instead of employing a smart approach typical of credential stuffing, the hacking tool primitively tries multiple combinations of login and password pairs. This method works well with simple passwords — that is, passwords that meet at least one of these criteria:
- Contain personal details of the account owner
- Feature fewer than a dozen characters
- Are a dictionary word
Millions of people don’t bother to invent complex passwords. Maybe, it’s just carelessness. Or, they might be unaware of the potential consequences. The easier it is to guess your password, the better for cybercriminals who leverage stuffing credential data.
Real-Life Cases of Credential Stuffing and Credential Cracking
On the Internet, you can find dozens of examples of successful credential stuffing and credential cracking attacks on various well-known businesses. Here, we’d like to concentrate on two cases.
The first one was related to Dunkin’ Donuts and took place in 2019. This company has a DD Perks reward program. Its members earn points that grant them access to free drinks and special offers. Hackers resorted to stuffing credential data to steal bonus points from the clients. They managed to access over 1,000 accounts out of 10 million existing ones.
Soon after that, Disney+ fell prey to credential stuffing. This streaming service was about to be launched and the brand’s audience heartily anticipated it. To people’s dismay, their logins and passwords became available for sale on the darknet almost immediately after the streaming went live. Credential stuffing professionals stole customers’ details from the Disney+ website. By the way, we have a dedicated article about web scraping where we explain how hackers steal data from third-party websites and how to prevent it.
As you see, even famous global businesses suffer from credential cracking and credential stuffing attacks. It’s obvious that all organizations should protect themselves from these threats.
Benefits of Credential Cracking and Credential Stuffing Attacks, from the Hackers’ Perspective
Credential cracking and credential stuffing attacks can deliver substantial profit to their initiators. When a hacker enters an account that doesn’t belong to them, it’s known as an account takeover. Depending on which site or system this account is associated with, the hacker can get hold of a third party’s private data, funds, and other assets.
The most common purpose for credential stuffing and credential cracking is stealing money. Imagine that a hacker gets to know the number and other details of someone else’s credit card. Here is what they can do with it:
- Use the card to pay for goods or services that they want for themselves
- Sell the card’s details on the darknet so that others can leverage them
Malicious actors often practice credential stuffing for bank cards during the main shopping holidays. Otherwise, they may know that a specific website is experiencing a traffic spike — it’s a good time for credential stuffing because the account takeover attempts will be likely to pass unnoticed.
Alternatively, hackers can steal people’s private data instead of money. They might leak this information online so that anyone can access it for free — or sell it to other cybercriminals.
Organizations that fail to protect themselves against credential stuffing and credential cracking attacks can face the following consequences:
- Lose a part of their client base forever
- Lose their products irretrievably
- Pay fines charged by the regulatory bodies
- Pay card processing fees, chargebacks, and other expenses related to fraudulent operations
- Slow down their growth and development because their departments have to fix the cybercrime consequences
Hackers who practice stuffing credential data can attack any business that has a sign-in page. However, their preferred targets belong to the following sectors: e-commerce, retail, social media, finance, IT, transportation, travel, and restaurants.
Mechanisms of Credential Cracking and Credential Stuffing Attacks
One of the reasons why credential stuffing and credential cracking attacks often succeed is people’s carelessness. To access 98% of all user accounts in all systems and services, it’s enough to try only the 10,000 most frequently used passwords. For a tireless bot, 10,000 is not a big deal. To make the process of stuffing credential data even simpler, over 80% of individuals use identical passwords for their accounts in various services. Here is how most credential stuffing attacks unfold:
1. The hacker builds or buys one or several bots. Often, the bots mimic organic human behavior and rely on multiple IPs, scattered around the world.
2. For a while, the bot will be busy stuffing credential data – that is, trying to break into people’s accounts. It might be able to target many web pages simultaneously. When the bot reaches its goal, this is known as an account takeover (ATO). We have an informative article about ATO on our website – feel free to check it!
3. Inside the account, the bot will complete the actions that its owner pre-programmed into it. For instance, it can make a purchase, using the victim’s money. Or, it can extract the person’s ID details and payment details to a database.
4. At the end of the credential stuffing session, the hacker can obtain large amounts of stolen data. They can put it on sale on the darknet or use it themselves for further nefarious purposes.
So, that was credential stuffing. With cracking, the scheme is largely similar. The only difference is that the bot won’t try to break into the account using stolen passwords. Instead, it will be trying the most common and obvious passwords one by one.
Aftermaths of Unsuccessful Credential Stuffing and Credential Cracking Attacks
We already explained the essence of successful credential stuffing and credential cracking attacks. Now, let’s have a look at the consequences of the attempts that fail:
- When bots are stuffing credential data into your sign-in page, they consume the bandwidth that you pay for. If the bots account for around 3% of your traffic, you won’t lose too much on them. However, credential stuffing attempts can consume over ⅔ of your traffic. In this case, your server load will skyrocket. It would be much wiser to let genuine clients use this bandwidth.
- Credential stuffing can increase your website’s or app’s downtime. Your business will remain inaccessible to genuine customers for too long. They might lose patience and switch to your competitors.
- Even if credential stuffing doesn’t cause downtime, your site or app might slow down. This can make your audience suspicious. It’s especially disturbing when the sign-in page, or the pages where people need to enter their payment details, reacts too slowly. Again, your clients might leave and never come back.
Last but not least, if a hacker is stuffing credential data into your system right now, they might succeed sooner or later. It’s absolutely necessary to stop such attempts as soon as you detect them.
Credential Stuffing Symptoms
When a malicious actor is stuffing credential data into your website or mobile app, you might notice the following symptoms:
- Your website or mobile app goes down because of a suspicious traffic spike
- Too many users try to sign in from different devices and/or unusual locations
- The login-failure rate is higher than usual
This list is not exhaustive. Hackers who practice credential stuffing regularly come up with new tools and techniques. They do their best to remain unnoticed for as long as possible.
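The three symptoms above (a traffic spike, sign-ins from many locations, and a raised login-failure rate) can all be read off ordinary sign-in logs. The following Python script is an added illustration, not code from BotBye! or from this article: it parses a constructed sample of sign-in records (timestamp, client IP, username, outcome), computes the overall failure rate against an assumed baseline, lists IPs that tried many distinct accounts, and lists accounts attempted from several different /24 networks. The thresholds (baseline failure rate, minimum number of accounts per IP, minimum number of subnets per account) are assumptions to be tuned per site.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sign-in log lines (not real traffic):
# "<timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice OK
2024-05-01T10:00:04Z 203.0.113.11 bob FAIL
2024-05-01T10:00:05Z 203.0.113.11 bob OK
2024-05-01T10:00:09Z 198.51.100.7 alice FAIL
2024-05-01T10:00:10Z 198.51.100.7 carol FAIL
2024-05-01T10:00:10Z 198.51.100.7 dave FAIL
2024-05-01T10:00:11Z 198.51.100.7 erin FAIL
2024-05-01T10:00:11Z 198.51.100.7 frank FAIL
2024-05-01T10:00:12Z 198.51.100.7 grace FAIL
2024-05-01T10:00:12Z 198.51.100.7 heidi OK
2024-05-01T10:00:13Z 192.0.2.20 alice FAIL
2024-05-01T10:00:14Z 192.0.2.130 alice FAIL
2024-05-01T10:00:15Z 198.51.100.200 alice FAIL
"""


def parse_log(text):
    """Parse 'timestamp ip username outcome' lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def failure_rate(events):
    """Share of sign-in attempts that failed; a sudden rise is a classic stuffing symptom."""
    if not events:
        return 0.0
    failed = sum(1 for e in events if not e["ok"])
    return failed / len(events)


def ips_trying_many_accounts(events, min_users=5):
    """IPs that attempted at least min_users distinct usernames: one bot walking a stolen list."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def accounts_from_many_subnets(events, prefix_len=24, min_subnets=3):
    """Accounts attempted from at least min_subnets distinct networks: a sign of rotating proxies."""
    nets_by_user = defaultdict(set)
    for e in events:
        net = ipaddress.ip_network(f"{e['ip']}/{prefix_len}", strict=False)
        nets_by_user[e["user"]].add(str(net))
    return {u: sorted(n) for u, n in nets_by_user.items() if len(n) >= min_subnets}


def analyze(text, baseline_failure_rate=0.2):
    """Combine the three checks; the baseline rate is an assumed figure from quiet periods."""
    events = parse_log(text)
    rate = failure_rate(events)
    return {
        "failure_rate": rate,
        "failure_rate_alert": rate > 2 * baseline_failure_rate,
        "spraying_ips": ips_trying_many_accounts(events),
        "accounts_many_subnets": accounts_from_many_subnets(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In practice the baseline failure rate comes from your own historical logs, and the per-IP check should be run over a sliding time window rather than the whole file; the structure stays the same.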
Many credential cracking and credential stuffing attacks pass below the radar for business owners and managers who lack tech expertise. That’s why it’s vital to hire or outsource a team of skilled IT professionals who will be continuously monitoring the situation. Plus, it’s crucial to deploy an advanced solution against credential stuffing — such as BotBye!.
Prevention of Credential Stuffing Attacks
Years ago, security software used to take IP reputation into account. If a user had never been engaged in any malicious activities, their IP address wasn’t classified as a risky one. And vice versa, if an IP address was compromised once, that was a reason to include it in a blacklist. Hackers who specialized in stuffing credential data were well aware of this. They began to attach credential stuffing bots to IP addresses with impeccable reputations. This move made bot identification more challenging. Cybersecurity experts had to switch to a more advanced approach to discovering malicious actors. By the way, we have an informative article about bot detection.
Here are the most efficient methods that can help you detect and prevent a credential stuffing or cracking attempt:
- Remind your clients about the necessity to invent strong and unique passwords. You can prevent your sign-up form from accepting weak passwords. This measure is unlikely to put off a large number of new users.
- Enable multi-factor authentication (MFA) for accounts. You may make it mandatory, but bear in mind that not everyone likes it. Some customers may consider it undesirable interference and leave your website or app.
- Monitor the IP addresses that reach your sign-in page for signs of a proxy service, which can be a symptom of credential stuffing. Look for accounts whose sign-in attempts arrive from many different subnets.
- Ask your IT team to analyze the previous cybercrime attempts that targeted your organization. Identify their patterns and stay on the alert against them.
- Teach your employees to detect credential stuffing and take the basic measures against it without delays.
- Most importantly, deploy a dedicated solution that will help you combat credential stuffing – such as our BotBye!.
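The first item above, rejecting weak passwords at sign-up, follows directly from the three criteria given in the credential cracking section (personal details of the owner, fewer than a dozen characters, a dictionary word) and from the observation that the most frequently used passwords cover most accounts. The Python check below is an added example, not BotBye! code: it applies those criteria to a candidate password together with the account holder’s username, e-mail and name. The common-password set and dictionary are tiny constructed stand-ins for the real lists a deployment would load from files, and the 12-character minimum is an assumption chosen to match "fewer than a dozen".

```python
import re

# Constructed stand-ins: a few entries of a common-password list and a tiny dictionary.
# A real deployment loads full lists from files.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin123"}
DICTIONARY = {"sunshine", "dragon", "football", "monkey", "welcome", "princess"}
MIN_LENGTH = 12  # assumption matching "fewer than a dozen characters"


def personal_tokens(username="", email="", full_name=""):
    """Pieces of the account holder's own details that a password must not contain."""
    tokens = {username, email.split("@")[0]}
    tokens.update(full_name.split())
    return {t.lower() for t in tokens if len(t) >= 3}


def password_problems(password, username="", email="", full_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    # Strip digits and symbols so 'Dragon2024!' is still recognised as the word 'dragon'.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if letters_only in DICTIONARY:
        problems.append("is a dictionary word with digits/symbols added")
    for token in sorted(personal_tokens(username, email, full_name)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    return problems


def is_acceptable(password, **identity):
    """True when the sign-up form should accept the password."""
    return not password_problems(password, **identity)


if __name__ == "__main__":
    identity = {"username": "jsmith", "email": "john.smith@example.com", "full_name": "John Smith"}
    for candidate in ["Dragon2024!", "JohnSmith2024rocks!", "correct horse battery staple 7!"]:
        print(candidate, "->", password_problems(candidate, **identity) or "accepted")
```

Returning the full list of problems rather than a single yes/no lets the sign-up form tell the user exactly what to change, which keeps the measure from turning new users away.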
A robust protective solution can detect when a bot is stuffing credential data, based on the analysis of its behavioral and technical specifics. It will easily tell an automated tool from a well-intentioned human. Your genuine customers will have a pleasant experience on your website or in your app.
As soon as the solution detects credential stuffing, it can block the bots immediately. Alternatively, it can refrain from taking action and warn you instead. It will be up to you to decide how to react to the attack. You’ll be able to configure the software with the right course of action before it begins to perform its duties.
Employ BotBye! to Prevent Credential Cracking and Credential Stuffing Attacks
Our BotBye! solution can protect you from credential stuffing across all your systems, products, websites, APIs, and applications. Besides, it can also combat account takeover, fake account creation, and web scraping. On our site, you can find comprehensive articles on all these issues.
BotBye! will check the behavior of all your visitors, precisely differentiating genuine users from automated tools. It won’t allow data or money thefts and it will boost the overall security of your product. Thanks to it, your website, API, or app will always boast top performance. You’ll get insightful reports about your traffic, which can serve analytical purposes.
BotBye! can prevent credential stuffing for organizations from all industries, be it remote learning, medicine, or banking. It smoothly integrates with many other technological solutions and you can quickly deploy it on your existing infrastructure. Your developers will appreciate its user-friendly documentation and intuitive APIs. BotBye! is available in two versions: cloud or on-premise.
Feel free to sign up for BotBye! right now! Our product will efficiently protect your business against credential stuffing and cracking.