by peter


Credential Stuffing Explained


Risk Rating: HIGH
Likelihood: 4/5
Impact: 4/5


  • Poor login controls
  • Lack of login velocity controls
  • Lack of login limitations
  • No Geofencing controls
  • Lack of detection of compromised accounts

Credential Stuffing Overview

Consider the two Yahoo breaches reported in 2016. A total of 1.5 billion credentials were spilled to the Internet, protected by the weak MD5 hashing algorithm. The thefts took place in 2012 and 2013, giving the criminals up to four years to crack weak protection. Occurrences like this mean that criminals have vast troves of legitimate user credentials — and user password recycling means that many will have been used on other accounts. “The sheer scale of the credential theft and also the prevalence of Yahoo users’ accounts suggests that these stolen credentials have been benefiting cybercriminals over the past few years,” suggests the Shape report (PDF).

2019 was not a good year for Fort Lauderdale-based Citrix Systems, which found itself neck deep in the investigation of a major network breach that had occurred the previous year and had resulted in hackers stealing business documents. The FBI believed the breach stemmed from “password spraying,” otherwise known as credential stuffing: an attempt by hackers to remotely access a large number of accounts at once. According to a Form 10-K filing with the U.S. Securities and Exchange Commission, Citrix believed the perpetrators tried to infiltrate company systems to access content collaboration customer accounts.

What you need to know

With credential stuffing, cybercriminals will use stolen account credentials — often usernames and passwords procured from a data breach — to access additional accounts by automating thousands or millions of login requests directed against your web application. They want to access your sensitive accounts the easy way — by simply logging in. It works because they rely on you or your colleagues reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to almost everything.

Detecting credential stuffing attacks is easy if you are looking for them. Either set up some scripts to alert your security team, or make sure your outsourced SOC-as-a-Service provider is going to detect those attacks.
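A detection script of the kind this paragraph suggests, as an added example that is not part of the original post. It parses a constructed authentication-log format (timestamp, source IP, username, result), flags a source IP that fans out across many usernames with a high failure rate, and goes beyond the paragraph by also flagging the aggregate pattern of many single-attempt failures from distinct "quiet" IPs, which is how an attacker spread across a proxy pool looks to the application. The log format, the sample lines, the function names and the thresholds are all assumptions made for the demo.

```python
"""Detect credential-stuffing patterns in web-application authentication logs.

Added example; this is not code from the original post.  The log format is
constructed for the demo, one event per line:
    <ISO-8601 timestamp> ip=<source address> user=<username> result=<OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate user mistyping once, one source trying many
# usernames within seconds, and six "quiet" proxies each trying a single username.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:03Z ip=198.51.100.7 user=alice result=OK
2024-05-01T10:00:10Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:11Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:12Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:13Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:14Z ip=203.0.113.5 user=frank result=OK
2024-05-01T10:00:15Z ip=203.0.113.5 user=grace result=FAIL
2024-05-01T10:00:16Z ip=203.0.113.5 user=heidi result=FAIL
2024-05-01T10:01:00Z ip=192.0.2.10 user=ivan result=FAIL
2024-05-01T10:01:01Z ip=192.0.2.11 user=judy result=FAIL
2024-05-01T10:01:02Z ip=192.0.2.12 user=mallory result=FAIL
2024-05-01T10:01:03Z ip=192.0.2.13 user=niaj result=FAIL
2024-05-01T10:01:04Z ip=192.0.2.14 user=olivia result=FAIL
2024-05-01T10:01:05Z ip=192.0.2.15 user=peggy result=FAIL
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def _events(lines):
    evs = [e for e in map(parse_line, lines) if e]
    evs.sort(key=lambda e: e["ts"])
    return evs


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any sliding window, tried at least min_users
    distinct usernames with a failure ratio >= min_fail_ratio.  A human who
    mistypes generates failures for ONE username; stuffing fans out across MANY.
    Returns [(ip, distinct_users, attempts, failures), ...]."""
    by_ip = defaultdict(list)
    for e in _events(lines):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                cand = (ip, len(users), len(span), fails)
                if ip not in alerts or cand[1] > alerts[ip][1]:
                    alerts[ip] = cand  # keep the widest fan-out seen
    return sorted(alerts.values())


def find_distributed_spikes(lines, window=timedelta(minutes=5),
                            max_per_ip=2, min_failed_users=5):
    """Attackers behind proxy pools keep every IP under any per-IP limit, so also
    look at the aggregate: per fixed window, count distinct usernames that failed
    from "quiet" sources (<= max_per_ip attempts, none successful).
    Returns [(window_start, distinct_failed_users, quiet_ips), ...]."""
    size = window.total_seconds()
    buckets = defaultdict(list)
    for e in _events(lines):
        buckets[int(e["ts"].timestamp() // size)].append(e)
    spikes = []
    for b in sorted(buckets):
        per_ip = defaultdict(list)
        for e in buckets[b]:
            per_ip[e["ip"]].append(e)
        quiet = {ip for ip, es in per_ip.items()
                 if len(es) <= max_per_ip and not any(x["ok"] for x in es)}
        users = {e["user"] for e in buckets[b] if e["ip"] in quiet}
        if len(users) >= min_failed_users:
            start = datetime.fromtimestamp(b * size, tz=timezone.utc)
            spikes.append((start, len(users), len(quiet)))
    return spikes


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, users, attempts, fails in find_stuffing_sources(lines):
        print(f"ALERT stuffing source {ip}: {users} users, {fails}/{attempts} failed")
    for start, users, ips in find_distributed_spikes(lines):
        print(f"ALERT distributed spike at {start.isoformat()}: "
              f"{users} users across {ips} quiet IPs")
```

Both detectors read the same parsed events; in a real deployment the thresholds would be tuned against a baseline of normal failure rates, and the alert would carry the offending IPs and usernames so the SOC can lock or step-up-authenticate the affected accounts.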

Defending against credential stuffing attacks is really very easy, so it is rather surprising that these attacks work. The first thing you want to do is limit the number of login attempts from a given browser fingerprint. You also want to regularly check every user's password hash to make sure it is not listed in any password dumps; if it is, the user should be forced to change that password. The final step, the ultimate defense, is to use two-factor authentication.
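The three controls above combined in one login path, as an added example that is not the post's own code: a sliding-window limit on attempts per browser fingerprint, a breached-password check modelled on the k-anonymity "range" lookup that breach-corpus services offer (only a 5-character SHA-1 prefix is sent, so the password and its full hash stay on the host), and a second-factor gate. The user store, the fingerprint strings, the local stand-in for the breach corpus, the `mfa_passed` flag and all function names are constructed for the demo.

```python
"""Login hardening against credential stuffing: per-fingerprint attempt limiting,
a breached-password check and a second factor, in the order the checks should run.

Added example; not code from the original post.  The user store, the fingerprint
strings, the local stand-in for a breach-corpus lookup and the mfa_passed flag are
all constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 100_000


class AttemptLimiter:
    """Sliding-window count of login attempts per browser fingerprint (or IP)."""

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, fingerprint, now=None):
        """Record this attempt and return False once the window is exhausted."""
        now = time.time() if now is None else now
        q = self._hits[fingerprint]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, stored):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Constructed stand-in for a breach corpus queried k-anonymity style: the caller
# sends only the first 5 hex chars of SHA-1(password) and gets back the matching
# suffixes, so neither the password nor its full hash leaves the host.
_CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2019!"]
_RANGE_TABLE = defaultdict(dict)
for _pw in _CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _RANGE_TABLE[_h[:5]][_h[5:]] = 1  # 1 = times seen in dumps (constructed)


def range_lookup(prefix):
    """{suffix: count} for one 5-char prefix; stands in for the remote range call."""
    return dict(_RANGE_TABLE.get(prefix, {}))


def is_breached(password, lookup=range_lookup):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in lookup(digest[:5])


# Constructed user store: salted PBKDF2 hashes, so dump hashes cannot be compared
# against them directly; the breach check therefore runs when the plaintext is
# in hand (at login or password change).
USERS = {
    "alice": {"cred": hash_password("correct horse battery staple"), "mfa": True},
    "bob": {"cred": hash_password("Summer2019!"), "mfa": False},
}
DUMMY_CRED = hash_password("dummy")  # keeps timing equal for unknown usernames


def login(username, password, fingerprint, limiter, mfa_passed=False, now=None):
    """Return rate_limited, bad_credentials, password_change_required,
    mfa_required or ok.  The limiter runs first so a blocked source learns
    nothing about the credential; the breach check runs only after the password
    verified, and MFA gates the session even then."""
    if not limiter.allow(fingerprint, now):
        return "rate_limited"
    user = USERS.get(username)
    salt, stored = user["cred"] if user else DUMMY_CRED
    if not verify_password(password, salt, stored) or user is None:
        return "bad_credentials"
    if is_breached(password):
        return "password_change_required"
    if user["mfa"] and not mfa_passed:
        return "mfa_required"
    return "ok"
```

Two design points worth noting. The stored hashes are salted and slow, so the "check every user's password against dumps" step cannot be a direct hash comparison; it has to run at the moment the application holds the plaintext, which is why `is_breached` sits inside `login`. And a per-fingerprint limiter only stops one source: an attacker who rotates proxies stays under it, so the limiter belongs alongside aggregate detection and the MFA gate rather than in place of them.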

How the attack happens

Hackers only need access to login credentials, an automated tool and proxies to carry out a credential stuffing attack. Attackers take a cache of usernames and passwords gleaned from massive corporate breaches and, using automated tools, essentially “stuff” those credentials into the login forms of other sites.

The attack is so simple that it is something we do in every one of our penetration tests where a client does not specifically place it out of scope.

Attack Sources

Proxies mask the location of credential stuffing attackers, making it challenging to pin down where they are. But you’ll find them all over the world, especially in organized cybercrime hotspots. Often, attackers will be individual or organized hackers with access to dedicated account-checking tools and numerous proxies that keep their IP addresses from being blacklisted. Less sophisticated perpetrators may end up giving themselves away by attempting to infiltrate a large number of accounts via bots, which results in an unexpected distributed denial-of-service (DDoS) scenario.