Credential Stuffing

The Full Economic Cost of Credential Stuffing Attacks

October 20, 20214 min Read

credential stuffing

Credential Stuffing attacks are one of the fastest-growing issues in the fraud landscape and something that affects all businesses and consumers. They are rising in both severity and frequency, and are popular among fraudsters because they are relatively cheap and easy to launch.

Credential stuffing attacks cost businesses and consumers billions of dollars per year. For fraudsters, however, they are a goldmine. That’s because the tools they use to launch these attacks at scale are cheap to come by, meaning they can launch a massive amount of attacks for little cost and only need a small percentage of them to be successful in order to turn a profit. 

This is also a good entry point for the enterprising person looking to start a career in fraud. Years of massive data breaches have made it easy to acquire combo lists of usernames and passwords. The tools to launch these attacks at scale are readily available and there are even YouTube tutorials on how to run them. There is no need to write code or create your own infrastructure. 

The Economics of Credential Stuffing

Credential stuffing attacks are a financial drain on businesses. In addition to the costs associated with remediating the attack itself, there are numerous burdens placed on operational efficiency as well as quantifiable and unquantifiable downstream costs. 

Direct losses include the immediate costs related to remediating and restoring user accounts and -- if applicable -- restoring any funds that were stolen from the attack. 

Operational costs include factors like an increased number of calls to contact centers, increased burdens on compliance and legal teams, and more manual reviews and implementation of more security protocols. In fact, larger companies can spend upwards of $2 million per year in call center costs helping companies reset passwords. 

Meanwhile, businesses suffer irreparable harm to brand experience from these attacks, as customers cease to do business with the company and voice their complaints on social media. Large enough breaches can even lead to negative PR and news stories. 

How Fraudsters Monetize Credential Stuffing Attacks by Industry

Financial Services/Fintech:

These are typically the most valuable accounts for fraudsters to target. In fact, credential stuffing attacks accounted for the greatest volume of security incidents against the financial sector at 41% of total incidents. 


Attackers hack into accounts to steal digital goods and items to resell to other gamers on gray market forums; this is known as real money trading. They also use these compromised accounts to use cheats or hacks to gain advantages in-game. 


With travel sites, fraudsters are mostly looking to use loyalty points to buy hotels, airfare, car rentals, and cruises, sometimes for personal use but usually to then resell on a third-party platform. 

Social Media:

Fraudsters use these accounts for reasons other than direct monetization, such as to send spam and phishing messages to real users on the platform, to spread disinformation, or to artificially “like” other accounts they may be associated with.

Streaming Services:

With streaming media services, fraudsters’ goal is to launch credential stuffing attacks at scale to gain access to as many accounts as possible and resell access to others. 

Long-Term Deterrence Against Credential Stuffing

Since these attacks are so costly, Arkose Labs offers all customers a full warranty against credential stuffing attacks. 

Businesses have come to expect that they won’t get any guarantees from the technology vendors they work with. But Arkose Labs is willing to stand behind the efficacy of our platform and demonstrate how vested we are in our client’s success. 

Our warranty provides commercial assurance that Arkose Labs will deliver the most robust protection against credential stuffing attacks available on the market today. This offering is baked into our top-tier Professional Services agreement as part of the commitment to work hand-in-hand with businesses to ensure the rapid remediation of attacks. 

Credential stuffing has too long been a bane to businesses, draining revenue and harming the customer experience. Arkose Labs aims to end this scourge and be a true partner with our customers, and end the bane of credential stuffing attacks.