Home » Credential Stuffing: What it is and How to Stop it

Credential Stuffing: What it is and How to Stop it

What Is Credential Stuffing?

Credential stuffing is a cyberattack where hackers use stolen usernames and passwords from one website to gain unauthorized access to other websites. Bad actors use automated bots to rapidly input these credentials, exploiting the tendency of users to reuse passwords across multiple platforms.

Diagram showing how attackers access legitimate user accounts

An Escalating Cyberattack, Exacerbated by Bots

Credential stuffing attacks are a widespread problem with almost limitless consequences for businesses and consumers. They are a rising threat for two primary reasons:

  1. The broad availability of data from massive, breached databases (think billions of username/password combinations)
  2. The presence of sophisticated bots that simultaneously attempt several logins and appear to originate from different IP addresses. These bots can often circumvent simple security measures like banning IP addresses with too many failed login attempts.

Credential theft is not a one-and-done type of attack; the ramifications of an attack can be devastating for businesses and consumers alike.

How Credential Stuffing Works

Attackers acquire usernames and passwords through website breaches, phishing attacks, or data dumps of breached information. They use automated tools to test these stolen credentials on multiple websites, such as social media sites, financial/banking websites, e-commerce websites, or apps. If a login is successful, attackers know they have a valid set of credentials.

At this point, the attackers may drain stolen user accounts of stored value, access sensitive information such as credit card numbers, medical records, private messages, pictures, or documents, use the account to send phishing messages or spam, or sell known-valid credentials to other attackers.

Flow chart illustrating how unauthorized access originates and proliferates

Credential Stuffing vs Brute-Force Attacks

Credential stuffing is a type of brute-force attack and is also sometimes called password stuffing. But there is an important difference between credential stuffing and a traditional brute-force attack, which tries to figure out passwords without any context or hints. A strong password with uppercase letters, numbers, and special characters is a good way to protect yourself from traditional brute-force attacks.

However, credential stuffing uses sensitive data that has been made public through a breach, which means even the strongest password is weakened when a person uses it for multiple websites or apps. A credential stuffing attack can compromise these credentials, no matter how strong they are.

$1M Credential Stuffing Warranty
$1M Credential Stuffing Warranty
How to Prevent Credential Stuffing during Authentication

Individual users can help prevent the misuse of their credentials with best practices such as:

  • Using a password manager to generate a unique, strong password for every website or service visited
  • Enabling two-factor authentication (2FA) whenever possible
  • Routinely checking sites like have i been pwned to see if their email address is in a data breach

For businesses, the answer is a bit more complicated.

A company can suggest that its customers use unique passwords, but it can't force them to do so. Some applications will check a submitted password against a database of known compromised passwords before accepting it. However, this isn't foolproof because the user could be reusing a password from a service that hasn't yet been compromised.

Many businesses try to prevent password stuffing attacks by adding more cybersecurity features to logins, including multi-factor authentication (MFA) and/or traditional CAPTCHA challenges. But these also have limitations. MFA can be compromised by Man in the Middle Attacks, and traditional CAPTCHAs are ineffective. Bots can maneuver around these tests, forcing security teams to up their protection measures, which can lead to the blocking of good traffic and a decrease in overall web traffic and revenue.

Other forms of prevention include:

  • Device fingerprinting: JavaScript is used to gather information about user devices and create a "fingerprint" for each incoming session. The fingerprint is made up of identifiers like the operating system, the language, the browser, the time zone, etc. If the same set of parameters is used to log in more than once in a row, it may indicate a brute force or credential stuffing attack.
  • IP blacklisting: Attackers usually only have a small number of IP addresses to use, so blocking IPs that try to log into multiple accounts is another way to stop them. To minimize false positives, you can keep track of the last few IPs that were used to log into a particular account and compare them to the suspicious IP.
  • Rate-limit sources of non-residential traffic: Traffic coming from commercial data centers is easy to spot. It is almost certainly bot traffic, which means it must be looked at differently than regular user traffic. Set strict rate limits and block or ban IPs that behave in strange ways.
  • Restricted headless browsers: The JavaScript calls used by headless browsers make them easy to spot. These browsers aren't real users, and they may indicate suspicious behavior.
  • Don't allow email addresses to be used as usernames: If your organization doesn't allow people to use an email address as their account ID, they are less likely to use the same username and password on another site.

The most effective defense against these types of cyberattacks is a robust bot management solution like Arkose Bot Manager. It’s a holistic approach that includes device fingerprinting, IP reputation checks, behavior biometrics, and MatchKey Challenges, a revolutionary new type of CAPTCHA that bots cannot defeat. The bot detection and mitigation platform sits on all consumer flows and orchestrates dynamic responses tailored to each attack pattern. 

Additionally, Arkose Labs is the only provider to offer a $1 Million Credential Stuffing Warranty. Either we stop the attacks or we cover the loss!

Want to learn more about Arkose Labs? Book a demo today!


Credential stuffing is a subset of account takeover attacks, a type of cyberattack where black hat hackers constantly try different username-password combinations until a valid match is found. They deploy bots to scale up the attacks at reduced costs. With consumer information readily available to criminals for purchase — due to personal information being exposed from years of data breaches — credential stuffing has come to play a key role in carrying out account takeover (ATO) attacks.

It is called this because of the hacking technique that cybercriminals employ. Using stolen passwords, attackers are able to unlock multiple accounts since people often engage in password reuse across digital accounts and websites. Credential stuffing is related to password stuffing and brute force attacks.

Credential stuffing makes use of real consumer data that has been exposed due to years of data breaches, whereas in brute force attacks, attackers try to guess passwords using random characters and password suggestions. Since credential stuffing attacks use real data, the probability of arriving at valid credentials is higher than in brute force attacks.

There are many reasons why global brands trust Arkose labs in their fight against credential stuffing. Here are five:

  1. Arkose Labs is the only vendor in the world to offer a fully insured credential stuffing warranty, where our partners get up to $1million loss recovery.
  2. Reduction in business risk exposure with a 48-hour remediation guarantee.
  3. Rapid remediation of bot attacks while maintaining a completely user-centric approach.
  4. Always-on monitoring and optimization of the partner’s traffic for an ever-vigilant protection.
  5. Commitment to work closely with our partners and help them confidently stand up to the challenge of cyber threats.

Credential stuffing makes use of real consumer data that has been exposed due to years of data breaches, whereas in brute force attacks, attackers try to guess passwords using random characters and password suggestions. Since credential stuffing attacks use real data, the probability of arriving at valid credentials is higher than in brute force attacks.