Credential Stuffing Attacks: What They Are and How to Stop them

What is a credential stuffing attack?

A credential stuffing attack refers to automated matching of stolen usernames and passwords to find valid combinations of login credentials. It is the fuel that powers account takeover attacks and often precedes them. 

Credential stuffing attacks constituted one-fifth of all the attack types monitored on the Arkose Labs’ network during 2021, and nearly 5% of all digital traffic overall is a credential stuffing attack. This rise in credential stuffing attacks is due to continuous pilferage of consumers’ personal data through frequent incidents of data breaches as well as consumers’ recycling and reusing their passwords across digital accounts. This means if attackers can access a valid username-password combination, which a consumer uses across multiple digital accounts, all these accounts can be easily compromised. 

Credential stuffing attacks are becoming commonplace

Credential stuffing attacks are prevalent across industries. Advanced bots with human-like capabilities are easily and cheaply available – often, also with support services. This makes it easy for attackers to execute large-scale bot-driven attacks at the lowest possible costs.

Furthermore, attackers possess knowledge about common fraud defense techniques and use this information to fool these systems. Once they are able to breach a network, they can move around internally, exploiting and disrupting business operations.

Commonly used techniques to prevent credential stuffing attacks

It goes without saying that credential stuffing attacks pose a big challenge to users’ account security. Businesses would do well to take preventive measures to counter this growing threat. Some of the common techniques that businesses are using to counter credential stuffing attacks include:  

  1. Blocking IPs: Many businesses resort to blocking IPs on account of suspicious activity, while some quarantine such requests for further review.
  2. CAPTCHAs: A common bot detection technique to prevent bot-driven attacks, CAPTCHAs require users to solve a puzzle when they try to log into their digital accounts. CAPTCHAs are available in different versions namely: text, audio, picture, math, and so forth.
  3. Multi-factor Authentication: MFA provides an extra layer of authentication using an additional piece of information, which the user is, knows, or possesses. It could be an SMS, OTP, answer to a security question, or biometric parameter such as fingerprint.
  4. Behavioral biometrics: Businesses are trying to detect suspicious activity using typical user behavior and analyzing traffic patterns. They track data to spot anomalous behaviors and manipulation.
  5. Device fingerprinting: Device intelligence – IP address, operating system, browser type, and so forth – help create a unique identity associated with a specific device. Deviation from these parameters raises suspicion and informs decisioning to introduce additional authentication mechanisms.

The shortcoming of these techniques

In an effort to protect themselves and their users from the onslaught of credential stuffing attacks, businesses are using several of these defense methods – either standalone or in combination. However, these techniques have shortcomings that prove inadequate in providing long-term protection against evolving fraud types.

Besides integration problems, these different solutions add to technical debt and complicate risk-decisioning, which further obstructs efficient fraud prevention. For instance, MFA is not only a costly proposition but also prone to delayed or non-delivery of SMS/OTP. Blocking users based on changes in behavior can lead to filtering out of genuine customers. CAPTCHAs have not kept pace with evolving bot technology and have largely been rendered obsolete. Instead of stopping bots, they end up adding unnecessary friction to good users. Device profiling as a standalone solution for identity proofing of devices is no longer practical as most users have multiple devices and browsers they use.

Look beyond mitigation, think deterrence

In an era when the challenge of credential stuffing attacks is continuously rising, businesses cannot afford to absorb mounting remediation costs. Credential stuffing attacks don’t cost attackers much, but they leave businesses reeling under financial and reputational losses. Therefore, businesses must look beyond mitigation and think deterrence. They need a fresh approach to fraud deterrence that provides them with long-term protection against evolving attack tactics.

Arkose Labs is a trusted partner for global brands when it comes to effective protection against credential stuffing attacks. Arkose Labs bankrupts the business model of fraud and erodes the ROI from credential stuffing attacks to make them financially not worthwhile. Furthermore, Arkose Labs’ industry-first $1M credential stuffing warranty provides our customers with an economic cover of up to $1M for remediation costs.


Although credential stuffing attacks resemble brute force attacks, the former uses real user credentials that are stolen or scraped. In brute force attacks, however, attackers try to guess passwords using random characters and password suggestions.

Credential stuffing attacks primarily have three steps namely: data harvesting, credential matching, and monetizing the attack. Attackers use bots to automate the validation process of stolen username and password combinations. These bots can match thousands of usernames and passwords to arrive at valid combinations in no time. This enables attackers to scale up the attacks and increase ROI.

The commonly used techniques to fight credential stuffing attacks include IP blocking, CAPTCHAs, multi-factor authentication (MFA), behavioral biometrics, and device profiling. However, these techniques have their own shortcomings and do not provide the level of protection from credential stuffing attacks that today’s digital businesses need.

Arkose Labs is the preferred partner for global businesses fighting the onslaught of credential stuffing attacks. This is due to the long-term protection from these attacks without disrupting user experience.

Arkose Labs uses targeted friction to authenticate all incoming users, without the need to block anyone. Combining real-time, risk-based decisioning with adaptive step-up enforcement challenges, the Arkose Labs platform ascertains whether or not fraudsters have been able to corrupt a good user’s digital footprint. 

Based on real-time analysis, the platform classifies and triages incoming traffic and accordingly presents an enforcement challenge. These challenges interact with and engage suspicious users in a long-drawn battle to drain their resources, efforts, and time; in the process eroding the returns from the attack and forcing attackers to move on. To ensure future-proof protection from credential stuffing attacks, feedback from each user session informs the risk engine to help continuous improvement for future predictions.

And that’s not all. Arkose Labs provides 24/7 SOC support in addition to the industry-first $1M credential stuffing warranty that guarantees peace of mind from credential stuffing attacks.