Credential Stuffing: What it is and How to Stop it

What is Credential Stuffing?

Credential stuffing is a cyberattack in which criminals use automated tools and stolen username and password pairs to break into systems and gain access to legitimate user accounts. This technique is successful because many users reuse login credentials across multiple sites. When these user credentials are exposed in a data breach or phishing attack, attackers use them to compromise other accounts. Credential stuffing is dangerous for both consumers and enterprises due to the ripple effects of credential theft.

Diagram showing how attackers access legitimate user accounts

Why Credential Stuffing Matters

The 2022 Data Breach Investigations Report (DBIR) defines a data breach as a compromise of the confidentiality attribute, and when confidentiality is compromised, it begs the question:

What type of data was involved1?

According to the DBIR, the top two data types compromised are now “credentials” and “personal data.”2

Credential stuffing attacks are a widespread problem with almost limitless consequences for businesses and consumers. And they are a rising threat for two primary reasons:

  1. The broad availability of massive breached databases (think billions of username/password combinations).
  2. The presence of sophisticated bots that simultaneously attempt several logins and appear to originate from different IP addresses. These bots can often circumvent simple security measures like banning IP addresses with too many failed logins.

Credential theft is not a one-and-done type of attack; the ramifications of a credential stuffing attack can be devastating for businesses and consumers alike.

How Credential Stuffing Works

Attackers acquire usernames and passwords through website breaches, phishing attacks, or data dumps of breached information. They use automated tools to test these stolen credentials on multiple websites, such as social media sites, financial/banking websites, e-commerce websites, or apps. If a login is successful, attackers know they have a valid set of credentials.

At this point, the attackers may drain stolen accounts of stored value, access sensitive information such as credit card numbers, medical records, private messages, pictures, or documents, use the account to send phishing messages or spam, or sell known-valid credentials to other attackers.

Flow chart illustrating how unauthorized access originates and proliferates
How Credential Stuffing Attack Works

Credential Stuffing vs Brute-Force Attacks

Credential stuffing is a type of brute-force attack, according to OWASP.3 But there is an important difference between credential stuffing and a traditional brute-force attack, which tries to figure out passwords without any context or hints. A strong password with uppercase letters, numbers, and special characters is a good way to protect yourself from traditional brute-force attacks.

However, credential stuffing uses data that has been made public through a breach, which means even the strongest password is weakened when a person uses it for multiple websites or apps. A credential stuffing attack can compromise these credentials, no matter how strong they are.

Arkose Labs $1 Million Credential Stuffing Warranty Guarantees Success Against Volumetric Credential Stuffing Attacks

$1M Credential Stuffing Warranty
$1M Credential Stuffing Warranty

How to Prevent Credential Stuffing

Individual users can prevent the theft of their credentials with best practices such as:

  • Using a password manager to generate a unique, strong password for every website or service visited
  • Enabling two-factor authentication (2FA) whenever possible

For businesses, the answer is a bit more complicated.

A company can suggest that its customers use unique passwords, but it can't force them to do so. Some applications will check a submitted password against a database of known compromised passwords before accepting it. However, this isn't foolproof because the user could be reusing a password from a service that hasn't yet been compromised.

Many businesses try to prevent credential stuffing attacks by adding more cybersecurity features to logins, including multi-factor authentication (MFA) and/or traditional CAPTCHA challenges. But these also have limitations. MFA can be compromised by Man in the Middle Attacks, and traditional CAPTCHAs are ineffective. Bots can maneuver around these tests, forcing security teams to up their protection measures, which can lead to the blocking of good traffic and a decrease in overall web traffic and revenue.

Other forms of prevention include:

  • Device fingerprinting: JavaScript is used to gather information about user devices and create a "fingerprint" for each incoming session. The fingerprint is made up of identifiers like the operating system, the language, the browser, the time zone, etc. If the same set of parameters is used to log in more than once in a row, it may indicate a brute force or credential stuffing attack.
  • IP blacklisting: Attackers usually only have a small number of IP addresses to use, so blocking IPs that try to log into multiple accounts is another way to stop them. To minimize false positives, you can keep track of the last few IPs that were used to log into a particular account and compare them to the suspicious IP.
  • Rate-limit sources of non-residential traffic: Traffic coming from commercial data centers is easy to spot. It is almost certainly bot traffic, which means it must be looked at differently than regular user traffic. Set strict rate limits and block or ban IPs that behave in strange ways.
  • Don't let headless browsers in: The JavaScript calls used by headless browsers make them easy to spot. These browsers aren't real users, and they may indicate suspicious behavior.
  • Don't allow email addresses to be used as usernames: Credential stuffing works when the same usernames or account IDs are used for multiple services. If you don't allow people to use an email address as their account ID, they are less likely to use the same username and password on another site.

The most effective defense against credential stuffing attacks is a robust bot management solution like Arkose Bot Manager. It’s a holistic approach that includes device fingerprinting, IP reputation checks, behavior biometrics, and MatchKey Challenges, a revolutionary new type of CAPTCHA that bots cannot defeat. The bot detection and mitigation platform sits on all consumer flows and orchestrates dynamic responses tailored to each attack pattern.

Additionally, Arkose Labs is the only provider to offer a $1 Million Credential Stuffing Warranty. Either we stop the attacks or we cover the loss!

Want to learn more about Arkose Labs and our $1 Million Credential Stuffing Warranty? Book a demo today!


Credential stuffing is a subset of account takeover attacks, a type of cyberattack where black hat hackers constantly try different username-password combinations until a valid match is found. They deploy bots to scale up the attacks at reduced costs. With consumer information readily available to criminals for purchase — due to personal information being exposed from years of data breaches — credential stuffing has come to play a key role in carrying out account takeover (ATO) attacks.

It is called credential stuffing because of the hacking technique that cybercriminals employ. Using stolen passwords, attackers are able to unlock multiple accounts since people often engage in password reuse across digital accounts and websites.

Credential stuffing makes use of real consumer data that has been exposed due to years of data breaches, whereas in brute force attacks, attackers try to guess passwords using random characters and password suggestions. Since credential stuffing attacks use real data, the probability of arriving at valid credentials is higher than in brute force attacks.

There are many reasons why global brands trust Arkose labs in their fight against credential stuffing. Here are five:

  1. Arkose Labs is the only vendor in the world to offer a fully insured credential stuffing warranty, where our partners get up to $1million loss recovery.
  2. Reduction in business risk exposure with a 48-hour remediation guarantee.
  3. Rapid remediation of bot attacks while maintaining a completely user-centric approach.
  4. Always-on monitoring and optimization of the partner’s traffic for an ever-vigilant protection.
  5. Commitment to work closely with our partners and help them confidently stand up to the challenge of credential stuffing attacks.