Credential Stuffing: What it is and How to Stop it

What is Credential Stuffing?

Credential stuffing is a subset of account takeover attacks, where bots are deployed to constantly try different username/password combinations at scale until a match is found. With this information readily available to fraudsters for purchase - due to personal information being exposed from years of data breaches - credential stuffing plays a key role in carrying out account takeover (ATO) attacks.

credential stuffing

Credential stuffing has become a vital ingredient of successful fraud attacks, which makes stopping it so crucial. Fraudsters will often use automated scripts to power credential stuffing, such as to fill in login forms en masse with validated credentials. They also utilize human sweatshops to launch these attacks, which enables them to evade defenses that specifically look for signs of automation, or even conduct the attacks themselves for high-value accounts.

Once credential stuffing is used to successfully compromise an account, the fraudster has a wide range of options, from simply stealing money or information from the account, using it for downstream fraud such as for phishing or sending spam messages, laundering stolen money, or reselling the successfully validated credentials as a list on their own right.

What Are the Steps of a Credential Stuffing Attack?

credential stuffing
How Credential Stuffing Attack Works

There are three main steps to a credential stuffing attack:

Data Harvesting

Fraudsters first need the raw material - a list of valid emails, usernames and passwords - to work with before carrying out credential stuffing attacks. These are most commonly and easily acquired on either the dark or public web via lists sourced from various data breaches. Credentials can also be stolen using methods such as phishing, malware, or social engineering attacks.

Validating Accounts

After data is acquired, fraudsters use credential stuffing techniques to find the right combinations and gain access to accounts. To do this at scale, fraudsters commonly use bots: they simply enter the list of stolen credentials into a tool, configure the proxies, define the target, and sit back and launch the attacks. As noted earlier, for more nuanced attacks, human sweatshops may be used or even lone fraudsters may do it themselves.

Monetize Attack

This can be done in a number of ways, such as fraudsters stealing money or utilizing the information from the account itself to carry out further attacks. Fraudsters can also resell lists of known validated credentials after the credential stuffing attack determines the right username-password combinations. The attack will help extract a list of credentials that have been verified against a specific website, which can then be resold on the dark web.

Why Are Credential Stuffing Attacks on the Rise?

Simply put, there are so many usernames, emails, and passwords available for purchase on the web that fraudsters can easily obtain them, and launching credential stuffing attacks is then as simple as inputting data into an automated program. With a minimal amount of effort and money, fraudsters can launch credential stuffing attacks at scale, testing thousands - or even millions - of combinations in minutes.

The combination of easily available data, and cheap and easy-to-use bots, makes for an environment ripe for credential stuffing attacks. According to the FBI, a whopping 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the theft of millions of dollars. The FBI further notes that this situation is exacerbated by consumers continually using the same login credentials.

"When customers and employees use the same email and password combinations across multiple online accounts, cybercriminals can exploit the opportunity to use stolen credentials to attempt logins across various sites," says a Sept 2020 memo. According to a 2020 survey conducted by a data analytics firm, nearly 60% of the respondents reported using one or more passwords across multiple accounts. "When attackers successfully compromise accounts, they monetize their access by abusing credit card or loyalty programs, committing identity fraud, or submitting fraudulent transactions such as transfers and bill payments."

All these factors add up to a scenario where credential stuffing attacks are frequent and often successful.

Limitations of Current Fraud Defense Approaches

Clearly, identity-based fraud detection efforts are obsolete now. This is because not only can fraudsters easily obtain a good user's login credentials and use them to appear to be 'good' themselves, but they can also quite easily hide their true location and intent. They do this with tactics such as IP spoofing, device obfuscation, and many others.

Most data-driven risk decision engines are geared towards extremes, looking for users that display clear 'trust' or  'mistrust' signals. They, therefore, struggle with the new reality in fraud, where digital identities have been corrupted and intent can be faked.

credential stuffing

There is an increasingly gray area due to unpredictable behavior from good customers and sophisticated spoofing and cloaking techniques from fraudsters leveraging stolen personal data. If one factor is off for a good user, for any number of legitimate reasons, then it can throw the whole fraud prevention model off-gear. Fraudsters understand how these fraud defense systems work and use this knowledge directly against the businesses they attack. The balance of power, in these scenarios, is unfortunately with the bad guys.

Smarter Authentication with Targeted Friction

credential stuffing
Arkose Labs' platform

Rather than constantly playing a losing cat and mouse game with fraudsters, businesses need a long-term approach to disrupt fraud and put a stop to these large-scale attacks. That's why Arkose Labs combines risk-based decisioning with intelligent step-up and clarifies whether or not a good customer's digital footprint has been corrupted by the fraudsters.

Real-time Analysis

The Arkose Labs platform performs sophisticated real-time analysis of traffic to look for even the most subtle indicators of fraud. However, this is done without collecting large sets of personal information, as they can cause a privacy and compliance headache. Instead, the platform focuses on behavior, device, and network characteristics and how they are connected.

Classify and Triage

Multiple risk scores can become difficult to action. Instead, Arkose Labs classifies and segments traffic based on the risk profile. Triaging traffic, based on whether it is likely to be legitimate, a bot, or human sweatshop, provides actionable intelligence that can inform the system of any secondary screening required and the type of enforcement required.

Challenge and Interact

To understand the intent of traffic in a deterministic way, secondary screening must be paired with risk assessment. Arkose Labs' custom enforcement challenges test high-risk traffic using interactive technology that causes all automated attacks to fail. Graduated risk-based challenges can also frustrate fraudsters by increasing the amount of friction they experience, leading them to abandon their attacks.

Continuous Learning

Arkose Labs clients can reap the benefits of a fraud prevention system, which combines risk assessments with challenges, by leveraging a continuous feedback loop to improve fraud detection rates, while decreasing challenge rates for good users. Embedded machine learning will provide advanced anomaly detection and evolving protection, taking the burden away from in-house teams.

Businesses need to take a robust stance against fraud to safeguard their revenue streams and maintain customer trust. This multi-step approach ensures comprehensive fraud protection that safeguards businesses long term. Click here to learn more about how Arkose Labs can help fight fraud without impacting the user experience.


Credential stuffing is a subset of account takeover attacks, where fraudsters constantly try different username-password combinations until a valid match is found. They deploy bots to scale up the attacks at reduced costs. With consumer information readily available to fraudsters for purchase — due to personal information being exposed from years of data breaches — credential stuffing has come to play a key role in carrying out account takeover (ATO) attacks.

It is called credential stuffing because of the hacking technique that fraudsters employ. Using stolen passwords, fraudsters are able to unlock multiple accounts since people reuse their passwords across digital accounts and websites.

Credential stuffing makes use of real consumer data that has been exposed due to years of data breaches, whereas in brute force attacks, fraudsters try to guess passwords using random characters and password suggestions. Since credential stuffing attacks use real data, the probability of arriving at valid credentials is higher than in brute force attacks.

There are many reasons why global brands trust Arkose labs in their fight against credential stuffing. We list down only five here:

  1. Arkose Labs is the only vendor in the world to offer a fully insured credential stuffing warranty, where our partners get up to $1million loss recovery.
  2. Reduction in business risk exposure with a 48-hour remediation guarantee.
  3. Rapid remediation of attacks while maintaining a completely user-centric approach.
  4. Always-on monitoring and optimization of the partner’s traffic for an ever-vigilant protection.
  5. Commitment to work closely with our partners and help them confidently stand up to the challenge of credential stuffing attacks.