Skip to content Skip to navigation Skip to footer

Credential Stuffing

What Is Credential Stuffing?

What is credential stuffing? Credential stuffing is an automated cyberattack that inserts stolen usernames and passwords into the system's login fields to achieve an account takeover (ATO) for fraudulent misuse.

Of all the types of cyberattacks, credential stuffing is one of the most prolific and effective techniques. It works so well because some users have the same usernames and passwords to log in on many different systems. When an unauthorized user acquires the correct username and password for a person, credential stuffing makes a rapid attempt to log in to other systems that may use the same user information. According to cybercrime estimates, the success rate of this attack method may be from 0.1% to 4%.

How Does a Credential Stuffing Attack Work?

Credential stuffing is a three-step process:

  1. A user's login name and password are stolen in a data breach or bought from the dark web.
  2. An automated bot software program uses this data to rapidly "stuff" the credentials as login attempts. The goal is to find as many other systems as possible where they work.
  3. Successful logins harvest data for further unauthorized use.

Credential Stuffing vs. Brute Force Attacks vs. Password Spraying

A brute force attack uses a username and password generator to attempt to log in to a system by guessing the credentials of an authorized user with multiple sign-in attempts. Commonly used simple passwords are exploited, as well as phrases and names that are easy to guess.

Credential stuffing is more targeted than a brute force attack. A brute force attack is easy to identify due to the unusual number of login attempts from a certain Internet Protocol (IP) address. Credential stuffing is difficult to recognize because login attempts are made only once on each system. Moreover, IP address spoofing may disguise the source of the login attempt.

Password spraying is a technique used by hackers. They use a list of legitimate email addresses combined with the most commonly used passwords to gain unauthorized access to a system. Secure systems should never allow the use of email addresses for usernames because this essentially gives away half of the credentials to anyone with an email list.

Real-world Examples of Credential Stuffing Attacks

It is shocking to learn how many companies have been subject to a credential stuffing attack. Here is a list of a few major companies that had to deal with this type of cyberattack:

  1. HSBC: In 2018, HSBC was subject to a major credential stuffing attack, putting their clients' financial information at risk.
  2. DailyMotion: In January 2019, the DailyMotion video website shut down temporarily due to an attack.
  3. Dunkin' Donuts: In 2019, Dunkin' Donuts faced two massive credential stuffing attacks within three months.
  4. Reddit: Also hit in 2019 was Reddit, which caused customers to lose access to their accounts while hackers stole their data.
  5. Deliveroo: In 2019, Deliveroo customers were charged for orders they never placed.
  6. Basecamp: In 2019, Basecamp had to fend off a massive wave of illegitimate login attempts over a few hours.
  7. Sizmek: In 2019, a Russian hacker attacked Sizmek, a major advertising company. The hacker sold stolen controls to advertising campaigns in a dark web auction.
  8. TurboTax: Also in 2019, TurboTax suffered a security breach caused by credential stuffing. Hackers gained access to customers' tax information and social security numbers.
  9. Nintendo and Zoom: During the pandemic lockdowns of 2020, Nintendo and Zoom got hacked.
  10. Spotify: In 2020, Spotify's music streaming service faced an attack that used information from 380 million user records assembled from different sources.
  11. The North Face: In 2020, The North Face Company was also hit hard with a credential stuffing attack. This attack required the retailer to reset an unknown number of their customers' accounts.
  12. RIPE NCC: The website domain name registrar RIPE NCC got hit in 2021. This attack targeted the company's single-sign-on (SSO) service, exposing multiple databases and services.

The list of companies damaged by credential stuffing attacks is growing.

5 Reasons for Growing Credential Stuffing Attacks

Here are some of the many reasons why credential stuffing attacks are increasing:

Credential Availability

Bad actors have easy access to massive database files of compromised login information. One readily available database file, Collection 1-5, has more than 22 billion usernames and passwords. Some of these came from the breach of Yahoo! in 2016 that hacked 1.5 billion Yahoo! users' accounts.

Technology Advances

Innovations such as headless browsers, which operate just like a web browser but without a user interface, allow faster login attempts. An example is PhantomJS, which uses JavaScript. It can run from a command line. 

The CAPTCHA system used to identify human users may be bypassed. IP spoofing allows a hacker to use fake IP addresses. A virtual private network (VPN) is the workaround for geographical limitations.

Low Barrier to Entry

The software and hardware needed to launch a credential stuffing attack are easy to obtain. Any mediocre hacker can get started for less than $100 spent on stolen data.

Shift to Remote Work

The shift to remote work caused by the pandemic lockdowns had many users creating more online accounts than ever before. This change in work methods is why Zoom got hacked.

Difficulty to Detect

Because the login credentials are real, it is easy to be fooled by a hacker pretending to be a legitimate user. It is important to learn how to detect credential stuffing.

5 Stages of a Credential Stuffing Attack

Here are the stages of a credential stuffing attack, from data collection to the ultimate account takeover and fraud.


At the beginning stage, credential data is collected. The data may come from a recent data breach, be purchased on the dark web, or be downloaded from freely available public archives. In addition to credential data, hackers may collect application programming interface (API) code, website domain Uniform Resource Locators (URLs), and information about online services such as web servers and cloud services.


Like setting up a botnet, hackers choose the software tools or write the programming code to execute the credential stuffing attack. These tools are readily available for a low cost. Some more sophisticated programs can avoid the CAPTCHA system, spoof the IP address or hide it, and be customized to respond to any protections that prevent the attack.


The attack's necessary architecture may include workload distribution across multiple participants, even some that perform computer processing without knowing the goals of the larger project. An example is a computer process server that processes API requests without concern about what they are doing.


The attack launches, and then it is a "wait and see" period for the positive login results to accumulate. The results are a list of compromised and working login credentials.


The goal of this effort is a full account takeover, a form of identity theft. It may also be a goal to infiltrate a network and steal confidential information, such as corporate espionage.

A hacker may use compromised login credentials to launch another type of attack called phishing. This attack tricks the target into thinking a request comes from an authorized person or a legitimate company. It fools them into doing something like sending money or providing personal information.

The Economic Impact of Credential Stuffing

Credential stuffing causes consumers and businesses to lose many billions of dollars annually. There are losses from data breaches and fines for violations of privacy laws when personal data is not adequately protected.

Four Best Practices to Detect and Prevent Credential Stuffing Attacks

Enable Multi-factor Authentication (MFA)

Multi-factor authentication requires more than one way for users to identify as authorized users. This security may include using a fingerprint scan, responding to email verification, or entering a security code received via a text message.

Implement IT Hygiene

Monitoring tools enable a network to look for signs of malicious activity, such as multiple login attempts from an unauthorized IP address. One good defense is to block such an IP address.

Add Proactive Threat Hunting

Proactive threat hunting deals with the risks of advanced persistent threat (APT) attacks from known bad actors, especially state-sponsored ones. This measure is part of the efforts needed to build robust systems that detect credential stuffing.

Educate Employees About the Risks of Weak Passwords

Teach users how to create a secure login credential. Training should help employees understand the importance of using strong passwords with an encrypted password manager. They should use a unique, complex password for each login and never use this password on more than one system.

How Fortinet Can Help

The Fortinet Web Application Firewall (WAF) safeguards your assets from known and unknown threats through application protection, API protection, and bot mitigation. Other features include machine learning-based threat detection, Security Fabric integration, advanced visual analytics, and false-positive mitigation. Fortinet WAF throughputs are incredibly fast and secured by encryption when using hardware-based acceleration.


What is credential stuffing?

Credential stuffing is an automated cyberattack that inserts stolen usernames and passwords into the system's login fields to achieve an account takeover (ATO) for fraudulent misuse.

How to detect credential stuffing?

To detect credential stuffing, use proactive threat hunting and network monitoring tools to look for signs of malicious activity, such as multiple login attempts from an unauthorized IP address.

How to prevent credential stuffing?

To prevent credential stuffing, enable multi-factor authentication (MFA), require complex passwords, and educate employees about the danger of using weak passwords or using the same password on multiple systems.