Credential Stuffing

Most websites that provide an authenticated space, such as an e-commerce platform, can be subject to a common type of attack: credential stuffing.

How does credential stuffing work?

In general, the attack works as follows: the attacker takes a list of usernames (often email addresses) and passwords obtained from a data breach at one organisation, and then uses them to try to log in to another organisation’s website.

Relying on the fact that users often reuse the same username and password pair across multiple sites, the attacker targets sites with weaker protections and uses bots to submit a large number of login attempts. If a login succeeds, the attacker can change the password, locking the legitimate user out of their account, or even make purchases if a bank card is stored on it.

What makes credential stuffing so effective?

Statistically, credential stuffing attacks have a very low success rate. Many estimates put it at around 0.1%, i.e. roughly one successful login for every thousand credential pairs tried. However, an attacker can repeat the process with the same set of credentials against many other services. The main reason these attacks are effective is password reuse: studies suggest that the majority of users (some estimates as high as 85%) reuse the same credentials across multiple services.
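The pattern described above, many automated login attempts spread across many different accounts with only a handful succeeding, is also what makes the attack detectable server-side. The following added example (not part of the original page) flags source IPs that attempt logins against many distinct usernames within a short window, which distinguishes stuffing from a brute-force attack on one account; the log format and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real traffic).
# Assumed format: ISO timestamp, source IP, username, result (OK/FAIL).
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 dave@example.com OK
2024-05-01T10:00:03 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:04 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:05 198.51.100.2 alice@example.com FAIL
2024-05-01T10:00:09 198.51.100.2 alice@example.com FAIL
2024-05-01T10:00:15 198.51.100.2 alice@example.com OK
2024-05-01T10:30:00 192.0.2.9 grace@example.com OK
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_users=4):
    """Return {ip: (attempts, distinct_users, successes)} for every source IP
    that, within any sliding `window`, made at least `min_attempts` logins
    against at least `min_distinct_users` accounts. One guess per account
    across many accounts is the stuffing signature; repeated guesses on a
    single account (198.51.100.2 below) is brute force and is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                successes = sum(1 for _, _, r in span if r == "OK")
                current = (len(span), len(users), successes)
                if ip not in flagged or current > flagged[ip]:
                    flagged[ip] = current  # keep the largest matching window
    return flagged
```

Flagged IPs are candidates for rate limiting or a bot challenge, and the successful logins inside a flagged window are the accounts to review for a forced password change.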