
The Anatomy of Credential Stuffing

The Anatomy of Credential Stuffing: Understand how credential stuffing works and why it puts enterprises at risk of account takeover

What Is Credential Stuffing?

Credential stuffing is an account takeover method that uses previously exposed email and password logins to gain unauthorized access to accounts. Credential stuffing attacks are easier to pull off than you may think. Even criminals of low sophistication can perform credential stuffing attacks at scale within a matter of seconds using tools that are readily available on the Internet. Criminals literally “stuff” exposed email and password combinations into as many websites as they can find, patiently waiting until one or more matches are found. In fact, up to 43 percent of logins submitted through most sites are account takeover attempts.

The main culprit behind these attacks is password reuse. As many as 87 percent of people reuse the same password across multiple accounts. Unfortunately, many people have become comfortable with their password reuse and don’t see a good enough reason to change. They may not share passwords with others, but they share them among multiple websites, making it easy for criminals to break into multiple accounts with the same password.


This means if you use your work or personal email addresses and the password “mycatisawesome2,” for instance, to log in to your LinkedIn account, your Facebook account and your Target account, you create a single point of failure for both your financial details and any personal information you may have shared on social media. Even if LinkedIn is the company that was breached and you promptly change your LinkedIn password, there’s still a significant chance that criminals will find that your same password is being used across multiple accounts.

How Does Credential Stuffing Work?

These attacks are remarkably easy, thanks to public websites that give criminals access to the lists of exposed passwords and the tools needed to perform credential stuffing. These lists of exposed emails and passwords, called “combolists,” typically combine data from previous corporate data breaches. These lists can be found online and sadly, there are lots of them. Once the lists are downloaded, criminals need only to download any of many publicly available credential stuffing tools. Both the list and the tool are simple to install and ready to use within minutes.



Here’s the breakdown of what criminals do to perform a credential stuffing attack:

Download combolist

The criminal acquires leaked credentials directly from a breach or searches within cracking communities, online or on underground markets to purchase combolists that combine data from multiple breaches.

Load list into credential stuffing tool

Public resources enable criminals to quickly download a tool that will compare combolists against popular commercial websites. The criminal loads his combolist into the tool then selects certain sites simply by checking the boxes for each site or runs the tool against hundreds of sites at once.

Analyze accounts

Criminals can custom-configure credential stuffing tools to find accounts with certain balances of cash, points, and/or virtual currencies. When there’s a match, criminals can see account balances behind compromised accounts and determine ahead of time whether or not they can gain access to the targeted account.

Export results and gain access to active accounts

Once the credential stuffing tool finds a match, the criminal can export the results into their own files and begin accessing those active accounts using the exposed email and password combinations.

Login and extract funds or resell access on the dark market

Once the criminal logs into the exposed accounts, the site treats them as the legitimate user. Full-fledged account takeover has begun.

Because they have genuine user credentials, attackers have the same privileges as the person who owns the account. They can drain accounts in seconds and/or resell their access to other cybercriminals.


All of these steps can be accomplished within a matter of minutes, making it nearly impossible to stop once the process has begun.

How Can Companies Prevent Credential Stuffing Attacks?

Companies must implement a strong credential stuffing defense. Until they do, they will be at a high risk for fraud and customer attrition. Consumers may be the weakest link in cybersecurity, but they place the blame for these attacks squarely on the companies who are breached. It’s up to companies and organizations to prioritize strategies and tools that protect customers’ data from being breached. In doing so, they also protect the enterprise from many types of fraud.

Credential stuffing prevention must begin with the password. Consumers often don’t understand the risk they take in reusing passwords. As such, it’s up to the company to take matters into their own hands.

The best credential stuffing prevention tools do the following:

Stop the attack at the login level

Each time someone logs into a web interface, the site must be able to automatically check whether the email and password have been previously exposed. This must happen quickly so as not to create friction with the consumer. It is critical to choose a provider who has a robust database of the most current and historical exposures. Even older exposures can wreak havoc if the user hasn’t changed their password since the initial data breach. Criminals often attempt credential stuffing attacks years after their initial combolists were downloaded. They know users frequently forget to reset passwords.

Force a password reset

If the credential stuffing prevention tool detects that the password has previously been exposed, the system should immediately prompt the user to reset it. To ensure the person logging into the account is the legitimate user, the password reset cannot occur on the login site. Instead, a reset link should be sent to the user’s registered email. Clicking the link in the email takes the user to a password reset page.

Automate Protection

Automation is key, as is the quality and size of the exposure database. Ideally, a plugin will be in place behind the scenes, protecting user access automatically.

Even if the cybercriminal is able to find exposed passwords from a breach that work on other sites, they won’t be able to use them to access yours. When the cybercriminal uses the credential stuffing tool to scan sites where reused passwords are active, no results will populate. They cannot log in using those exposed credentials because users with exposed credentials are now being prompted to reset their passwords.
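The login-level exposure check and the emailed reset described above can be sketched as follows. This is an added example, not SpyCloud’s code or any product’s API: the function names, the in-memory `EXPOSED` set standing in for an exposure database, and the `OUTBOX` list standing in for the mail system are all assumptions, and the sample account is constructed.

```python
import hashlib, hmac, secrets, time

def pair_digest(email, password):
    """Digest of a normalized email/password pair; no plaintext is stored."""
    return hashlib.sha256(f"{email.strip().lower()}\x00{password}".encode()).hexdigest()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one exposed pair and one account that reuses it.
EXPOSED = {pair_digest("alice@example.com", "mycatisawesome2")}
_salt = secrets.token_bytes(16)
USERS = {"alice@example.com": {"salt": _salt, "pw": hash_password("mycatisawesome2", _salt)}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry); tokens are never stored in the clear
OUTBOX = []         # (registered email, token): hypothetical stand-in for sending mail
RESET_TTL = 15 * 60

def login(email, password, now=None):
    now = time.time() if now is None else now
    email = email.strip().lower()
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(
            hash_password(password, user["salt"]), user["pw"]):
        return "denied"
    if pair_digest(email, password) in EXPOSED:
        # Correct but exposed credentials: create no session, and send the
        # reset link only to the registered address, never to the login page.
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL)
        OUTBOX.append((email, token))
        return "reset_required"
    return "session_created"

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    # pop() makes the token single-use even when the attempt fails.
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    email = entry[0]
    if pair_digest(email, new_password) in EXPOSED:
        return False    # the replacement must not be an exposed pair either
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw": hash_password(new_password, salt)}
    return True
```

Because the reset token travels only through the registered mailbox, knowing the exposed password alone does not get anyone past the `reset_required` state.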

The use of credential stuffing defense tools not only protects your customers and your company; it also hopefully, even if indirectly, educates your customers on the importance of not reusing passwords.
