Credential Stuffing:
What It Is And How to Stop the Attacks


Some of the hardest cyberattacks to detect, prevent and stop are ones where a malicious actor is able to use legitimate user credentials to log into an active user account. Without a lot of sophisticated detection capabilities in place, the company hosting the account has no reason to suspect that anything is wrong. A customer simply appears to have logged into his or her account. The attacker achieved this successful ruse using stolen credentials—usually the result of a cyberattack technique known as “credential stuffing.” It’s a serious problem today, but one that can be mitigated with the right countermeasures.

What is Credential Stuffing?

Credential stuffing is a form of cyberattack wherein the attacker tries to log into a website multiple times using pairs of stolen usernames and passwords. The “stuffing” refers to the repetitive login attempts, which are almost always performed by automated bot software.

It’s not as if the hacker (clad in a hoodie, of course!) is sitting there, typing in credential after credential. The automated login bot could be made from an off-the-shelf tool like Selenium or a custom-developed hacker tool.
Indeed, some credential stuffing attacks involve millions of credentials—all being stuffed into the unsuspecting website login interface in the hope of being let in. Once inside, the attacker can take over the victim’s account.

If it’s an eCommerce account, the attacker can order merchandise. If the victim is a bank, the attacker can transfer funds offshore, and so forth.

Targets aren't defenseless though. Most websites have controls that block a suspicious user who is trying to log into thousands of different accounts from the same IP address in a short space of time. What credential stuffing attackers do to get around these protection techniques is this is to simulate geographic and IP diversity. Using powerful, often AI-driven tools, they can make it appear that thousands of users are randomly trying to log in at different times of day from all over the country. This is a lot harder to detect and stop.

Where do the hackers get the credentials?

The reason the hacker has to “stuff” so many credentials has to do with where they get their stolen credentials.

These credentials usually come from data breaches. Also known as “credential spills,” these attacks can result in millions of credentials getting dumped onto the dark web. If the spill came from a  bank, the hacker will try to use those credentials to get onto other sites. This approach works because so many people use the same username and password combination for multiple sites. (This practice is discouraged, but reality is what it is. People tend to repeat the same login credentials.)

Thus, if the attacker can get into one site, he can probably get into multiple sites using the spilled credentials. For instance, they might get a username/password pair like JohnDoe/525momma, but they have no idea what that pair will do for them. So, they try the pair on, Ebay, Citibank, Walgreens and on and on. They might try that pair on a thousand different sites.

Eventually, they’ll start opening doors.

How hCaptcha and hCaptcha Enterprise mitigate the credential stuffing threat

While it is possible to use  IP and location detection tools to prevent credential stuffing, a more cost effective and accurate method is simply to interrupt the automated credential stuffing bot itself. hCaptcha and hCaptcha Enterprise can stump the bot at the point of entry. Even if the bot has the right credentials, if it cannot get past hCaptcha Enterprise's detection or hCaptcha's CAPTCHA, it won’t get to do its stuffing and your site and users are protected.

Contact Us to learn more about hCaptcha Enterprise