Credential Stuffing
An attack using stolen username/password pairs from data breaches to access accounts on other services
Also known as: Credential Reuse Attack
Category: Concepts
Tags: security, attacks, credentials, passwords, automation
Explanation
Credential stuffing is an automated cyberattack where stolen account credentials, typically obtained from data breaches, are used to gain unauthorized access to user accounts on other services through large-scale automated login requests. This attack exploits the widespread practice of password reuse, where users employ the same username and password combinations across multiple websites and services.
Credential stuffing attacks work by acquiring leaked credential databases from previous breaches (available on dark web markets or through previous hacks), then using automated tools to test these credentials against target websites at scale. Unlike brute force attacks that guess passwords, credential stuffing uses known valid credentials, making it more efficient. Attackers often use botnets, rotating proxies, and CAPTCHA-solving services to evade detection and rate limiting.
Notable credential stuffing incidents include the 2020 Zoom attacks where over 500,000 account credentials were sold online, derived from credential stuffing rather than a Zoom breach. Dunkin' Donuts reported two credential stuffing attacks in 2015 and 2019 affecting customer accounts. Spotify, Disney+, and numerous streaming services have faced waves of credential stuffing attacks following major data breaches at other companies.
Defenses include implementing multi-factor authentication (MFA), which renders stolen passwords alone insufficient. Organizations should deploy bot detection and rate limiting, use CAPTCHA for suspicious login attempts, implement device fingerprinting, monitor for credential leaks affecting their users, and encourage unique passwords. Password managers help users maintain different passwords across services, eliminating the reuse that makes credential stuffing effective.
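As an added illustration of the bot-detection and monitoring defenses above (example code, not from this page), the following detector flags a login source that fits the credential stuffing pattern: many distinct usernames from one IP in a short window with a low success ratio. It deliberately does not flag the brute-force pattern (many tries on one username), matching the contrast the explanation draws. The log schema, thresholds, IPs and usernames are assumptions constructed for the example.

```python
# Added example, not the page's own code. Assumes an auth log already parsed
# into LoginEvent records; stuffing = one source trying MANY DISTINCT usernames
# in a short window with a low success ratio (brute force on ONE name is excluded).
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=20, max_success_ratio=0.05):
    """Return {src_ip: (distinct_usernames, attempts)} for each source IP whose
    busiest `window` hit >= min_accounts usernames with success <= ratio."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # shrink to fit window
                start += 1
            chunk = evs[start:end + 1]
            names = {e.username for e in chunk}
            if len(names) >= min_accounts and \
               sum(e.success for e in chunk) / len(chunk) <= max_success_ratio:
                # keep the largest qualifying window seen for this source
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(names), len(chunk)))
    return flagged


def sample_events():
    """Constructed auth log: one stuffing source, one brute-force source, one normal user."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    evs = [LoginEvent(t0 + timedelta(seconds=2 * i), "203.0.113.7",
                      f"user{i}@example.com", success=(i == 17))
           for i in range(30)]                              # 30 accounts, 1 hit
    evs += [LoginEvent(t0 + timedelta(seconds=i), "198.51.100.9",
                       "alice@example.com", success=False)
            for i in range(30)]                             # 1 account, 30 tries
    evs.append(LoginEvent(t0, "192.0.2.5", "bob@example.com", success=True))
    return evs
```

Running `detect_stuffing(sample_events())` returns only the stuffing source, `{'203.0.113.7': (30, 30)}`; the brute-force IP would be caught by a separate per-account lockout or rate-limit rule.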