Credential stuffing: What is it, and why is it dangerous for your business?

Credential stuffing: What is it, and why is it dangerous for your business?

Cyberspace is littered with millions of malicious actors that can derail your business activities, and one of the most notorious ones are credential stuffing attackers. These crooks were responsible for 193 billion attacks in 2020 alone, and they did not discriminate against what they could take from victims. According to Akamai Security, credential stuffers readily swiped not just bank details and personal data, but even rewards from retail and loyalty programs, such as gas cards, hotel stays, and airline miles.

But what exactly is credential stuffing and how does it happen? Read on to learn more.

What is credential stuffing?

Credential stuffing is a cyberattack method in which attackers breach into a system using lost or stolen user credentials. These attackers work under the premise that most users reuse their login credentials across multiple online services. Attackers typically use bots to try usernames and passwords across several login portals such as email, social media, online banking, and the like.

How does credential stuffing work?

Here’s how credential stuffers generally launch an attack:

  1. Stuffers acquire usernames and passwords from website breaches or phishing attacks. They may also get information from credential “dump sites” where breachers post stolen credentials for sale.
  2. Credential stuffers then try the usernames and passwords they acquired against several websites using automated tools to test stolen credentials against multiple sites at once.
  3. If a login is successful, the stuffers will know that they possess a valid set of credentials.

Once stuffers successfully gain access to an account, they will exploit any bit of information or access these accounts have. Social media accounts can be commandeered for social engineering purposes, email inboxes can be scanned for more login information, and bank accounts can even be cleaned out. Once cybercriminals gain access, there’s no telling how the information in your account will be used against you.

Why is credential stuffing bad for my business?

Credential stuffing is a threat to businesses because exploited user accounts may be used to explore your network’s vulnerabilities. Not only that, credential stuffers will often seek to gain as much financial leverage as they can. Here are some schemes they may carry out once they access your account:

  • Withdraw your money
  • Make unauthorized purchases
  • Gather sensitive information like credit card and Social Security numbers
  • Send phishing messages and/or spam
  • Sell your validated credentials to other attackers like ransomware operators

A successful credential stuffing attack on your business is likely to lead to worse types of attacks, so take this threat seriously and make sure you employ proactive steps to protect your information system.

How can I protect my business?

You must take a proactive approach to protect your SMB against credential stuffing. By deploying certain preventative measures, you can be assured that credential stuffers are kept out of your systems. Consider the following defenses:

  • Multifactor authentication (MFA)
    MFA requires users to provide a “token,” usually in the form of a physical, time-limited user verification method, alongside the account’s username-password combination, before allowing access. Examples are Apple’s FaceID, fingerprint verification on mobile devices, and codes generated by authenticator apps.
  • Strong password policy
    Security.org recommends using passwords with at least 16 characters consisting of letters, numbers, and special characters. It’s a good idea to use a password checking tool to see how effective your passwords are. Or, take your password policy up a notch by going passwordless.
  • Rate-limiting
    Credential stuffers typically use cloud-based servers, so have your IT team apply strict rate limits to traffic coming from commercial data centers.
  • Blocks and blacklists
    Task your IT team to sandbox IP addresses that attempt to log into multiple accounts. An IT security provider can also help block known “bad” IPs and headless browsers from accessing anything within your network.

Protect your data from credential stuffing and other internet-based threats. Boost your business’s IT security profile by partnering with Online Computers, one of New Jersey’s most trusted cybersecurity providers. Contact us today to get started.


Understand how common decision-making errors prevent your business from becoming more competitive and efficient. Download our free eBook today to get started!Learn more here