What Is Credential Stuffing?

Credential Stuffing definition and explanation.

Credential-based attacks are among the vectors most widely used by attackers. Credential stuffing is one of these techniques: stolen or otherwise compromised account credentials, typically held in a database or list, are replayed against login endpoints using highly scalable automation in order to gain unauthorized access to resources.

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords - the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.

Wikipedia
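The definitions above describe the attacker's side: a large list of previously breached username/password pairs replayed by automation. From the defender's side that behaviour leaves a recognisable trace in authentication logs, namely a single source trying many *different* accounts in a short window with a high failure rate (the opposite of an ordinary user who mistypes their own password a few times and then succeeds). The following detector is an added example written for this page; it is not code from Wikipedia or from any vendor cited here. The log line format, the sample lines, the IP addresses and the thresholds (60-second window, at least 5 distinct accounts, at least 70% failures) are all constructed for illustration and would need tuning against real traffic.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Heuristic: within a sliding time window, one source IP attempting many distinct
accounts with mostly failed logins is the signature of credential stuffing.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not from a real system). One IP cycles through ten
# different accounts and gets exactly one hit; a second IP is an ordinary user
# who fails twice on their own account and then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-03-01T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-03-01T10:00:01Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=dave@example.com result=OK
2024-03-01T10:00:02Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=judy@example.com result=FAIL
2024-03-01T10:00:10Z ip=198.51.100.5 user=mallory@example.com result=FAIL
2024-03-01T10:00:15Z ip=198.51.100.5 user=mallory@example.com result=FAIL
2024-03-01T10:00:20Z ip=198.51.100.5 user=mallory@example.com result=OK
"""

# Assumed (constructed) log format: "<ISO timestamp> ip=<ip> user=<user> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs whose activity inside some sliding
    window of window_seconds touched at least min_distinct_users distinct
    accounts with a failure ratio of at least min_fail_ratio.

    The summary also lists accounts where a login *succeeded* inside the flagged
    window: those are the accounts a defender must treat as compromised.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if not e[3])
            ratio = fails / len(window)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                # keep the largest qualifying window for this IP
                if best is None or len(window) > best["attempts"]:
                    best = {
                        "attempts": len(window),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "succeeded": sorted(e[2] for e in window if e[3]),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Two design points matter here. First, the key signal is *distinct accounts per source*, not failed attempts per account; per-account lockout thresholds do not fire when each account is tried only once. Second, the summary deliberately records the accounts that succeeded inside the flagged window, because a stuffing run that produces even one OK has confirmed a reused password, and that account needs a forced reset and session revocation rather than just a blocked IP. Real deployments would also key on device fingerprints or ASN rather than a single IP, since the tools named in the quote above are routinely run through proxy pools.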

Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.

Verizon 2020 Data Breach Investigations Report

43% of all logins seen by Akamai were attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet.

Akamai State of the Internet Q4 2017

Between January 1, 2018, and December 31, 2019, Akamai recorded more than 88 billion credential stuffing attacks across all industries. When we look specifically at the media sector, which includes streaming media, television networks, cable networks, broadcasting, and even digital publishing and advertising, that number is about 17 billion, or about 20% of all attacks.

Akamai blog