What Is Credential Stuffing?

Credential stuffing is an attack technique in which attackers automatically enter combinations of IDs (email addresses) and passwords leaked in past data breaches into a different service, attempting unauthorized logins. It exploits the reality that many users reuse the same password across multiple services, making password reuse the greatest risk factor. According to the 2024 Verizon DBIR, about 86% of web application attacks use stolen credentials, and this trend grows stronger every year.

How the Attack Works

Attackers first obtain leaked databases that are bought and sold on the dark web and elsewhere. Such a database contains millions to billions of ID and password combinations. Next, using botnets and automation tools, they enter these credentials en masse into the login forms of the targeted service. Accounts of users who reuse their passwords are easily breached by this attack.

The realities of leaked data are explained in detail in data breach and cybercrime books on Amazon.

Real-World Use Cases

"When we reviewed the WAF logs, we detected about 2 million credential stuffing attacks over a six-hour period starting at 10 p.m. last night. The source IPs were distributed across more than 50 countries, suggesting the use of a botnet."
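The pattern in that log review (many failed logins spread over many source IPs and many different accounts in a short window) is what distinguishes credential stuffing from a brute-force attack on a single account. The following is an added detection example, not code from the original page; the log lines are constructed, and the thresholds and window size are assumptions to be tuned per service.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, account, result.
# The 22:00 block mimics stuffing (many IPs, many accounts); the 23:30 block is one IP
# retrying one account, a brute-force pattern that must not be flagged as stuffing.
SAMPLE_LOG = """\
2024-05-01T22:00:01Z 203.0.113.10 alice@example.com FAIL
2024-05-01T22:00:02Z 198.51.100.7 bob@example.com FAIL
2024-05-01T22:00:02Z 192.0.2.44 carol@example.com FAIL
2024-05-01T22:00:03Z 203.0.113.11 dave@example.com FAIL
2024-05-01T22:00:03Z 198.51.100.8 erin@example.com FAIL
2024-05-01T22:00:04Z 192.0.2.45 frank@example.com SUCCESS
2024-05-01T22:00:05Z 203.0.113.12 grace@example.com FAIL
2024-05-01T22:00:05Z 198.51.100.9 heidi@example.com FAIL
2024-05-01T22:00:06Z 192.0.2.46 ivan@example.com FAIL
2024-05-01T23:30:00Z 192.0.2.99 mallory@example.com FAIL
2024-05-01T23:30:05Z 192.0.2.99 mallory@example.com FAIL
"""

def parse_log(text):
    """Return (timestamp, ip, account, result) tuples from whitespace-separated log lines."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events

def find_stuffing_windows(events, window=timedelta(minutes=1),
                          min_failures=8, min_ips=5, min_accounts=5):
    """Bucket events into fixed windows and flag those showing the stuffing signature:
    many failures across many source IPs AND many distinct accounts (assumed thresholds).
    Successful logins inside a flagged window are the reused accounts to force-reset."""
    buckets = defaultdict(list)
    for ts, ip, account, result in events:
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start].append((ip, account, result))
    alerts = []
    for start in sorted(buckets):
        fails = [(ip, acct) for ip, acct, res in buckets[start] if res == "FAIL"]
        ips = {ip for ip, _ in fails}
        accounts = {acct for _, acct in fails}
        if len(fails) >= min_failures and len(ips) >= min_ips and len(accounts) >= min_accounts:
            hits = sorted(acct for _, acct, res in buckets[start] if res == "SUCCESS")
            alerts.append({"window_start": start, "failures": len(fails),
                           "source_ips": len(ips), "accounts": len(accounts),
                           "successful_logins": hits})
    return alerts

if __name__ == "__main__":
    for alert in find_stuffing_windows(parse_log(SAMPLE_LOG)):
        print(alert)
```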

Attack Flow

Obtain leaked DB
Build ID/PW list
Auto-fill into other services
Breach reused accounts

Defensive Measures

The most effective measure is to use a different password for each service. By generating a random password for each service with passtsuku.com and managing them in a password manager, even if a breach occurs at one service, you can completely block its impact on other services. It is also important to regularly check services such as Have I Been Pwned to see whether your email address is included in leaked data. Password management guides (Amazon) are also helpful references.
