You are here

Credential Stuffing Protection & Prevention

Author: Katherine S. Choi & Andy Lin

In July 2020, a mid-sized U.S. financial institution experienced a large amount of login attempts with various credential pairs. This attack was attributed to the use of automated bots and resulted in more than $3.5 million in fraudulent check withdrawals and Automated Clearing House (ACH) transfers. This is just one of the many examples of increasing credential stuffing attacks against U.S. Securities and Exchange Commission (SEC)-registered investment advisers and broker dealers that has been observed by the Office of Compliance Inspections and Examinations (OCIE). A Private Industry Notification (PIN) released by the Federal Bureau of Investigation (FBI) noted that from 2017 to 2019, credential stuffing attacks accounted for 41% of total security incidents against the financial sector.

We take a look at this growing attack environment and detail steps you can take to protect your organization from these threats.

What is credential stuffing?

Credential stuffing is a cyberattack that uses compromised client login credentials to obtain customer assets and sensitive personal information. Attackers first access the dark web and obtain lists of usernames, email addresses, and corresponding passwords. They then use automated scripts to try the credentials on other websites in an attempt to gain unauthorized access to customer accounts. Bad actors found this method to be more effective than traditional brute force attacks, where attackers repeatedly guess passwords using numerous combinations of words and numbers.

How are credentials obtained?

Credential stuffing is steadily growing in popularity among hackers, creating a lucrative market for stolen credentials. The dark web is by far the most pervasive source of this stolen information. In 2019, the average price for information regarding bank details was valued at $260.

The dark web is the World Wide Web content that exists on darknets, which are overlay networks that can only be accessed on the internet with specific software, configurations, or authorization access. Since the dark web allows users to be completely anonymous, it became a shroud for illegal activity and a repository for stolen data. It provides common communications between criminal networks such as private chat rooms, hacker forums, and peer-to-peer networks. Here, hackers dump collections of stolen accounts (taken by successful phishing attempts or breaches) and sell them.

Personally identifiable information (PII), such as financial or healthcare information, can dramatically increase the value of the credentials for resale. Although many of these accounts may be outdated, it only takes a reused password or lack of an adequate password policy to become the entry point for bad actors to gain higher access.

Why does this matter?

When a credential stuffing attack succeeds, bad actors use customer accounts to gain access to your organization’s systems, where they can steal assets, view confidential information, and obtain more credential information to sell to other hackers on the dark web. According to the OCIE, the risk of a successful credential stuffing attack increases when users use the same password (or minor variations of the same password) for different accounts. For example, using “Hello!1” on one account and “Hello!2” on another.

The 2018 Global Password Security Report showed that 50% of users use the same passwords for both personal and work accounts, and a 2019 online survey by Google determined that 66% of people used the same password for multiple or all accounts.

Even when websites enforce the use of complex passwords, users tend to create one complex password and use that same password for multiple accounts. Until users are affected by an attack, they don’t realize the harm in reusing passwords. Organizations and service providers have tried to determine the best way to mitigate these types of attacks. However, humans are at the center of the password reuse problem due to our preference for simple patterns and our tendency to forget passwords.

How do I know if an account is under a credential stuffing attack?

According to the PIN released by the FBI, credential stuffing attacks and distributed denial-of-service (DDoS) attacks account for the majority of security incidents against the financial sector. Although both attacks slow or crash networks, there are two indicators specific to credential stuffing:

  • An unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses via the online login portal
  • An unusually high lockout rate or an influx of customer calls regarding account lockouts

How can I prevent credential stuffing attacks?

Firms can mitigate credential stuffing and other password-related security incidents by:

1. Preventing the use of weak, similar, or old passwords

Ensure that users select strong, complex passwords that are significantly different from old passwords. Fuzzy-matching is a technique used for detecting bad password patterns such as case-variants or reversed password alterations.

2. Decreasing reliance on routine password resets

The NIST password guidelines (SP 800-63) explain that reset periods have become more detrimental than constructive. Instead of creating new, stronger passwords, users end up creating weaker passwords each time the password is reset. A study conducted at Carnegie Mellon University found that students, faculty, and staff who reported annoyance with the password policy chose weaker passwords than those who didn’t report annoyance.

3. Validating credentials against databases of known leaked usernames or passwords (including the dark web), and requiring users change the password if a match is found

Organizations should monitor the dark web for lists of leaked user IDs and passwords, and perform tests to evaluate whether current user accounts are susceptible to credential stuffing attacks.

Actively monitor user accounts/passwords for known weak passwords or whether they're appearing on list of breached credentials. If so, the organization should force the user to change their credentials.

4. Monitoring accounts for unauthorized access, modification, and multiple incorrect login attempts and analyzing the “fingerprint” associated with the attempts

Firms should monitor and set up alerts for access attempts. For example, an employee who works out of Boston, MA shouldn’t be logging in from an IP address in Los Angeles, CA. According to the OCIE, the “fingerprint” of a login can include parameters such as operating system, language, browser, time zone, and user agent. If the same combination of parameters are logging in several times in rapid succession, it’s most likely a brute force or credential stuffing attack. An additional control would be to lock out users after a predetermined number of attempts to prevent automated scripts from repeatedly guessing password combinations.

5. Requiring multi-factor authentication (MFA)

The OCIE explains that MFA can offer one of the best defenses to password-related attacks. The strength of the MFA is determined by the amount of factors employed in the system. Factors can include something you know (e.g. a password), something you are (e.g. a fingerprint), or something you have (e.g. a mobile device). Many organizations choose to use soft-token authenticators, like entering a one-time code sent to your mobile device after entering your login credentials.

6. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

CAPTCHAs require users to confirm they’re not running automated scripts by performing an action to prove they’re human. The most common tests include identifying a particular object in a grid of pictures or identifying combinations of letters and numbers against a background of other noise.


Organizations must proactively review their customer account protection safeguards and identity theft prevention programs, and consider updating programs or policies to address these risks. Credential stuffing isn’t the only type of attack that bad actors are using. DDoS, phishing, brute force, and dictionary attacks still remain prevalent in the security environment. More than 15 billion credentials are in circulation on dark web markets, up 300% since 2018, according to a report conducted by Digital Shadows.

The dark web contains more than just user credentials, including social security numbers, medical records, and more—and critical steps must be taken to ensure the safety of your customer, vendor, and institution data.