The State of Credential Stuffing Attacks in 2021

November 24, 2021 • Rehack Team


A credential stuffing attack is a cyberattack where cybercriminals use stolen credentials to gain unauthorized access to user accounts. To do that, they typically use repeated automated login requests to break past the login screen. On top of being dangerous, they’re also fairly common, so it’s important to watch out for them.

What Are Credential Stuffing Attacks?

Often credential stuffing attacks will leverage brute-force tactics. The bad actors propagating these attacks repeatedly and systematically submit different credentials to try to access systems or data. The difference is that they specifically leverage usernames and passwords they’ve obtained in a phishing attack, dark web purchase, or other password dump site to run the attack.

Once these hackers have successfully authenticated themselves on a victim’s account, they can do all sorts of things. The Open Web Application Security Project (OWASP) Foundation explains that attackers can use a compromised account to make fraudulent purchases or steal sensitive information, for instance. They can also send phishing messages or spam attempts to the account’s contacts to try to broaden their pool of victims.

How Pervasive Are Credential Stuffing Attacks?

According to THINK Digital Partners, credential stuffing accounted for 16.5% of attempted login traffic on an authorization and authentication platform in the first three months of 2021. This activity peaked at around 40% of traffic near the end of March. From an industry perspective, travel & leisure as well as retail were the most commonly targeted.

In 2021, Globe Newswire shared another report’s findings where the average cost required to contain a single phishing-based credential compromise had increased from $381,920 to $692,531 over the span of just five years. That’s a hefty price tag considering the reality that organizations experience an average of 5.3 phishing-based credential compromises each year.

Why Are They So Common?

One of the reasons credential stuffing is so prolific is that malicious actors have a strong financial incentive to perform these attacks. Attackers can use compromised credentials to conduct identity theft and perform credit card fraud for their own gain, after all. But they can also monetize those details on dark web marketplaces and hacking forums.

Often, digital criminals are willing to buy hacked credentials and use them for their own malicious activity. Attackers who don’t personally want to use stolen usernames and passwords always have the option of selling that data to someone who does have a use for them.

What Makes Them More Likely to Occur?

The problem of password reuse makes it easy for attackers to obtain passwords and use them to target different organizations. A 2019 survey covered by Infosecurity Magazine found that around 65% of people reused the same password for multiple if not all their web accounts, for instance. Nearly half (45%) of those survey participants admitted that they didn’t consider password reuse to be a serious risk.

That wasn’t the case for a majority of respondents in another study reported on by Threatpost, however. In fact, 9 in 10 participants said that they understood password reuse to be a risk. Even so, two-thirds of individuals said that they “always” or “mostly” use the same password or a variation of it.

These findings help to explain why incidents involving compromised credentials are so commonplace…and expensive. In its Data Breach Investigations Report (DBIR) 2020, as an example, Verizon Enterprise wrote that 80% of the hacking-related breaches analyzed by its researchers had either involved brute force or the use of lost or stolen credentials.

How to Defend Against Credential Stuffing Attacks

Organizations can defend themselves against credential stuffing attacks by first focusing on their authentication mechanisms. Organizations need to make sure that employees are using passwords of sufficient strength, complexity, and uniqueness for their accounts.

However, organizations must not rely on passwords alone to secure their employees’ accounts. They’re too easily compromised. To better defend against credential stuffing attacks, organizations can apply additional security controls. They can implement behavioral analytics, avoid the use of email addresses as user IDs, and use multi-factor authentication (MFA).

Organizations also need to take a proactive approach against credential stuffing as a tactic specifically. They should monitor data breaches and password dumps for their own corporate credentials. If they spot anything involving their domain, they might want to consider implementing a password reset for all employees, contractors, and partners.

They should also think about using geofences to block traffic that could be coming from areas where they know they don’t have any employees who would be attempting to log in. Finally, organizations need a way to spot a credential stuffing attack that’s succeeded. They can do this by implementing a behavioral analytics tool in their environments.

Such a solution can help them to spot anomalous behavior on their authorized accounts including attempts to exfiltrate information outside of the corporate network. In those types of scenarios, the tool can issue an anomaly alert, at which point in time the security team can lock down the account and terminate an attacker’s access to it.
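The two detection ideas above, spotting the automated login burst itself and then finding the accounts it managed to open, can be shown in a few lines of log analysis. The following Python script is an added example and is not code from the article or from any vendor it mentions. It assumes a constructed, simplified login-event format (one line per attempt with source IP, username, and result); the sample log, the thresholds, and the field names are all assumptions, not something the article specifies. The rule distinguishes a stuffing pattern (one source cycling through many different usernames with a high failure rate) from an ordinary user mistyping their own password a couple of times.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of login events (not real data). Assumed format:
# <ISO-8601 UTC timestamp> ip=<source> user=<username> result=<success|failure>
# 203.0.113.7 cycles through ten different accounts in a few seconds and
# gets one success; 198.51.100.20 is a single user who mistypes twice.
SAMPLE_LOG = """\
2021-11-24T10:00:01Z ip=203.0.113.7 user=alice result=failure
2021-11-24T10:00:02Z ip=203.0.113.7 user=bob result=failure
2021-11-24T10:00:02Z ip=203.0.113.7 user=carol result=failure
2021-11-24T10:00:03Z ip=203.0.113.7 user=dave result=failure
2021-11-24T10:00:03Z ip=203.0.113.7 user=erin result=failure
2021-11-24T10:00:04Z ip=203.0.113.7 user=frank result=failure
2021-11-24T10:00:04Z ip=203.0.113.7 user=grace result=success
2021-11-24T10:00:05Z ip=203.0.113.7 user=heidi result=failure
2021-11-24T10:00:05Z ip=203.0.113.7 user=ivan result=failure
2021-11-24T10:00:06Z ip=203.0.113.7 user=judy result=failure
2021-11-24T10:05:00Z ip=198.51.100.20 user=alice result=failure
2021-11-24T10:05:30Z ip=198.51.100.20 user=alice result=failure
2021-11-24T10:06:00Z ip=198.51.100.20 user=alice result=success
2021-11-24T10:07:00Z ip=192.0.2.44 user=bob result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_events(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "success"})
    return events


def detect_credential_stuffing(events, window_seconds=300,
                               min_distinct_users=8, min_failure_ratio=0.7):
    """Return one alert per (source IP, time window) whose login attempts
    spread across many distinct usernames with a high failure rate.

    Successful logins inside a flagged window are listed as accounts to
    review, since those are the ones the attacker actually opened."""
    buckets = defaultdict(list)
    for ev in events:
        # Fixed-size windows keyed on the source IP and the window start time.
        window_start = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        buckets[(ev["ip"], window_start)].append(ev)

    alerts = []
    for (ip, window_start), evs in sorted(buckets.items()):
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        ratio = failures / len(evs)
        if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
            alerts.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(window_start, tz=timezone.utc),
                "attempts": len(evs),
                "distinct_users": len(users),
                "failure_ratio": round(ratio, 2),
                "compromised_accounts": sorted(e["user"] for e in evs if e["ok"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {alert['ip']} window {alert['window_start']:%H:%M}: "
              f"{alert['attempts']} attempts across {alert['distinct_users']} accounts, "
              f"failure ratio {alert['failure_ratio']}; "
              f"review/lock: {', '.join(alert['compromised_accounts']) or 'none'}")
```

On the constructed sample this flags only 203.0.113.7 and names grace as the account to lock and reset, while the repeated failures from 198.51.100.20 stay quiet because they all belong to one username. In a real deployment the same rule would run over the authentication platform's logs, and the thresholds would be tuned against normal traffic (shared NAT addresses, for instance, legitimately produce several usernames per source).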

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.