What Cardholders & Merchants Should Know to Prevent Credential Stuffing Attacks
Credential stuffing attacks are a leading cause of data breaches today.
A big part of the problem is that 64% of people tend to use the same password for multiple, if not all, of their accounts. And, the chances for hackers to succeed with credential stuffing are on the rise as more and more stolen credentials become available through data breaches. Right now, there are literally billions of these compromised login details floating around on the dark web.
However, it's entirely possible to stop credential stuffing attacks by putting the right cybersecurity strategies in place. Executives should be aware of what credential stuffing entails and what steps can be taken to lower the chances of their organizations falling prey to these attacks.
What is Credential Stuffing?
Credential stuffing is a brute force fraud tactic that involves using bots to automatically attempt to enter stolen username and password pairs into a web form. The term “credential stuffing” refers to the fact that bots can attempt hundreds of sets of login credentials per minute until they find a match.
Credential stuffing is a type of cyberattack. Hackers use stolen usernames and passwords from one source to gain unauthorized access to accounts at another site. These stolen credentials are often obtained from past data breaches or bought from hidden markets on the internet.
To illustrate, picture a thief with a massive ring of keys, who is trying to get through a locked door. The thief tries each key to see which one opens the door. Credential stuffing is basically the digital version of this.

Due to the scale and frequency of data breaches, stolen credentials are a dime a dozen. In 2013, for example, state-sponsored cyberattackers leaked the usernames, passwords, birthdays, names, and email addresses associated with all three billion Yahoo accounts. The breach wasn’t detected until three years later.
How Does Credential Stuffing Work?
Attackers use botnets to test thousands or millions of stolen username and password combinations at once. If they find a match, they can gain unauthorized access.
In this process, the hacker uses automated programs to rapidly test these stolen login details across numerous websites. This method works because many people reuse their passwords across multiple sites. If the hacker finds a match, they can enter accounts, steal sensitive information, or cause other harm.
So, how exactly do they do it? Well, here’s how credential stuffing happens, step by step:
Step #1 | Gathering Stolen Information
The first step for a hacker is to collect lots of usernames and passwords, usually from past security breaches. These stolen details can be bought in bulk on the dark web, in various chat forums or by other means.
Step #2 | Preparing the Attack
Once they have these credentials, hackers organize them, often selecting the most likely to succeed for their attempts. This can be done manually, or credentials can be sorted using an automated process.
Step #3 | Automating Login Attempts
Hackers then use specialized software to automatically enter the stolen usernames and passwords on a wide range of websites. This software can test thousands of logins across multiple sites in a matter of seconds.
Step #4 | Gaining Unauthorized Access
If (or inevitably when) the bot finds a login that works, the hacker can then get into that account. They might look for personal information, make unauthorized purchases, or use the account in other harmful ways.
After breaking into an account, hackers might use it immediately for malicious purposes, or file away the information and save it to conduct fraud later. They can also sell the access they've gained to others in dark web markets.
Why are eCommerce Merchants Targeted for Credential Stuffing?
eCommerce merchants have large user bases and an abundance of high-value data, so they’re easy to target and lucrative to exploit.
Online sellers are prime targets for credential stuffing because they have a treasure trove of valuable customer data, including username and password combinations, card numbers, email addresses, phone numbers, and other personally identifying information (PII).
A credential stuffing attack launched against a single merchant can potentially compromise hundreds or even thousands of accounts, which fraudsters can then take over, sell, or misappropriate for other attacks.
Another unfortunate reason eCommerce merchants are particularly susceptible to credential stuffing is that they are easy targets. A bad actor located anywhere in the world can aim a credential stuffing or carding attack at a seller, which leaves many small-scale eCommerce sellers, who lack sufficient fraud prevention tools or the security infrastructure to defend themselves, particularly vulnerable.
Only about 0.1% of credential pairs will work; that’s just one in every 1,000 credential stuffing attempts. Bots can carry out these attacks super fast, though. Even with a 0.1% success rate, that’s still thousands of compromised accounts per attack.
Real-World Examples of Credential Stuffing
Credential stuffing attacks have become so routine that there's actually a going rate for hacked accounts; a kind of twisted online marketplace, based around supply and demand.
The price tag on these stolen accounts depends on what a buyer can do with them. Credentials for financial accounts (banks, PayPal, Western Union, etc.), for instance, might sell for anywhere from $30 to $120. Plus, hackers are coming up with new ways to break into systems every day, and each attacker seems more clever than the last.
Here are a few recent, real-world stories that illustrate just how big a problem this can be:
New York Attorney General
The office of the New York Attorney General uncovered one million exposed accounts in a 2022 credential stuffing probe, involving credentials for customer accounts at 17 well-known companies. Targeted sectors included online retailers, restaurant chains, and food delivery services.

Canada Revenue Agency & GCKey
According to CBC Canada, the Canada Revenue Agency found out that, out of about 12 million GCKey accounts, 9,041 were hacked using credential stuffing. They had to shut down their online services for a bit to deal with it.
PayPal
A recent PayPal breach impacted 35,000 accounts. The company has thus far not identified any unauthorized transactions. However, it was reported that the attack may have been carried out to use those thousands of compromised accounts in other schemes.
US Banks
ZDNet reported on an FBI warning that hackers used stolen login details to make fraudulent check withdrawals and electronic transfers from a US bank between January and August 2020. They managed to steal more than $3.5 million in this attack.

These are some high-profile cases, but small-scale attacks happen every day. Retail accounts are hot items, for instance. Someone might pay around $30 for access to a compromised Amazon account.
Social media accounts are in demand, too. They can be used for all sorts of shady activity, from fake promotion campaigns (called “astroturfing”) to tricking someone's contacts into downloading harmful software. Prices vary by platform: a Facebook account might go for $65, Instagram for $45, and Gmail for a solid $80.
What Credential Stuffing Actually Costs Merchants
In addition to the immediate consequences, credential stuffing also casts a long shadow that can up your chargeback costs, overwhelm your customer service team, and cost you sales by slowing down your website. Sellers may also face muddied analytics data or reputational harm.
Credential stuffing attacks are both common and costly. While there’s been a lot of ink spilled regarding how data exposure impacts individuals, we should also spotlight the potential exposure for banks and eCommerce merchants:
Statistics panel (figures not shown):
- Cost of an average credential stuffing attack (source: Human Security)
- Number of stolen credentials circulating on the internet at any given time (source: New York State Attorney General)
- Average number of credential stuffing attacks per day (source: Akamai)
- Records involved in the world’s largest credential stuffing attack, discovered in June 2025 (source: BlackFog)
- Share of login attempts that include leaked passwords (source: Cloudflare)
How Much are You Losing to Credential Stuffing?
Like we outlined above, the cost of a single fraud attack extends far beyond just the revenue from the sale in question.
Let’s say a scammer conducts a credential stuffing attack and manages to successfully compromise a customer’s account and conduct a fraudulent purchase. Every time that happens, you’re going to get hit with a chargeback.
These costs are going to snowball over time. To examine your overall exposure, add up, for each chargeback, the annual revenue lost, the chargeback fees, the administrative fees, and the cost of goods and shipping; the sum is your total annual chargeback cost.
“Red Flags” of Credential Stuffing
Credential stuffing “red flags” include customer complaints, repeated account lockouts, unauthorized account activity, and a large volume of login attempts from a single IP address.
There are some clear warning signs for which everyone should be on the lookout here. Catching these hints early can really save a lot of trouble for businesses and their customers.
- Weird Login Attempts: Getting messages about someone trying to log in or reset passwords, despite not having actually done this.
- Repeated Account Locks: If an account keeps getting locked because of too many login attempts, it may be someone repeatedly testing multiple passwords.
- Strange Account Activity: Orders or credential changes that no authorized user made.
- Failed Logins: Getting a bunch of notices about login attempts from places or devices you don't recognize.
- New Device or Location Warnings: Alerts about new devices in unusual locations accessing the account.
- Unexpected Emails or Messages: Receiving emails or messages regarding activity that no authorized user recognizes.
- Lots of Login Attempts from One Place: Seeing many login tries, using different credentials, all from just one IP address.
- Customer Complaints: Customers reporting weird account activity or lockouts might mean a widespread attack on many accounts.
Spotting these signs early can help prevent bad actors from doing serious damage.
Businesses can use tools to watch for odd login patterns or set up challenges like CAPTCHAs to stop automated hacking attempts. Users can also make it tougher for hackers by using different passwords for different sites and turning on extra security steps, like getting a code on your phone whenever possible.
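The IP-based red flags above (many login attempts, with different credentials, all from one source) can be checked mechanically against login logs. The following is an added example, not code from the original article; the log format, the thresholds and the sample lines are all constructed assumptions:

```python
"""Flag credential stuffing patterns in login logs (added example).

Assumed log format, one line per attempt:
    <ISO timestamp> <client IP> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 tries many distinct usernames in seconds
# (a credential list being replayed); 198.51.100.7 is one user retrying
# their own password, which must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:01 203.0.113.5 bob FAIL
2024-05-01T10:00:01 203.0.113.5 carol FAIL
2024-05-01T10:00:02 203.0.113.5 dave SUCCESS
2024-05-01T10:00:02 203.0.113.5 erin FAIL
2024-05-01T10:00:03 203.0.113.5 frank FAIL
2024-05-01T10:00:10 198.51.100.7 grace FAIL
2024-05-01T10:00:20 198.51.100.7 grace FAIL
2024-05-01T10:00:30 198.51.100.7 grace SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def flag_stuffing_sources(text, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that, within `window` of their first
    attempt, hit at least `min_users` distinct accounts with a success rate
    at or below `max_success_rate`. Thresholds are assumed values."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = events[0][0]
        recent = [e for e in events if e[0] - start <= window]
        users = {u for _, u, _ in recent}
        rate = sum(1 for _, _, ok in recent if ok) / len(recent)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": len(recent),
                           "distinct_users": len(users),
                           "success_rate": round(rate, 3)}
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```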
Responding to Credential Stuffing Attacks
On day one of a credential stuffing attack, focus on stopping the bleed by blocking IPs and forcing password resets. You can then shift to identifying root causes and patterns, communicating with customers, and exploring security upgrades.
If you have already experienced a credential stuffing attack, how can you respond? The answer is that your actions should look different depending on how far out you are from the attack. Below, I’ve outlined a credential stuffing response roadmap you can follow:
In the first 24 hours, you should be focused on containing the threat and regaining control. Don’t worry about root causes at this point. Instead, focus on protecting your customers and your platform.
To start, your technical team should work to identify the IP addresses and regions originating the attack, so that you can implement blocks to stop it. While the attackers may use a VPN to switch IPs, this initial step can provide some temporary relief.
Next, initiate a forced password reset for all user accounts; not just the ones you suspect are compromised. This step can invalidate any stolen credentials currently being used.
At the same time, prepare your customer service team with a clear, concise script they can use to explain the situation. Inform them that a security event has occurred. Explain that your customers’ accounts are safe, but you’re taking proactive steps to protect all accounts, and that a password reset is required. Avoid technical jargon and focus instead on reassuring your customers.
Now that the immediate threat is contained, you can turn your focus towards strengthening your defenses and understanding the scope of the attack. During the first week, analyze what happened and begin implementing improved solutions.
Begin by analyzing server logs to determine the full scale of the attack. How many accounts were targeted, how many were successfully breached, and what actions did the attackers take?
Then, look for patterns in the fraudulent orders. Were they all shipped to a specific region? Did they all use a particular payment method?
Answers to these questions can help you identify and potentially reverse fraudulent payments before a chargeback happens. At this point, you can also move to rate limit logins, which restricts the number of login attempts from a single IP address in a given timeframe. While simple, this defense can immediately defeat the brute-force nature of credential stuffing attacks.
Finally, communicate in more detail with your customers about what happened. Publish a blog post and video that talks about what you’ve done to fix the problem, and what they can do to protect their accounts in the future, for example by using unique passwords.
By the end of the first month, your focus should shift from reactive defense to proactive security and long-term policy changes. At this stage, your goal is to rebuild customer trust and make your eCommerce store an unattractive target for future attacks.
The top priority is to implement multi-factor authentication (MFA). While it adds a small amount of friction to the login process, it is one of the single most effective defenses against credential stuffing. Offer multiple second-factor options, including SMS codes, authenticator apps, or email verification.
You should also conduct a thorough review of your entire security posture. Are there other vulnerabilities? Is your software up to date? Consider engaging a third-party security firm to perform a penetration test.
Finally, use this event as an opportunity to educate your customers about account security. Create a permanent, easily accessible resource on your site about creating strong passwords, recognizing phishing attempts, and the benefits of MFA.
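The authenticator-app option named as the top priority above is the TOTP scheme of RFC 6238. Below is an added example of the server-side check, not code from the article or from any product; the secret is the RFC's published test value, and the one-step drift window is an assumed policy:

```python
"""Verify authenticator-app (TOTP, RFC 6238) codes at login (added example)."""
import hmac
import hashlib
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of steps since epoch."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, submitted: str, at=None,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Constant-time comparison against the current step and its neighbours.

    A small window tolerates clock drift between phone and server; keep it
    small, since every extra step is one more code a guess could match.
    A production check should also refuse to accept the same step twice.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(secret, counter + delta, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); real deployments
    # use a random per-user secret exchanged via QR code at enrolment.
    SECRET = b"12345678901234567890"
    code = totp(SECRET, 59)
    print(code, verify_totp(SECRET, code, at=59))
```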
How to Prevent Credential Stuffing
Strong passwords, biometrics, behavioral analytics, CAPTCHA challenges, rate limiting, traffic blocks, and customer education can help merchants prevent credential stuffing attacks.
Credential stuffing is a persistent threat, especially for eCommerce merchants. According to Okta, 51.3% of credential stuffing or carding attacks involved online retailers in 2023.
Given the prevalence of this scam, how can you protect yourself as an online seller? Here are some tips:
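Rate limiting logins, named in the response roadmap above and in the prevention summary, in an added example that is not from the original article. It goes slightly beyond the text by keying limits on the target account as well as on the source IP; the limits and the in-memory store are assumptions:

```python
"""Sliding-window login rate limiter (added example).

Assumed policy: at most `max_attempts` failed logins per key within
`window_seconds`, keyed by client IP and, separately, by account name,
so one source hammering many accounts and many sources hitting one
account both trip a limit. Counters live in memory; a shared store
(e.g. Redis) would be needed across several web servers.
"""
from collections import deque, defaultdict

class LoginRateLimiter:
    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key, now):
        """Drop failures older than the window and return the live queue."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, ip, username, now):
        """True if neither the IP nor the account is over its limit."""
        return all(len(self._prune(k, now)) < self.max_attempts
                   for k in (f"ip:{ip}", f"user:{username}"))

    def record_failure(self, ip, username, now):
        for k in (f"ip:{ip}", f"user:{username}"):
            self._hits[k].append(now)

def attempt_login(limiter, ip, username, password_ok, now):
    """Login handler sketch: the limit is checked before the password, so
    a blocked source cannot keep testing credentials."""
    if not limiter.allowed(ip, username, now):
        return "rate_limited"
    if password_ok:
        return "ok"
    limiter.record_failure(ip, username, now)
    return "bad_credentials"

if __name__ == "__main__":
    lim = LoginRateLimiter(max_attempts=3, window_seconds=60)
    # Constructed sequence: one IP cycles through distinct accounts and is
    # cut off on the fourth attempt even though that password is correct.
    for i, user in enumerate(["alice", "bob", "carol", "dave"]):
        print(user, attempt_login(lim, "203.0.113.5", user, user == "dave", i))
```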
Remember: even when fraud attacks do occur, consumers have some protection in the form of credit card chargebacks. This means the bank can reverse suspect transactions and re-credit the customer's account.
That’s good news for cardholders… but not so much for merchants, who end up bearing the financial burden.
Thankfully, help is available. Chargebacks911® offers a comprehensive solution to help you protect your business and keep your chargeback ratio low. Don't let chargebacks undermine your success. Take action today to secure your operations and reputation.
FAQs
What is the difference between credential stuffing and password spraying?
Credential stuffing attacks use stolen account credentials (usernames and passwords) obtained from previous data breaches to attempt to log into other websites or services.
Password spraying, on the other hand, takes a different approach. Instead of using a list of known password combinations, attackers select a common password (such as "Password123" or "Spring2020") and attempt to log in to many different accounts with it. This method relies on the statistical likelihood that at least some users will have chosen weak or commonly used passwords.
What is the best solution to credential stuffing?
To prevent credential stuffing, implement multi-factor authentication (MFA) for all user accounts. This will add a critical second layer of security. Also, educate users on the importance of using unique passwords for each account to reduce the risk of successful attacks.
What is an example of credential stuffing?
Let’s say a hacker obtains a list of usernames and passwords from a data breach at one company, then uses automated software to try those credentials on a banking website, successfully accessing several user accounts. This unauthorized access allows the hacker to transfer funds and gather personal information from the compromised accounts.
How does credential stuffing impact a user?
Credential stuffing can lead to unauthorized access to users' accounts across multiple platforms, resulting in identity theft, financial loss, and personal data compromise. The user may also face the cumbersome process of securing compromised accounts and recovering stolen assets.
What is the difference between brute force and credential stuffing?
Credential stuffing is actually a specific type of brute force attack.
Brute force attacks attempt to gain access by systematically trying every possible password combination until the correct one is found, without relying on previously stolen data. Credential stuffing, specifically, involves using previously stolen username and password combinations to gain unauthorized access to user accounts across various services, exploiting the common practice of password reuse.
How do you detect credential stuffing?
eCommerce merchants can detect credential stuffing through a combination of fraud detection tools, including velocity checks, device fingerprinting tools, bot monitoring tools, and machine learning-based anomaly detection systems. When used in conjunction with each other, these systems can spot spikes in login attempts, suspicious login patterns, bot traffic, and unusual geolocation data, which are signs that a credential stuffing attack may be imminent.
What is the success rate of credential stuffing?
The success rate of a credential stuffing attack is roughly 0.1%. This means that a fraudster may succeed once for every 1,000 login attempts. While this may be draining to carry out manually, credential stuffing scammers can use scripts to automate their attacks, which means they can attempt hundreds of thousands or even millions of logins per second.