What Cardholders & Merchants Should Know to Prevent Credential Stuffing Attacks
Credential stuffing attacks are a leading cause of data breaches today.
A big part of the problem is that 64% of people tend to use the same password for multiple, if not all, of their accounts. And, the chances for hackers to succeed with credential stuffing are on the rise as more and more stolen credentials become available through data breaches. Right now, there are literally billions of these compromised login details floating around on the dark web.
However, it's entirely possible to stop credential stuffing attacks by putting the right cybersecurity strategies in place. Executives should be aware of what credential stuffing entails and what steps can be taken to lower the chances of their organizations falling prey to these attacks.
What is Credential Stuffing?
Credential Stuffing
[noun] /krə • dent • SHəl • stəf • iNG/
Credential stuffing is a brute force fraud tactic that involves using bots to automatically attempt to enter stolen username and password pairs into a web form. The term “credential stuffing” refers to the fact that bots can attempt hundreds of sets of login credentials per minute until they find a match.
Credential stuffing is a type of cyberattack. Hackers use stolen usernames and passwords from one source to gain unauthorized access to accounts at another site. These stolen credentials are often obtained from past data breaches or bought from hidden markets on the internet.
To illustrate, picture a thief with a massive ring of keys, who is trying to get through a locked door. The thief tries each key to see which one opens the door. Credential stuffing is basically the digital version of this.

How Does Credential Stuffing Work?
In this process, the hacker uses automated programs to rapidly test these stolen login details across numerous websites. This method works because many people reuse their passwords across multiple sites. If the hacker finds a match, they can enter accounts, steal sensitive information, or cause other harm.
So, how exactly do they do it? Well, here’s how credential stuffing happens, step by step:
Step #1 | Gathering Stolen Information
The first step for a hacker is to collect lots of usernames and passwords, usually from past security breaches. These stolen details can be bought in bulk on the dark web, in various chat forums or by other means.
Step #2 | Preparing the Attack
Once they have these credentials, hackers organize them, often selecting the most likely to succeed for their attempts. This can be done manually, or credentials can be sorted using an automated process.
Step #3 | Automating Login Attempts
Hackers then use specialized software to automatically enter the stolen usernames and passwords on a wide range of websites. This software can test thousands of logins across multiple sites in a matter of seconds.
Step #4 | Gaining Unauthorized Access
If (or inevitably when) the bot finds a login that works, the hacker can then get into that account. They might look for personal information, make unauthorized purchases, or use the account in other harmful ways.
After breaking into an account, hackers might use it immediately for malicious purposes, or file away the information and save it to conduct fraud later. They can also sell the access they've gained to others in dark web markets.
Why are eCommerce Merchants Targeted for Credential Stuffing?
Online sellers are prime targets for credential stuffing because they have a treasure trove of valuable customer data, including username and password combinations, card numbers, email addresses, phone numbers, and other personally identifying information (PII).
A credential stuffing attack launched against a single merchant can potentially compromise hundreds or even thousands of accounts, which fraudsters can then take over, sell, or misappropriate for other attacks.
Another unfortunate reason why eCommerce merchants are particularly susceptible to credential stuffing attacks is that they are easy targets. A bad actor located anywhere in the world can potentially aim a carding attack at a seller, making many small-scale eCommerce sellers who lack sufficient fraud prevention tools or the security infrastructure to defend themselves particularly vulnerable.
Only about 0.1% of credential pairs will work; that’s just one in every 1,000 credential stuffing attempts. Bots can carry out these attacks super fast, though. Even with a 0.1% success rate, that’s still thousands of compromised accounts per attack.
Real-World Examples of Credential Stuffing
Credential stuffing attacks have become so routine that there's actually a going rate for hacked accounts; a kind of twisted online marketplace, based around supply and demand.
The price tag on these stolen accounts depends on how much they're worth. So, credentials for financial accounts (banks, PayPal, Western Union, etc.) might sell for anywhere from $30 to $120. Plus, hackers are coming up with new ways to break into systems every day, and it seems like each attacker is more clever than the last.
Here are a few recent, real-world stories that illustrate just how big a problem this can be:
New York Attorney General
The office of the New York Attorney General uncovered one million exposed accounts in a 2022 credential stuffing probe, involving credentials for customer accounts at 17 well-known companies. Targeted sectors included online retailers, restaurant chains, and food delivery services.

Canada Revenue & GCKey
According to CBC Canada, the Canada Revenue Agency found out that, out of about 12 million GCKey accounts, 9,041 were hacked using credential stuffing. They had to shut down their online services for a bit to deal with it.
PayPal
A recent PayPal breach impacted 35,000 accounts. The company has thus far not identified any unauthorized transactions. However, it was reported that the attack may have been carried out to use those thousands of compromised accounts in other schemes.
US Banks
ZDNet shared info from an FBI warning that said hackers used stolen login info to make fake check withdrawals and electronic transfers from a US bank between January and August 2020. They managed to steal more than $3.5 million in this attack.

These are some high-profile cases, but small-scale attacks happen every day. Retail accounts are hot items, for instance. Someone might pay around $30 for access to a compromised Amazon account.
Social media accounts are in demand, too. They can be used for all sorts of shady activity, from fake promotion campaigns (called “astroturfing”) to tricking someone's contacts into downloading harmful software. Prices vary by platform: a Facebook account might go for $65, Instagram for $45, and Gmail for a solid $80.
“Red Flags” of Credential Stuffing
There are some clear warning signs for which everyone should be on the lookout here. Catching these hints early can really save a lot of trouble for businesses and their customers.
- Weird Login Attempts: Getting messages about someone trying to log in or reset passwords, despite not having actually done this.
- Repeated Account Locks: If an account keeps getting locked because of too many login attempts, it may be someone repeatedly testing multiple passwords.
- Strange Account Activity: Orders or credential changes that no authorized user made.
- Failed Logins: Getting a bunch of notices about login attempts from places or devices you don't recognize.
- New Device or Location Warnings: Alerts about new devices in unusual locations accessing the account.
- Unexpected Emails or Messages: Receiving emails or messages regarding activity that no authorized user recognizes.
- Lots of Login Attempts from One Place: Seeing many login tries, using different credentials, all from just one IP address.
- Customer Complaints: Customers reporting weird account activity or lockouts might mean a widespread attack on many accounts.
Spotting these signs early can help prevent bad actors from doing serious damage.
Businesses can use tools to watch for odd login patterns or set up challenges like CAPTCHAs to stop automated hacking attempts. Users can also make it tougher for hackers by using different passwords for different sites and turning on extra security steps, like getting a code on your phone whenever possible.
Responding to Credential Stuffing Attacks
A credential stuffing attack can be a devastating event for your business and your customers. If you suffer an attack, you’ll need to act rapidly and decisively to limit long-term damage. Specifically:
#1 | Investigate the Attack
Analyze transaction data — timestamps, login information, password changes, geolocation data, and more — to determine which accounts were compromised and where the attack originated from.
#2 | Communicate With Affected Users
Next, immediately notify the users whose accounts were compromised. Communicate objectively by noting when the attack occurred, what was taken, and how users should respond. For example, ask all users to change their passwords, and to monitor relevant accounts for suspicious activity.
#3 | Address Security Vulnerabilities
Now, it’s time to work with your payment processor and cybersecurity team to limit future damage. Identify security measures that could’ve prevented the attack, and work to put them in place. For instance, consider deploying velocity checks or multi-factor authentication (MFA) at login and checkout. Also consider investing in device fingerprinting or biometric tools.
How to Prevent Credential Stuffing
Credential stuffing is a persistent threat, especially for eCommerce merchants. According to Okta, 51.3% of credential stuffing or carding attacks involved online retailers in 2023.
Given the prevalence of this scam, how can you protect yourself as an online seller? Here are some tips:
Future Trends in Credential Stuffing Prevention
New fraud detection and authentication solutions can help you keep valuable customer information secure and out of reach of fraudsters. Some highlights include:
Have Additional Questions?
Remember: even when fraud attacks do occur, consumers have some protection in the form of credit card chargebacks. This means the bank can reverse suspect transactions and re-credit the customer's account.
That’s good news for cardholders… but not so much for merchants, who end up bearing the financial burden.
Thankfully, help is available. Chargebacks911® offers a comprehensive solution to help you protect your business and keep your chargeback ratio low. Don't let chargebacks undermine your success. Take action today to secure your operations and reputation.
FAQs
What is the difference between credential stuffing and password spraying?
Credential stuffing attacks use stolen account credentials (usernames and passwords) obtained from previous data breaches to attempt to log into other websites or services.
Password spraying, on the other hand, takes a different approach. Instead of using a list of known password combinations, attackers select a common password (such as "Password123" or "Spring2020") and attempt to log in to many different accounts with it. This method relies on the statistical likelihood that at least some users will have chosen weak or commonly used passwords.
What is the best solution to credential stuffing?
To prevent credential stuffing, implement multi-factor authentication (MFA) for all user accounts. This will add a critical second layer of security. Also, educate users on the importance of using unique passwords for each account to reduce the risk of successful attacks.
What is an example of credential stuffing?
Let’s say a hacker obtains a list of usernames and passwords from a data breach at one company, then uses automated software to try those credentials on a banking website, successfully accessing several user accounts. This unauthorized access allows the hacker to transfer funds and gather personal information from the compromised accounts.
How does credential stuffing impact a user?
Credential stuffing can lead to unauthorized access to users' accounts across multiple platforms, resulting in identity theft, financial loss, and personal data compromise. The user may also face the cumbersome process of securing compromised accounts and recovering stolen assets.
What is the difference between brute force and credential stuffing?
Credential stuffing is actually a specific type of brute force attack.
Brute force attacks attempt to gain access by systematically trying every possible password combination until the correct one is found, without relying on previously stolen data. Credential stuffing, specifically, involves using previously stolen username and password combinations to gain unauthorized access to user accounts across various services, exploiting the common practice of password reuse.
How do you detect credential stuffing?
eCommerce merchants can detect credential stuffing through a combination of fraud detection tools, including velocity checks, device fingerprinting tools, bot monitoring tools, and machine learning-based anomaly detection systems. When used in conjunction with each other, these systems can spot spikes in login attempts, suspicious login patterns, bot traffic, and unusual geolocation data, which are signs that a credential stuffing attack may be imminent.
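The velocity check described here, and the "many login tries, using different credentials, all from one IP address" red flag from the earlier list, can be turned into a concrete detection rule. This is an added example, not code from the original article or from Chargebacks911; the log format, thresholds and IP addresses are all constructed assumptions. It flags a source IP that, inside a five-minute window, makes many attempts against many distinct usernames with almost all of them failing, while leaving alone both a legitimate user who mistypes a password and a single-account brute force (many attempts, one username), which the FAQ below distinguishes from stuffing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): "<timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_EVENTS = (
    # Stuffing pattern: one IP, a fresh username every second, almost all failing.
    [f"2024-05-01T10:00:{i:02d}Z 203.0.113.7 user{i:02d} {'OK' if i == 7 else 'FAIL'}"
     for i in range(12)]
    # Single-account brute force: many attempts, but only one username.
    + [f"2024-05-01T10:01:{i:02d}Z 198.51.100.9 alice FAIL" for i in range(12)]
    # Legitimate user who mistypes twice and then succeeds.
    + ["2024-05-01T10:02:00Z 192.0.2.44 bob FAIL",
       "2024-05-01T10:02:30Z 192.0.2.44 bob FAIL",
       "2024-05-01T10:03:05Z 192.0.2.44 bob OK"]
)


def parse_event(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=10,
                    min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for IPs whose traffic in any sliding window looks like
    credential stuffing: high attempt velocity, many distinct usernames, low success rate.
    Thresholds are assumptions to be tuned against the merchant's own baseline."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_event(line)
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sorted(u for _, u, ok in win if ok)  # accounts the attacker got into
            rate = len(hits) / len(win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and rate <= max_success_rate
                    and len(win) > alerts.get(ip, {}).get("attempts", 0)):
                alerts[ip] = {"attempts": len(win), "distinct_users": len(users),
                              "success_rate": round(rate, 3), "compromised": hits}
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, stats)
```

The `compromised` list is the set of accounts to lock and notify first in the response steps above.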
What is the success rate of credential stuffing?
The success rate of a credential stuffing attack is roughly 0.1%. This means that a fraudster may succeed once for every 1,000 login attempts. While this may be draining to carry out manually, credential stuffing scammers can use scripts to automate their attacks, which means they can attempt hundreds of thousands or even millions of logins per second.