Credential Stuffing: What is This Type of Brute-Force Attack & How Does it Affect You?

February 12, 2024 | 13 min read

In a Nutshell

In a credential stuffing attack, hackers use stolen usernames and passwords from one site to try to get into accounts on other sites. These stolen login details are dangerous to everyone involved in the payment process. Here's what you can do to lower the risk.

What Cardholders & Merchants Should Know to Prevent Credential Stuffing Attacks

Credential stuffing attacks are a leading cause of data breaches today, mainly because 64% of people tend to use the same password for multiple, if not all, of their accounts. 

The chance for hackers to succeed with credential stuffing is on the rise as more and more stolen credentials become available through data breaches. Right now, there are literally billions of these compromised login details floating around on the dark web.

However, it's entirely possible to stop credential stuffing attacks by putting the right cybersecurity strategies in place. Executives should be aware of what credential stuffing entails and what steps can be taken to lower the chances of their organizations falling prey to these attacks.

What is Credential Stuffing?

Credential Stuffing

[noun]/krə • dent • SHəl • stəf • iNG/

Credential stuffing is a brute force fraud tactic that involves using bots to automatically attempt to enter stolen username and password pairs into a web form. The term “credential stuffing” refers to the fact that bots can attempt hundreds of sets of login credentials per minute until they find a match.

Credential stuffing is a type of cyberattack. Hackers use stolen usernames and passwords from one source to gain unauthorized access to accounts at another site. These stolen credentials are often obtained from past data breaches or bought from hidden markets on the internet.

To illustrate, picture a thief with a massive ring of keys, who is trying to get through a locked door. The thief tries each key to see which one opens the door. Credential stuffing is basically the digital version of this.

How Does Credential Stuffing Work?

In this process, the hacker uses automated programs to rapidly test these stolen login details across numerous websites. This method works because many people reuse their passwords across multiple sites. If the hacker finds a match, they can enter accounts, steal sensitive information, or cause other harm.

So, how exactly do they do it? Well, here’s how credential stuffing happens, step by step:

Step #1 | Gathering Stolen Information

The first step for a hacker is to collect lots of usernames and passwords, usually from past security breaches. These stolen details can be bought in bulk on the dark web, in various chat forums or by other means.

Step #2 | Preparing the Attack

Once they have these credentials, hackers organize them, often selecting the most likely to succeed for their attempts. This can be done manually, or credentials can be sorted using an automated process.

Step #3 | Automating Login Attempts

Hackers then use specialized software to automatically enter the stolen usernames and passwords on a wide range of websites. This software can test thousands of logins across multiple sites in a matter of seconds.

Step #4 | Gaining Unauthorized Access

If (or inevitably when) the bot finds a login that works, the hacker can then get into that account. They might look for personal information, make unauthorized purchases, or use the account in other harmful ways.

Is Credential Stuffing Effective?

When you look at the numbers, credential stuffing might not seem like a very effective tactic. This is because a lot of the credentials attempted might be out of date or mismatched for the account in question. All totaled, only about 0.1% of credential pairs will work; that’s just one in every 1,000 login attempts. 

Here's the catch, though: bots can carry out these attacks super fast. One script can try millions of different username and password combos on multiple sites with little effort. Even with a 0.1% success rate, that’s still thousands of compromised accounts per attack.

So, even if it doesn't always work, credential stuffing is still a big problem because of how easy and cheap it is for hackers to keep trying until they get lucky. Plus, many people use the same password for multiple accounts. If a hacker can compromise one account, they have a solid lead on how to compromise additional accounts held by that user.

What Can Scammers Do With Compromised Accounts?

After breaking into an account, hackers might use it immediately for malicious purposes, or file away the information and save it to conduct fraud later. They can also sell the access they've gained to others in dark web markets.

Common examples include:

Selling Compromised Account Access

This often targets media streaming services like Disney+, Netflix, and Spotify, where hackers sell access to these accounts for a fraction of the official subscription price.

eCommerce Fraud

Impersonating legitimate users, hackers can place orders for high-value items on retail websites. Retailers are especially prone to this form of attack, making it a lucrative avenue for identity theft.

Corporate & Institutional Espionage

If a hacker hijacks an employee or admin account, they can access a wealth of sensitive information, including credit card and social security numbers, which can then be sold.

That's why it's really important for businesses to require both customers and employees to use strong, unique passwords for every account. They should also deploy extra security steps, like two-factor authentication, whenever possible. It makes it a lot harder for hackers to get in and protects everyone's information better.

Real-World Examples of Credential Stuffing

Credential stuffing attacks have become so routine that there's actually a going rate for hacked accounts; a kind of twisted online marketplace, based around supply and demand.

The price tag on these stolen accounts depends on how much they're worth. So, credentials for financial accounts (banks, PayPal, Western Union, etc.) might sell for anywhere from $30 to $120. Plus, hackers are coming up with new ways to break into systems every day, and it seems like each attacker is more clever than the last. 

Here are a few recent, real-world stories that illustrate just how big a problem this can be:

New York Attorney General

The office of the New York Attorney General uncovered one million exposed accounts in a 2022 credential stuffing probe, involving credentials for customer accounts at 17 well-known companies. Targeted sectors included online retailers, restaurant chains, and food delivery services.

Figure: A screenshot of an apparent post from dark web marketplace RaidForums, where a user was selling valid customer credentials.

Canada Revenue & GCKey

According to CBC Canada, the Canada Revenue Agency found out that, out of about 12 million GCKey accounts, 9,041 were hacked using credential stuffing. They had to shut down their online services for a bit to deal with it.


A recent PayPal breach impacted 35,000 accounts. The company has thus far not identified any unauthorized transactions. However, it was reported that the attack may have been carried out to use those thousands of compromised accounts in other schemes.

US Banks

ZDNet shared info from an FBI warning that said hackers used stolen login info to make fake check withdrawals and electronic transfers from a US bank between January and August 2020. They managed to steal more than $3.5 million in this attack.

These are some high-profile cases, but small-scale attacks happen every day. Retail accounts are hot items, for instance. Someone might pay around $30 for access to a compromised Amazon account.

Social media accounts are in demand, too. They can be used for all sorts of shady activity, from fake promotion campaigns (called “astroturfing”) to tricking someone's contacts into downloading harmful software. Prices vary by platform: a Facebook account might go for $65, Instagram for $45, and Gmail for a solid $80.

“Red Flags” of Credential Stuffing

There are some clear warning signs for which everyone should be on the lookout here. Catching these hints early can really save a lot of trouble for businesses and their customers.

  • Weird Login Attempts: Getting messages about someone trying to log in or reset passwords, despite not having actually done this.
  • Repeated Account Locks: If an account keeps getting locked because of too many login attempts, it may be someone repeatedly testing multiple passwords.
  • Strange Account Activity: Orders or credential changes that no authorized user made.
  • Failed Logins: Getting a bunch of notices about login attempts from places or devices you don't recognize.
  • New Device or Location Warnings: Alerts about new devices in unusual locations accessing the account.
  • Unexpected Emails or Messages: Receiving emails or messages regarding activity that no authorized user recognizes.
  • Lots of Login Attempts from One Place: Seeing many login tries, using different credentials, all from just one IP address.
  • Customer Complaints: Customers reporting weird account activity or lockouts might mean a widespread attack on many accounts.

Spotting these signs early can help prevent bad actors from doing serious damage.

Businesses can use tools to watch for odd login patterns or set up challenges like CAPTCHAs to stop automated hacking attempts. Users can also make it tougher for hackers by using different passwords for different sites and turning on extra security steps, like getting a code on your phone whenever possible.

How to Prevent Credential Stuffing

No one wants to feel at risk online, regardless of whether you’re a cardholder looking to keep your personal information safe or a business trying to prevent cyberattacks. This is why merchants and their customers should work together to address the vulnerabilities that lead to credential stuffing.

Here's how both card users and businesses can beef up their defenses and make it tougher for these cyber intruders:

Credential Stuffing Prevention Tips For Card Users 

  • Create Unique Passwords for Every Account: You wouldn't use the same key for your house, car, and office. So, don't use the same password for multiple accounts. If a hacker gets one password, they'll try it on all your accounts. Mixing it up keeps you safer.
  • Use a Password Manager: Remembering a different password for each site can be a headache. That's where password managers come in. They're like secure digital vaults that create and remember strong, unique passwords, so you only need to remember one master password.
  • Enable Multi-Factor Authentication (MFA): Adding an extra step to your login process might sound annoying, but it's a strong protection. Even if a hacker has your password, they won't have the special code that's sent to your phone or email, making it much harder for them to get into your accounts.
  • Be Smart About Emails: Hackers are tricky. They can make fake emails look real, tricking you into giving away your passwords. Always double-check before clicking on links or sharing personal info. If an email asks you to log in or confirm your details, go directly to the website instead of clicking on the link.
  • Regularly Check Your Accounts: Keep an eye on your account activity. If you see anything weird, like orders you didn't make or messages you didn't send, it could mean a hacker got in. Catching and reporting these early can help stop the hacker in their tracks.

Credential Stuffing Prevention Tips For Businesses

  • Enforce Strong Password Policies: Encourage your customers to use strong passwords by requiring a mix of letters, numbers, and special characters. You can also require them to change passwords regularly.
  • Educate Your Customers: Share tips and best practices for creating strong passwords and the dangers of reusing passwords. You could do this through emails, pop-up tips on your website, and social media posts.
  • Adopt Advanced Security Measures: Consider using biometrics or behavioral analytics (looking at how a user typically behaves). These can add another layer of security that's hard for hackers to fake.
  • Monitor for Suspicious Activity: Use security software to keep an eye out for suspicious activity, like a ton of login attempts in a short time coming from the same place, or users trying lots of different usernames and passwords.
  • Challenge Suspicious Logins: Implement CAPTCHA challenges for login attempts that seem automated. It's a simple way to weed out bots since they usually can't solve CAPTCHAs like a human can.
  • Limit Login Attempts: By locking an account or slowing down login attempts after a few failures, you make it way harder for automated tools to guess passwords by trial and error.
  • Block Sketchy Traffic: If you notice a lot of malicious attempts coming from certain places, you can block those IP addresses. It's not a perfect solution since IPs can be masked or changed, but it can cut down on a lot of unwanted traffic.
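
The "many login tries, using different credentials, all from just one IP address" red flag and the monitor, challenge and limit tips above can be expressed as a single check over login events. The following is an added example, not code from the original article or from Chargebacks911; the log line format, the thresholds and the names `StuffingDetector` and `replay` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own baseline traffic.
WINDOW = timedelta(minutes=5)
CHALLENGE_AT = 3   # distinct usernames failed from one IP -> show a CAPTCHA
BLOCK_AT = 6       # distinct usernames failed from one IP -> temporary block
SEVERITY = {"allow": 0, "challenge": 1, "block": 2}

class StuffingDetector:
    """Sliding-window count of distinct usernames that failed per source IP."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> deque of (time, username)

    def observe(self, ts, ip, username, success):
        """Record one login event; return 'allow', 'challenge' or 'block'."""
        window = self._failures[ip]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # expire failures older than the window
        if not success:
            window.append((ts, username))
        # Count distinct usernames, not raw failures: one user mistyping a
        # password five times is one username; a credential list is many.
        distinct = len({user for _, user in window})
        if distinct >= BLOCK_AT:
            return "block"
        return "challenge" if distinct >= CHALLENGE_AT else "allow"

def replay(log_text):
    """Run 'time ip username OK|FAIL' lines; return {ip: worst action seen}."""
    detector, worst = StuffingDetector(), {}
    for line in log_text.strip().splitlines():
        stamp, ip, username, result = line.split()
        action = detector.observe(datetime.fromisoformat(stamp), ip,
                                  username, result == "OK")
        if SEVERITY[action] >= SEVERITY[worst.get(ip, "allow")]:
            worst[ip] = action
    return worst

# Constructed sample: 203.0.113.7 walks a username list two seconds apart;
# 198.51.100.20 is one user fumbling a password, then logging in.
SAMPLE_LOG = "\n".join(
    [f"2024-02-12T10:00:{2 * i:02d} 203.0.113.7 user{i} FAIL" for i in range(7)]
    + [f"2024-02-12T10:01:{10 * i:02d} 198.51.100.20 dana FAIL" for i in range(4)]
    + ["2024-02-12T10:01:50 198.51.100.20 dana OK"]
)
print(replay(SAMPLE_LOG))
```

A per-account lockout alone sees only one failure per account in this sample, which is why the counter is keyed on the source instead. Since IPs can be masked or changed, the same counting can be keyed on other signals a site records, such as a device or session fingerprint.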

Remember: even when fraud attacks do occur, consumers have some protection in the form of credit card chargebacks. This means the bank can reverse suspect transactions and re-credit the customer's account. 

That’s good news for cardholders… but not so much for merchants, who end up bearing the financial burden.

Thankfully, help is available. Chargebacks911® offers a comprehensive solution to help you protect your business and keep your chargeback ratio low. Don't let chargebacks undermine your success. Take action today to secure your operations and reputation.


What is the difference between credential stuffing and password spraying?

Credential stuffing attacks use stolen account credentials (usernames and passwords) obtained from previous data breaches to attempt to log into other websites or services.

Password spraying, on the other hand, takes a different approach. Instead of using a list of known password combinations, attackers select a common password (such as "Password123" or "Spring2020") and attempt to log in to many different accounts with it. This method relies on the statistical likelihood that at least some users will have chosen weak or commonly used passwords.

What is the best solution to credential stuffing?

To prevent credential stuffing, implement multi-factor authentication (MFA) for all user accounts. This will add a critical second layer of security. Also, educate users on the importance of using unique passwords for each account to reduce the risk of successful attacks.

What is an example of credential stuffing?

Let’s say a hacker obtains a list of usernames and passwords from a data breach at one company, then uses automated software to try those credentials on a banking website, successfully accessing several user accounts. This unauthorized access allows the hacker to transfer funds and gather personal information from the compromised accounts.

How does credential stuffing impact a user?

Credential stuffing can lead to unauthorized access to users' accounts across multiple platforms, resulting in identity theft, financial loss, and personal data compromise. The user may also face the cumbersome process of securing compromised accounts and recovering stolen assets.

What is the difference between brute force and credential stuffing?

Credential stuffing is actually a specific type of brute force attack.

Brute force attacks attempt to gain access by systematically trying every possible password combination until the correct one is found, without relying on previously stolen data. Credential stuffing, specifically, involves using previously stolen username and password combinations to gain unauthorized access to user accounts across various services, exploiting the common practice of password reuse.
