What Is Credential Stuffing? How Can Companies Protect Themselves?

Credential stuffing attacks are on the rise. The following protection measures have already proven effective and offer reliable safeguards.

Feb 7, 2022 - 3 min.
Picture of: Sebastian Ulbert
Sebastian Ulbert

The mention of the word “stuffing” on its own usually causes joyful anticipation, particularly when referring to a culinary filling and in association with other delicacies. “Stuffing”, however, has a rather less savoury connotation when used in conjunction with “credentials”. The phrase “credential stuffing” describes a scam tactic that is extremely popular among cybercriminals. In 2021 alone, credential stuffing accounted for five per cent of the data traffic in the network at Arkose Labs, which uses AI to detect fraud attempts. But what exactly is behind this widespread method of attack? And how can companies use modern customer identity and access management solutions to avert these kinds of attacks? 

Credential stuffing involves automatically trying out combinations of usernames and passwords with various online services. This type of cyber-attack has exploded in popularity since 2019 in the wake of major data leaks and thefts from providers such as Equifax, LinkedIn or Marriott that netted countless data records for criminals. It is compounded by the fact that 44 per cent of German consumers use their passwords not just for one account but for multiple accounts, as the Nevis Security Barometer reveals. This means that a single leaked password can become a master key to other accounts with other providers. 

It, therefore, comes as no surprise that credential stuffing is so popular among cybercriminals. In the first six months of 2021 alone, the Arkose Labs network uncovered 285 million credential-stuffing attacks. This means that credential stuffing accounted for 29 per cent of all attacks – and that as many as one in every 20 logins may be an attempted attack.

What makes credential stuffing so popular – and so dangerous? 

Ease of use and a high success rate are what make credential stuffing such an attractive method of attack for criminals. They can convert just one compromised account into hard cash. Experts put the success rate at between 0.5 and 3 per cent. Credential stuffing attacks negatively influence the customer experience of online services or shops not only in terms of security. Since they occur suddenly and on a large scale, they also overload the servers of website operators. 

After mounting a successful credential-stuffing attack, cybercriminals can take control of things such as peoples’ bank accounts and transfer money to compromised accounts or even launder illicit funds. What’s more, lists of verified user credentials can be sold for profit. 

For companies, the damage inflicted goes beyond the immediate revenue losses. They can also be exposed to financial losses due to higher operating costs, reputational damage and even penalties and fines for breaches of statutory data protection regulations. 

Protection measure number 1: a biometric identification

Looking at the reasons mentioned above, we can expect credential stuffing to remain a popular method among criminals seeking to capitalise on their attacks in the future. Despite this, there are a number of effective countermeasures that providers of online services can take when requiring their customers to create logins and store their credentials. 

One way to thwart credential stuffing is by using biometric features during user authentication. Along with improved security, this offers an added benefit. Unlike conventional methods, users do not need to remember and enter complicated sequences of characters, which can be especially awkward and inconvenient on mobile devices. After all, there is a reason why people often use a simple password, sometimes across multiple accounts.

Biometric identification consigns passwords to history and eliminates them as a risk factor. They have been replaced by biometric processes such as iris scanning, facial recognition and fingerprint scans. These are all features that are unique to each individual and are virtually tamper-proof. An added practical benefit for users is that they always have their identification factor with them and that verification on modern mobile devices takes only a few seconds. Modern customer identity and access management solutions for handling customer profiles and identity data should always offer the possibility of biometric identification.

Protection measure number 2: multi-factor authentication

Combining biometric procedures with additional factors for verifying identity as part of multi-factor authentication (MFA) solution further enhances the level of security. Multi-factor authentication requires two – which is referred to as two-factor authentication (2FA) – or more factors to verify a user’s identity. These factors can be based on something the user knows (such as a password), the user’s biometric features (such as an iris or fingerprint scan) or something in the user’s possession (such as a specific smartphone). 

Cybercriminals who are trying to use stolen credentials generally only have one factor: the password. This makes multi-factor authentication an effective method of stopping them in their tracks. Passwordless methods based on the FIDO standard and biometric features offer enhanced protection. A CIAM solution combines all of these possibilities. 

Investments in this type of CIAM system definitely make sense because they amount to a fraction of the costs that a successful credential-stuffing attack would entail.


What is CIAM?