How To Combat Credential Stuffing and ATO in iGaming

Explore the escalating threat of credential stuffing scams in the US iGaming industry and the measures taken to counter this cybercrime menace.

Nov 6, 2023 - 3 min.

The online gambling industry in the United States has experienced significant growth in recent years as more and more players use digital platforms to try their luck. However, this surge in popularity has not only attracted legitimate players, but also a growing number of cybercriminals. One widespread threat that has hit US online gambling sites hard is credential stuffing scams. In this blog, you will learn what credential stuffing is, why online gambling sites are particularly at risk, and what steps are being taken to combat this growing problem.

Understanding Credential Stuffing Fraud

Credential stuffing is a cybercrime technique in which cybercriminals use stolen usernames and passwords, often obtained from data breaches on other websites, to gain unauthorised access to various online accounts and to commit an account takeover. It is a widespread problem that affects various industries, but online gambling sites are particularly attractive targets because of the potential for financial gain. This is because, as has been proven in the past, over 70% of users reuse their passwords on multiple online platforms, allowing cybercriminals to access their accounts with minimal effort.

Impact of Credential Stuffing and Account Takeover in iGaming

iGaming, or online gambling, is a thriving industry, but it is not immune to the dangers of credential stuffing and account takeover (ATO). These two threats have market-wide consequences for the iGaming industry, from patrons all the way up to state regulators: 

  • Financial losses: A major concern with credential stuffing and ATO is the financial damage suffered by iGaming companies. Cybercriminals can withdraw money from patrons' accounts, place illegal bets or conduct monetary transactions that compromise the integrity of the game.
  • Loss of trust and reputational damage: In a hypercompetitive industry with rising customer acquisition costs - user experience and reputation are critical to maximizing lifetime value. When players discover that their accounts have been compromised or that money has been stolen, it's no wonder they lose trust. 
  • Player churn: The average player has 4 iGaming apps installed on their mobile device, and the most frictionless user experience wins every time. Customer churn can mean significant revenue losses for the affected company.
  • Regulatory issues: The iGaming industry is highly regulated, and security breaches can cause legal and regulatory problems. Companies could face fines or penalties if they fail to respond appropriately to security threats.
  • Player notification and redress: Following a security incident, iGaming companies often need to notify the affected players and provide redress if necessary. This can also involve financial and administrative burdens.

Why online gambling sites are vulnerable

  • Financial incentive: The main reason online gambling sites become the target of credential-stuffing attacks is the prospect of financial gain. Attackers use stolen credentials to gain access to user accounts and conduct fraudulent activities, such as placing unauthorized bets, withdrawing money or selling accounts.
  • High user traffic: Online gambling platforms often have a high volume of users, especially at peak times or during special events such as major sporting events or holidays. This high volume of users provides cybercriminals with numerous attack targets and makes it easier for them to blend in with legitimate users and carry out their attacks.
  • Lack of multi-factor authentication (MFA): While some online gambling sites have implemented robust security measures, many still rely solely on usernames, passwords and OTPs (one-time passwords) for account access. The lack of MFA makes it easier for attackers to gain unauthorised access with stolen credentials.
  • Monetisable assets: User accounts on gambling sites often contain valuable assets, such as funds in the form of deposits and winnings. Cybercriminals can exploit these assets for financial gain.

Combating credential stuffing in the online gambling industry

Online gambling sites do not remain idle regarding credential stuffing attacks. They are actively taking steps to protect their users and platforms from these threats:

  • Multi-Factor Authentication (MFA): Introducing MFA is an important step in improving security. MFA adds an extra layer of protection by requiring users to provide a second authentication factor besides their passwords, such as a unique code sent to their mobile devices.
  • Monitoring and anomaly detection: Gaming sites invest in sophisticated monitoring systems that detect unusual user behaviour and identify potential attempts to enter credentials. Suspicious activity can trigger alerts for further investigation.
  • Single Sign-On (SSO): This method allows users to log in to multiple related gaming platforms with a single set of credentials without having to log in multiple times. This makes it easier to use but requires strict security controls to rule out the likelihood of attackers successfully using stolen credentials.
  • Biometric authentication: This includes technologies such as fingerprint recognition, facial recognition and iris scans. Biometrics are unique and difficult to forge, making them a secure authentication option.
  • Adaptive authentication: This method analyses user behaviour and other factors to adjust the level of security. If suspicious behaviour is detected, an additional level of authentication can be activated.
  • Token-based authentication: Virtual tokens are used to confirm the user's identity. This can take the form of mobile phone-based tokens.


Credential stuffing is a growing problem in the online gambling industry. The lure of financial gain and the frequent reuse of passwords make online gambling sites a prime target for cybercriminals. However, the industry is not standing idly by and is taking proactive measures to combat this threat. By introducing multi-factor authentication, monitoring anomalies and educating users, online gambling sites are working to protect their platforms and their users' financial assets. As the industry continues to evolve, it is important to remain vigilant and adapt to the ever-changing cybersecurity landscape.


Download now