What Are Credential Stuffing Attacks?

Using CloudConnexa to Mitigate Credential Stuffing and Other Brute Force Attacks

Credential stuffing attacks are growing in popularity — with hackers, anyway; not the businesses targeted. In late December, Help Net Security reported there were more than two billion credential stuffing attacks in the previous 12 months, a 98 percent year-over-year increase. The infosec site predicted attacks would peak during the holiday shopping season with as many as eight million attacks daily while consumers took advantage of e-commerce deals.

Then, just in time for the holidays, password manager LastPass faced a potential breach — similar to the one it experienced in August 2019 — when users received unauthorized login attempt notifications. Fortunately, in a statement to The Verge, LastPass said, “We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing…” 

When it comes to protecting your business against data breaches, knowledge is power. This article will look at what credential stuffing attacks are, why they’re so popular with criminals, and how you can use OpenVPN Cloud to block unauthorized access to your company’s network. 

What is Credential Stuffing?

The Open Web Application Security Project (OWASP) defines credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts.” This tactic is considered a type of brute force attack that specifically uses known username and password combinations on multiple websites. Users often reuse login credentials across personal and business accounts, so if bad actors get one set, possibly through phishing, it can be used to access other sites.

How Credential Stuffing Works

That’s what credential stuffing is, but how does it work? In general it plays out in two phases. In the first phase the attacker:

  1. Gets usernames and passwords from a website breach, phishing attack, password dump site, or the dark web.
  2. Uses automation tools to test stolen credentials against a large number of websites.
  3. Successfully logs in to a site, confirming the stolen credentials are valid. 

With the successful login complete, and the stolen, valid set of credentials in hand, the attacker can proceed to: 

  1. Empty funds from an account — or make purchases against a line of credit. 
  2. Access sensitive data (e.g., intellectual property, credit card numbers, private messages).
  3. Take over user accounts to send phishing messages or spam.
  4. Sell the valid credentials to other cybercriminals for use in other cyberattacks.

The Numbers: Credential Stuffing Statistics

The popularity and impact of these attacks are supported by the numbers. The 2021 Verizon Data Breach Investigations Report reports that 61% of breaches involved credentials. Personal data, a distant second, was used in 40% of breaches.

Why do so many attacks involve user credentials? Because they’re easy to execute, the success rate is high, and it takes a while for victims to realize they’ve been breached. According to the 2021 Credential Stuffing Report, “Organizations remain weak at detecting and discovering intrusions and data exfiltration. Median time to discovering a credential spill between 2018 and 2020 was 120 days; the average time to discovery was 327 days. Often spills are discovered on the dark web before organizations detect or disclose a breach.”

As Arkose Labs CEO Kevin Gosschalk points out, the ROI is another factor: “It’s become an enormous concern to online businesses and is fast overtaking other well known attack tactics, such as ransomware, as THE cyber attack to watch out for … online criminals can generate profits with just one successful compromised account.” That one successful account takeover may be an employee’s personal account, but password reuse is common, so work accounts can be at risk, too. Many employees sign up for third-party accounts/services with their work emails. If these companies are subsequently breached and the email/password combos end up on the dark web, attackers could also use them to probe for access to corporate accounts.

How to Detect Credential Stuffing 

Lucian Constantin, Senior Writer at CSO, explains that, “Credential stuffing attacks are launched through botnets and automated tools that support the use of proxies that distribute the rogue requests across different IP addresses. Furthermore, attackers often configure their tools to mimic legitimate user agents — the headers that identify the browsers and operating systems web requests are made from.” This is why phishing and stolen credentials are so intertwined. It’s also why it’s so difficult to distinguish legitimate login attempts by legitimate users from fraudulent login requests. 

Your best bet for identifying a credential stuffing attack, according to Constantin, is “an increase in the login failure rate over a short period of time.” Ideally you can avoid an attack rather than finding out one is underway. But what proactive steps can network administrators take to protect users and assets?
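
The failure-rate signal described above can be computed from authentication logs. The following is an added example, not code from the original article or from any product it mentions: it buckets login events into five-minute windows and flags a window whose failure rate jumps well above the median of earlier windows. The log format, the thresholds, and all sample lines are assumptions constructed for illustration. It also reports the highest failure count from any single IP address, which stays low when requests are spread across proxies and shows why per-IP lockouts alone miss this pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=5)

def build_sample_log():
    """Constructed lines 'ISO-time user ip result'; not real data."""
    start, lines = datetime(2024, 1, 1, 9, 0), []
    for w in range(5):  # normal traffic: 20 logins per window, 2 failures
        for i in range(20):
            ts = start + w * WINDOW + timedelta(seconds=10 * i)
            lines.append(f"{ts.isoformat()} user{i} 10.0.0.{i} {'FAIL' if i < 2 else 'OK'}")
    for i in range(200):  # fifth window: 200 extra failures, one per IP and username
        ts = start + 4 * WINDOW + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} leaked{i} 203.0.113.{i} FAIL")
    return lines

def failure_windows(lines):
    """Bucket lines into fixed windows; return per-window totals, oldest first."""
    buckets = defaultdict(lambda: {"total": 0, "fail": 0, "per_ip": defaultdict(int)})
    for line in lines:
        ts, _user, ip, result = line.split()
        t = datetime.fromisoformat(ts)
        start = datetime.min + ((t - datetime.min) // WINDOW) * WINDOW
        b = buckets[start]
        b["total"] += 1
        if result == "FAIL":
            b["fail"] += 1
            b["per_ip"][ip] += 1
    return [{"start": s, "total": b["total"], "fail": b["fail"],
             "fail_rate": b["fail"] / b["total"],
             "max_fail_per_ip": max(b["per_ip"].values(), default=0)}
            for s, b in sorted(buckets.items())]

def detect_spikes(windows, factor=3.0, min_attempts=20):
    """Flag windows whose failure rate exceeds factor x the median of earlier windows."""
    alerts = []
    for i, w in enumerate(windows):
        history = [p["fail_rate"] for p in windows[:i]]
        if history and w["total"] >= min_attempts:
            if w["fail_rate"] > factor * max(median(history), 0.01):
                alerts.append(w)
    return alerts

if __name__ == "__main__":
    for a in detect_spikes(failure_windows(build_sample_log())):
        print(f"{a['start']} failure rate {a['fail_rate']:.0%} "
              f"({a['fail']}/{a['total']}), max failures from one IP: {a['max_fail_per_ip']}")
```
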

How to Prevent Credential Stuffing

Strong passwords — and unique passwords for various online accounts — are a basic building block of cybersecurity and help reduce vulnerabilities in general. Reminding employees of this, and the need to update passwords regularly, is critical.

Beyond password hygiene, the OWASP Credential Stuffing Prevention Cheat Sheet lists multi-factor authentication (MFA) as the best cybersecurity tool for preventing credential stuffing attacks. In fact, a Microsoft analysis suggests MFA could have stopped 99.9% of compromises. 

By default, capability for certificate-based authentication, credential-based authentication, and time-limited token-based authentication is built into CloudConnexa. Step-by-step CloudConnexa MFA setup instructions are available here.

Good to Know: What’s the difference between MFA and 2FA (two-factor authentication)? MFA requires two or more factors of authentication. 2FA, on the other hand, requires exactly two factors of authentication.

Cyber Shield, a built-in feature of CloudConnexa, provides additional protection against credential theft with: 

Built-in IDS/IPS: Activate and automate Traffic Filtering for reliable protection against malware and ransomware, denial of service, phishing, known threats, and vulnerabilities/exploits that may be overlooked by other security layers or solutions.

Customizable, Pre-emptive DNS Filtering: DNS Content Filtering protects users from malicious or undesirable content, even when traffic isn’t carried by the VPN. Admins can also filter domains using a customizable Allowed List and Blocked List and Content Category DNS Blocking to block site domain name resolutions that fall into preset content categories.

DNS Filter and Traffic Reporting and Dashboards: Traffic Reporting offers detailed statistics on traffic threats (malware, intrusion, DoS) as well as the device of origin. Gain insights from detailed DNS Filter Reporting (exportable to CSV) on observed and blocked domain name queries from users.


Personal accounts are the primary target of credential stuffing attacks, but the ripple effect has the potential to impact business accounts, too. Humans make mistakes, and cybercriminals are always ready to take advantage of those mistakes. That’s why it’s important to continually educate employees about cybersecurity best practices, and to have a layered security approach. If you’re ready to reinforce your organization’s security posture, get started with three free CloudConnexa connections today. 
