OWASP Automated Threats

Mass login attempts used to verify the validity of stolen username/password pairs.

What is Credential Stuffing?

Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps.

Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any brute forcing or guessing of values; instead, credentials used in other applications are being tested for validity.

Credential stuffing is also known by terms such as account checker attack, account checking, account takeover, account takeover attack, login stuffing, password list attack, password re-use, stolen credentials, use of stolen credentials.


The symptoms of Credential Stuffing

  1. Sequential login attempts with different credentials from the same HTTP client (identified by IP address, User-Agent, device, fingerprint, patterns in HTTP headers, etc.), typically one attempt per username rather than many attempts against one username
  2. A high number of failed login attempts, well above the application's normal baseline
  3. Increased customer complaints of account hijacking through the help center or social media outlets
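The first two symptoms can be turned into detection logic. The following is an added example, not code from the original page or from InfiSecure: it groups authentication events by client (IP plus User-Agent here), looks for sliding windows with many distinct usernames and a low success ratio, and lists the accounts that logged in successfully from a flagged client, since those are the re-used credentials the attacker has just validated. The JSON-lines log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example; not code from the original page or from InfiSecure. The
log format (one JSON object per line with ts, ip, ua, user, result) and
all thresholds below are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). A normal user mistypes a
# password once; one client cycles through many different usernames fast.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00", "ip": "203.0.113.5", "ua": "Mozilla/5.0", "user": "alice@example.com", "result": "fail"}
{"ts": "2024-05-01T10:00:07", "ip": "203.0.113.5", "ua": "Mozilla/5.0", "user": "alice@example.com", "result": "success"}
{"ts": "2024-05-01T10:01:00", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "bob@example.com", "result": "fail"}
{"ts": "2024-05-01T10:01:01", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "carol@example.com", "result": "fail"}
{"ts": "2024-05-01T10:01:02", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "dave@example.com", "result": "fail"}
{"ts": "2024-05-01T10:01:03", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "erin@example.com", "result": "success"}
{"ts": "2024-05-01T10:01:04", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "frank@example.com", "result": "fail"}
{"ts": "2024-05-01T10:01:05", "ip": "198.51.100.9", "ua": "python-requests/2.31", "user": "grace@example.com", "result": "fail"}
"""

WINDOW = timedelta(minutes=5)   # assumption: sliding window length
MIN_ATTEMPTS = 5                # assumption: attempts before a client is judged
MIN_DISTINCT_USERS = 5          # assumption: distinct usernames per client per window
MAX_SUCCESS_RATIO = 0.2         # stuffing: most tested pairs are invalid


def parse_log(text):
    """Parse one JSON object per line into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def client_key(ev):
    """Identify the HTTP client. Here IP + User-Agent; add device or TLS
    fingerprints and header-order signatures where the platform has them."""
    return (ev["ip"], ev["ua"])


def detect_stuffing(events, window=WINDOW):
    """Return {client_key: stats} for clients that, within any `window`,
    tried many distinct usernames with a low success ratio. A raw failure
    count alone is not used: a single locked-out user also fails repeatedly,
    but against one username, not many."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[client_key(ev)].append(ev)

    flagged = {}
    for key, evs in by_client.items():   # evs are already time-sorted
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(1 for e in win if e["result"] == "success")
            if (len(win) >= MIN_ATTEMPTS
                    and len(users) >= MIN_DISTINCT_USERS
                    and successes / len(win) <= MAX_SUCCESS_RATIO):
                # Keep the latest (largest) qualifying window for this client.
                flagged[key] = {"attempts": len(win),
                                "distinct_users": len(users),
                                "successes": successes}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged client: the
    re-used credentials the attacker has validated. They need a forced
    password reset or step-up verification, not just a block on the bot."""
    return {ev["user"] for ev in events
            if client_key(ev) in flagged and ev["result"] == "success"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for key, stats in hits.items():
        print("credential stuffing from", key, stats)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

Note that the successful logins inside the flagged window are the important output: blocking the client stops the run, but the validated pairs are already in the attacker's hands and will be replayed from elsewhere.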


Sectors targeted by Credential Stuffing

  • Entertainment
  • Financial
  • Government
  • Retail
  • Social Networking


Can InfiSecure prevent Credential Stuffing?

InfiSecure blocks credential stuffing attempts in real time, including attempts by the most advanced bots. It uses bot-fingerprinting technology to identify and restrict automated usage: the User Agent is fingerprinted on its unique characteristics, and the number of authentication attempts (successful or failed) is rate-limited per session, user, IP address, device and fingerprint.
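Rate-limiting authentication attempts on several keys at once, counting successes as well as failures, is the enforcement side of the above. The following is an added example, not InfiSecure's code or the page's: a sliding-window limiter keyed per IP, per username and per client fingerprint, with three constructed traffic patterns showing which key stops which attack. The limits and the fingerprint strings are assumptions.

```python
"""Multi-key rate limiting of authentication attempts.

Added example; not code from InfiSecure or the original page. Limits,
fingerprint values and the traffic scenarios are assumptions.
"""
from collections import defaultdict, deque

# Assumed limits: (max attempts, window in seconds) for each key dimension.
LIMITS = {
    "ip": (20, 60),           # one source address
    "user": (5, 300),         # one target account, from any source
    "fingerprint": (10, 60),  # one client fingerprint, from any address
}


class AuthRateLimiter:
    """Sliding-window counter per (dimension, value). Every attempt counts,
    whether the password turns out right or wrong: a stuffing run with a
    1% hit rate still yields a steady trickle of *successful* logins."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.hits = defaultdict(deque)   # (dim, value) -> attempt timestamps

    def _recent(self, dim, value, now):
        window = self.limits[dim][1]
        q = self.hits[(dim, value)]
        while q and now - q[0] >= window:   # drop attempts outside the window
            q.popleft()
        return len(q)

    def check(self, now, ip, user, fingerprint):
        """Return (allowed, blocked_dimension). Call this before the password
        is verified so blocked attempts never reach the credential store."""
        keys = {"ip": ip, "user": user, "fingerprint": fingerprint}
        for dim, value in keys.items():
            if self._recent(dim, value, now) >= self.limits[dim][0]:
                return False, dim
        for dim, value in keys.items():
            self.hits[(dim, value)].append(now)
        return True, None


def _drive(rl, attempts):
    """Feed (now, ip, user, fingerprint) tuples; return (allowed, first_blocking_dim)."""
    allowed, blocked_by = 0, None
    for now, ip, user, fp in attempts:
        ok, dim = rl.check(now, ip, user, fp)
        if ok:
            allowed += 1
        elif blocked_by is None:
            blocked_by = dim
    return allowed, blocked_by


def run_scenarios():
    """Three constructed traffic patterns (not real data)."""
    out = {}
    # 1. Classic stuffing: one IP, one bot fingerprint, 30 different usernames,
    #    one attempt per second. The fingerprint limit trips before the IP limit.
    out["single_source"] = _drive(AuthRateLimiter(), [
        (i, "198.51.100.9", f"user{i}@example.com", "bot-fp-1") for i in range(30)])
    # 2. Distributed stuffing against one account: 8 proxies, 8 fingerprints.
    #    Only the per-user key catches this.
    out["one_account"] = _drive(AuthRateLimiter(), [
        (i, f"203.0.113.{i}", "victim@example.com", f"fp-{i}") for i in range(8)])
    # 3. Legitimate user: three tries in a minute, never blocked.
    out["legit"] = _drive(AuthRateLimiter(), [
        (t, "203.0.113.50", "alice@example.com", "browser-fp") for t in (0, 20, 40)])
    return out


if __name__ == "__main__":
    for name, (allowed, dim) in run_scenarios().items():
        print(f"{name}: {allowed} attempts allowed, first block on {dim}")
```

Two caveats a deployment needs: a per-IP key alone is defeated by proxy pools, which is why the per-user and per-fingerprint keys are there, and a hard per-user lockout hands an attacker a denial-of-service lever against any account they can name, so the blocked path should normally lead to a step-up challenge rather than a locked account.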