Credential stuffing

From Wikipedia, the free encyclopedia

Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses and the corresponding passwords (often obtained from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.[1] Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords; the attacker simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools such as Selenium, cURL and PhantomJS, or tools designed specifically for this type of attack, such as Sentry MBA.[2]

Credential stuffing attacks are made possible because many users reuse the same password across many sites: one survey reported that 81% of users have reused a password across 2 or more sites and that 25% of users use the same password across a majority of their accounts.[3]

Credential spills

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than 3 billion credentials were spilled through online data breaches in 2016 alone.[4]

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time.[5]

On 20 August 2018, Superdrug of the UK was targeted with an attempted blackmail: evidence was provided claiming to show that hackers had penetrated the site and downloaded 20,000 user records. The evidence was most likely obtained from earlier hacks and spillages and then used as the source for credential stuffing attacks to glean the information used to create the bogus evidence.[6][7]

References

  1. "Credential Stuffing". OWASP.
  2. "Credential Spill Report" (PDF). Shape Security. January 2017. p. 23. "The most popular credential stuffing tool, Sentry MBA, uses 'config' files for target websites that contain all the login sequence logic needed to automate login attempts."
  3. "Wake-Up Call on Users' Poor Password Habits" (PDF). SecureAuth. July 2017.
  4. Chickowski, Ericka (January 17, 2017). "Credential-Stuffing Attacks Take Enterprise Systems By Storm". DarkReading. Retrieved February 19, 2017.
  5. Townsend, Kevin (January 17, 2017). "Credential Stuffing: a Successful and Growing Attack Methodology". Security Week. Retrieved February 19, 2017.
  6. "Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug".
  7. "Superdrug Rebuffs Super Ransom After Supposed Super Heist - Finance Crypto Community". 23 August 2018.