What Is Credential Stuffing?

In a credential stuffing attack, cybercriminals take advantage of weak and reused passwords. Automated bots will take a list of username/password pairs that have been exposed in data breaches and try them on other online accounts. If the user has the same credentials on multiple sites, this provides the attacker with unauthorized access to a legitimate user account.

Request a Demo

What Is Credential Stuffing?

Anatomy of Attack - How it Works

Credential stuffing attacks use large lists of username/password pairs that have been exposed. In some data breaches, improper credential storage results in the entire password database being leaked. In others, cybercriminals crack some users’ passwords via password guessing attacks. Credential stuffers can also gain access to usernames and passwords through phishing and similar attacks.

These lists of usernames and passwords are fed to a botnet, which uses them to try to log onto certain target sites. For example, the credentials breached by a travel website may be checked against a large banking institution. If any users reused the same credentials across both sites, then the attackers may be able to successfully log into their accounts.

After identifying valid username/password pairs, the cybercriminals may use them for a variety of different purposes, depending on the account in question. Some credentials may provide access to corporate environments and systems, while others may allow attackers to make purchases using the account owner’s bank account. A credential stuffing group may take advantage of this access themselves or sell it on to another party.

Credential Stuffing vs. Brute Force Attacks

Brute force password attacks are a general term that covers a few different specific attack techniques. In general, a brute force attack means that the attacker is just trying different combinations for a password until something works.

The term brute force attack is most commonly used to refer to an attack where the attacker is trying every possible option for a password. For example, a brute force attack on an eight character password may try aaaaaaaa, aaaaaaab, aaaaaaac, etc. While this approach is guaranteed to find the correct password eventually, it is slow to the point of being infeasible for a strong password.


Credential stuffing takes a different approach to guessing a user’s password. Instead of looking at all possible password combinations, it focuses on those that are known to have been used by a person because they were exposed in a breach. This approach to password guessing is much faster than a brute force search but it assumes that passwords will be reused across multiple sites. However, since most people reuse the same password for multiple sites, this is a safe assumption to make.

How to Prevent Credential Stuffing

Credential stuffing presents a serious risk to both personal and corporate security. A successful credential stuffing attack gives the attacker access to the user’s account, which may contain sensitive information or the ability to perform financial transactions or other privileged actions on the user’s behalf. However, despite the well-publicized threat of password reuse, most people are not changing their password behaviors.


Credential stuffing can also put the enterprise at risk if passwords are reused across personal and business accounts. Companies can take a few different steps to mitigate the risk of credential stuffing attacks, including:

  • Multi-Factor Authentication (MFA): Credential stuffing attacks rely on the attacker’s ability to log into an account with just a username and password. Implementing MFA or 2FA makes these attacks more difficult because the attacker also needs a one-time code to log in successfully.
  • CAPTCHA: Credential stuffing attacks are typically automated. Implementing CAPTCHA on login pages can block some of this automated traffic from reaching the site and testing potential passwords.
  • Anti-Bot Solutions: Beyond CAPTCHA, organizations can also deploy anti-bot solutions to block credential stuffing traffic. These solutions use behavioral anomalies to differentiate human and automated visitors to a site and to block suspicious traffic.
  • Website Traffic Monitoring: A credential stuffing attack involves a massive volume of failed login attempts. Monitoring traffic to login pages may allow an organization to block or throttle these attacks.
  • Checking Breached Credentials: Credential stuffing bots typically use lists of credentials exposed in data breaches. Checking user passwords against lists of weak passwords or services like HaveIBeenPwned can help to determine if a user’s password is potentially vulnerable to credential stuffing.

Prevent Credential Stuffing with Harmony Browse

Check Point’s Harmony Browse protect against credential stuffing in a couple of different ways, including:


  • Blocking Password Reuse: When an employee is creating a new password on a website, Harmony Browse checks to see if they have used the same password for other accounts. By blocking password reuse, Harmony Browse reduces the threat of credential stuffing attacks.
  • Protecting User Credentials: The lists used in credential stuffing attacks often include credentials stolen using phishing attacks. Harmony Browse blocks zero-day phishing sites designed to steal these credentials.


To see Harmony Browse in action, check out this video.

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.