Credential stuffing is a cyberattack in which exposed usernames and passwords are used to gain fraudulent access to user accounts through large-scale, automated login requests. High account usage, password reuse, and vast volumes of breached credentials on the dark web create the perfect storm for cybercriminals to carry out credential stuffing campaigns, while tactics used by malicious actors make identifying and preventing credential stuffing attempts a significant challenge for organizations.
Adding to pressures is the fact that attackers purposely disguise credential stuffing to make fraudulent access attempts appear legitimate and escape detection. “Credential stuffing attacks are emulating the sorts of requests that a legitimate user would make,” Troy Hunt, security researcher and founder of data breach notification service Have I Been Pwned, tells CSO. “Attackers are asking: What does it look like to make a legitimate request? How can we emulate that? Where it starts to get really interesting is when we look at the combativeness between defenders and attackers.”