Credential Stuffing
1. Definition
Credential stuffing is a subset of brute-force attacks in which the attacker automates the submission of breached username/password pairs to a target application's login form.
Unlike traditional brute force (guessing "password123" against one account), this attack relies on the statistical fact that users reuse passwords across services. If a user's LinkedIn password leaks, attackers will "stuff" that same credential into banking, healthcare, and retail sites. Because each pair is typically tried only once per target, the per-account lockout counters that stop classic brute force never trip.
2. Technical Explanation
This is OWASP Automated Threat OAT-008 (Credential Stuffing).
- Source: Attackers acquire "combolists" (dumps of email:password pairs aggregated from earlier breaches) from underground markets.
- Engine: Tools like Sentry MBA, OpenBullet or custom scripts rotate through proxies (often residential IP networks) so that no single IP accumulates enough failures to trip a simple IP block or rate limit.
- Execution: The bot submits each credential pair to the target's login endpoint, usually once, and classifies the response (success, bad password, MFA prompt, CAPTCHA).
- Success: Valid logins are separated out as "hits" and sold or used directly for fraud.
3. Attack Flow
```mermaid
flowchart TD
    Breach[Breached Site A] -->|Leak| DB[(Combolist Database)]
    DB --> Bot[Attack Botnet]
    Bot -->|"Try [email protected] / P@ss123"| Target[Target Site B]
    Target -->|"200 OK (Login Success)"| Bot
    Bot --> Hits[(Valid Accounts List)]
    Hits --> Takeover[Account Takeover / Fraud]
    Note[The user is legitimate,<br/>the password is correct.<br/>The system cannot tell it's a bot.]
    Target -.- Note
```
4. Real-World Case Study: 23andMe (2023)
Target: 23andMe (Genetic Testing Service). Vulnerability Class: No credential-stuffing protection; MFA was optional.
The Incident: In October 2023, 23andMe disclosed that attackers had used credential stuffing to log in to roughly 14,000 accounts whose owners had reused passwords leaked from other platforms. Crucially, 23andMe's own systems were not breached; every login used a valid password. Because those accounts had opted in to the "DNA Relatives" feature, the attackers could scrape the profile data of each victim's genetic relatives, and the company later confirmed that information on about 6.9 million users was accessed, most of whom had never been logged in to directly.
Impact: A class-action privacy lawsuit and a large settlement, and 23andMe subsequently made MFA mandatory for all users. The case showed that "user error" (password reuse) becomes a system problem when the platform neither enforces MFA nor detects stuffing.
5. Detailed Defense Strategies
A. Multi-Factor Authentication (MFA)
A second factor stops most stuffing outright: even with a valid password from a breach, the bot cannot complete the SMS/TOTP challenge. It is not a silver bullet, though. SMS and TOTP codes can be relayed in real time by phishing proxy kits, SMS is exposed to SIM swapping, and push notifications are exposed to MFA-fatigue prompting, so phishing-resistant factors (FIDO2/WebAuthn passkeys) are the stronger default.
- Best Practice: Enforce MFA for all users, or at minimum use adaptive (risk-based) MFA that challenges only suspicious logins: new device, new geography, or a source IP with an unusual number of distinct usernames.
B. Breached Password Protection
Check passwords against known breach corpora at registration, on password change, and at login.
- Tool: Use the Have I Been Pwned (HIBP) Pwned Passwords range API or a similar service. The range API works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the host.
- Mechanism: If a user tries to set a known compromised password, reject it; if a user logs in with one, accept the login but force a reset (and, ideally, step up to MFA for that session).
- NIST Guideline: NIST SP 800-63B (section 5.1.1.2) requires verifiers to compare new memorized secrets against a list of values known to be compromised, so this is a baseline control rather than an optional extra.
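The k-anonymity check described above, written out as an added example (this is not code from the original page or from HIBP). The sample range response is a constructed stand-in for what the real endpoint returns, and the count shown for "password" is illustrative, not the live figure; the live fetcher, `fetch_range_live`, is included for reference but the offline path is what runs here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for one HIBP range response, keyed by the 5-char prefix queried.
# The real endpoint returns several hundred "SUFFIX:COUNT" lines per prefix; the count for
# "password" (suffix 1E4C9B...) below is illustrative, not the live figure.
SAMPLE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n"
    ),
}


def split_sha1(password: str):
    """k-anonymity split: only the 5-char prefix of SHA-1(password) is sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table. Padded rows (count 0) parse harmlessly."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range_live(prefix: str) -> str:
    """Real HIBP call (not exercised here). Add-Padding makes response sizes uniform so a
    network observer cannot infer the prefix from the body length."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_sample) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str,
                        fetch_range: Callable[[str], str] = fetch_range_sample) -> bool:
    """Registration / reset policy: any appearance in the corpus is a rejection."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-9f2a"):
        print(pw, "->", "rejected" if not accept_new_password(pw) else "accepted")
```

Swap `fetch_range_live` in for `fetch_range_sample` to query the real service; the comparison still happens locally, so the only thing on the wire is the five-character prefix.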
C. Device Fingerprinting & Behavior Analysis
Detect that the login is coming from a script rather than a person, and feed those signals into the adaptive MFA decision.
- Signals:
  - Headless browser or HTTP library User-Agent (HeadlessChrome, PhantomJS, python-requests). Easily spoofed, so weight it low.
  - Many distinct usernames from one IP or ASN, each tried once, with a low success rate. This is the stuffing signature; classic brute force is the inverse (one username, many passwords).
  - Inconsistent IP geolocation, or "impossible travel" (login from Russia 5 minutes after a login from the USA).
  - Mouse movement and keystroke telemetry (bots move in straight lines, type at constant intervals, or produce no telemetry at all).
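The signals above, applied to a constructed login log as an added example (not code from the original page). It covers both the detection logic of this section and the adaptive-MFA decision from section A: it finds the stuffing signature (many distinct usernames from one IP, low hit rate), flags headless User-Agents and impossible travel, and turns the combined score into allow / challenge / block. The event field names, the thresholds, and the sample IPs (RFC 5737 documentation ranges) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample login log (not real traffic). IPs are from the RFC 5737 documentation
# ranges; the field names (ts, ip, user, ua, country, ok) are assumptions for this example.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
HEADLESS = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0"
EVENTS = [
    {"ts": "2024-05-01T09:58:00", "ip": "198.51.100.20", "user": "grace", "ua": CHROME, "country": "US", "ok": True},
    {"ts": "2024-05-01T10:00:01", "ip": "198.51.100.4", "user": "alice", "ua": CHROME, "country": "US", "ok": False},
    {"ts": "2024-05-01T10:00:09", "ip": "198.51.100.4", "user": "alice", "ua": CHROME, "country": "US", "ok": True},
    # One IP, six different usernames, each tried once, one hit: the stuffing signature.
    {"ts": "2024-05-01T10:01:00", "ip": "203.0.113.7", "user": "bob", "ua": HEADLESS, "country": "NL", "ok": False},
    {"ts": "2024-05-01T10:01:01", "ip": "203.0.113.7", "user": "carol", "ua": HEADLESS, "country": "NL", "ok": False},
    {"ts": "2024-05-01T10:01:02", "ip": "203.0.113.7", "user": "dave", "ua": HEADLESS, "country": "NL", "ok": False},
    {"ts": "2024-05-01T10:01:03", "ip": "203.0.113.7", "user": "erin", "ua": HEADLESS, "country": "NL", "ok": False},
    {"ts": "2024-05-01T10:01:04", "ip": "203.0.113.7", "user": "frank", "ua": HEADLESS, "country": "NL", "ok": False},
    {"ts": "2024-05-01T10:01:06", "ip": "203.0.113.7", "user": "grace", "ua": HEADLESS, "country": "NL", "ok": True},
    # A lone scripted login from an otherwise quiet IP: suspicious, but not proven stuffing.
    {"ts": "2024-05-01T10:10:00", "ip": "192.0.2.9", "user": "heidi", "ua": "python-requests/2.31", "country": "US", "ok": True},
]

HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl/", "Go-http-client")


def is_headless(ua: str) -> bool:
    """Cheap User-Agent check. Bots spoof this easily, so it is one signal, not proof."""
    return any(marker in ua for marker in HEADLESS_MARKERS)


def per_ip_stats(events) -> Dict[str, dict]:
    """Attempts, distinct usernames and success rate per source IP."""
    acc = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for e in events:
        s = acc[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["successes"] += int(e["ok"])
    return {ip: {"attempts": s["attempts"],
                 "distinct_users": len(s["users"]),
                 "success_rate": s["successes"] / s["attempts"]} for ip, s in acc.items()}


def stuffing_ips(events, min_users: int = 5, max_success_rate: float = 0.25) -> List[str]:
    """Stuffing = many different usernames from one source with a low hit rate.
    Classic brute force is one username with many passwords, so it is not caught here."""
    return sorted(ip for ip, s in per_ip_stats(events).items()
                  if s["distinct_users"] >= min_users and s["success_rate"] <= max_success_rate)


def impossible_travel(events, max_minutes: int = 60) -> List[Tuple[str, str, str, float]]:
    """Successful logins for one user from different countries closer together than max_minutes."""
    last: Dict[str, Tuple[datetime, str]] = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["ok"]:
            continue
        t = datetime.fromisoformat(e["ts"])
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"]:
            gap = (t - prev[0]).total_seconds() / 60
            if gap <= max_minutes:
                hits.append((e["user"], prev[1], e["country"], round(gap, 1)))
        last[e["user"]] = (t, e["country"])
    return hits


def decide(event, events) -> str:
    """Adaptive MFA policy: block confirmed stuffing sources, challenge anything that merely
    looks scripted or geographically implausible, let clean logins through."""
    score = 0
    if event["ip"] in stuffing_ips(events):
        score += 2
    if is_headless(event["ua"]):
        score += 1
    if any(hit[0] == event["user"] for hit in impossible_travel(events)):
        score += 1
    if score >= 2:
        return "block"
    if score == 1:
        return "challenge_mfa"
    return "allow"


if __name__ == "__main__":
    print("stuffing IPs:", stuffing_ips(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    for e in EVENTS:
        print(e["ts"], e["ip"], e["user"], "->", decide(e, EVENTS))
```

In production the per-IP counters live in a sliding window (a rate-limiter store such as Redis) rather than being recomputed over the whole log, and the IP-level signal is usually extended to the ASN, since residential proxy networks spread one campaign across thousands of addresses.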
