Credential Stuffing Attack Prevention
Credential stuffing bots attempt to log in to user accounts using stolen passwords and username credentials obtained from previous data breaches and phishing attacks. Credential stuffing relies on the fact that many users don’t change their Internet passwords.
If successful, the attackers gain unauthorized access to user accounts, leading to data breaches, identity theft, fraud, and the loss of sensitive information. In December 2023 the DNA site 23andMe revealed that hackers had used credential-stuffing tactics to crack open 14,000 accounts, and later disclosed that the hackers had exploited those 14,000 accounts to compromise 6.9 million accounts, many of which held DNA data alongside personal details. This is perhaps the most egregious example of a total privacy failure at every level.
Credential stuffing is part of a dark web “supply” chain that uses bots and social engineering to compromise accounts with stolen credentials. Phishing attacks and previous data breaches supply billions of potential username and password combinations, which are then verified and tested in credential stuffing attacks.
Credential stuffing is hard to detect using conventional methods, and many sites just don’t monitor their account login pass / fail ratios. Even if they do, they are subject to continual credential stuffing attacks, which distorts the analytics.
Let’s take an “average” login success ratio of 70%. This means that 30% of the time, your visitors fail to log in. This, of course, can happen for many reasons, including:
Hiding among all these failures is the deliberate attempt by credential stuffers to try their username and password combinations and see which login credentials are valid. A sudden spike in the ratio is obviously a cause for concern, but it’s still hard to know what is causing the spike itself. Credential stuffing attacks are often specifically designed to hide amongst the legitimate visitors hitting your website or API endpoints.
Most sites use the ratio of successful logins to failures as a key metric to identify possible account takeover attempts. Login success ratios are highly dependent on the industry and platform. Accounts that are frequently accessed with higher levels of 2FA, such as bank accounts, have much higher pass-to-fail ratios. Bank clients don’t tend to forget their credentials and take much more care when logging in, despite the additional security measures they have to take, than a general retail login.
Relying on ratio analysis isn’t going to help. Credential stuffing attacks rely on bots. They need large volumes of password and username pairs to be able to get lucky with a combination that works.
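As an added example (not part of the original article or the VerifiedVisitors product), the following Python script shows what the ratio analysis described above looks like in practice: it groups login events into hourly windows, computes the pass/fail ratio for each, flags windows whose failure rate climbs well above the 30% baseline used above, and counts distinct failed usernames per source IP. The log format and every sample line are constructed for this example; the baseline, tolerance and minimum-attempt values are assumptions.

```python
"""Login pass/fail ratio monitoring over constructed auth log lines.

Added example: not the article's or any vendor's code. The log format,
sample lines, baseline (70% pass / 30% fail, as in the article) and
tolerance are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    username: str
    success: bool


# Constructed sample lines (assumed format):
# "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# The 10:00 hour is ordinary traffic; the 11:00 hour mixes ordinary traffic
# with a burst of failures against many distinct usernames from a few
# documentation-range addresses.
SAMPLE_LOG = """\
2024-01-01T10:00:05 198.51.100.7 alice LOGIN_OK
2024-01-01T10:03:41 198.51.100.8 bob LOGIN_OK
2024-01-01T10:07:12 198.51.100.9 carol LOGIN_FAIL
2024-01-01T10:12:30 198.51.100.10 dave LOGIN_OK
2024-01-01T10:18:02 198.51.100.11 erin LOGIN_OK
2024-01-01T10:25:44 198.51.100.12 frank LOGIN_OK
2024-01-01T10:31:09 198.51.100.13 grace LOGIN_FAIL
2024-01-01T10:40:51 198.51.100.14 heidi LOGIN_OK
2024-01-01T10:47:23 198.51.100.15 ivan LOGIN_OK
2024-01-01T10:55:37 198.51.100.16 judy LOGIN_FAIL
2024-01-01T11:01:15 198.51.100.7 alice LOGIN_OK
2024-01-01T11:02:03 203.0.113.21 user1001 LOGIN_FAIL
2024-01-01T11:02:04 203.0.113.21 user1002 LOGIN_FAIL
2024-01-01T11:02:05 203.0.113.21 user1003 LOGIN_FAIL
2024-01-01T11:05:40 198.51.100.8 bob LOGIN_OK
2024-01-01T11:09:17 203.0.113.22 user1004 LOGIN_FAIL
2024-01-01T11:09:18 203.0.113.22 user1005 LOGIN_OK
2024-01-01T11:09:19 203.0.113.22 user1006 LOGIN_FAIL
2024-01-01T11:14:28 198.51.100.9 carol LOGIN_OK
2024-01-01T11:20:52 203.0.113.23 user1007 LOGIN_FAIL
2024-01-01T11:20:53 203.0.113.23 user1008 LOGIN_FAIL
2024-01-01T11:20:54 203.0.113.23 user1009 LOGIN_FAIL
2024-01-01T11:33:06 198.51.100.10 dave LOGIN_FAIL
"""


def parse_events(text: str) -> list:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def window_start(ts: datetime, minutes: int) -> datetime:
    """Truncate a timestamp to the start of its fixed-size window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def ratio_by_window(events, minutes: int = 60) -> dict:
    """Map each window start to an (ok, fail) count pair, oldest first."""
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        counts[window_start(e.ts, minutes)][0 if e.success else 1] += 1
    return {w: (ok, fail) for w, (ok, fail) in sorted(counts.items())}


def failure_rate(ok: int, fail: int) -> float:
    total = ok + fail
    return fail / total if total else 0.0


def flag_windows(windows: dict, baseline_fail: float = 0.30,
                 tolerance: float = 0.15, min_attempts: int = 10) -> list:
    """Windows whose failure rate exceeds baseline + tolerance.

    Windows with too few attempts are skipped so a single failed login in a
    quiet hour does not page anyone. Thresholds are assumed values.
    """
    return [w for w, (ok, fail) in windows.items()
            if ok + fail >= min_attempts
            and failure_rate(ok, fail) > baseline_fail + tolerance]


def failed_usernames_per_source(events) -> dict:
    """Number of distinct usernames that failed to log in from each source IP."""
    users = defaultdict(set)
    for e in events:
        if not e.success:
            users[e.src_ip].add(e.username)
    return {ip: len(u) for ip, u in users.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    wins = ratio_by_window(evs)
    for w, (ok, fail) in wins.items():
        print(f"{w:%Y-%m-%d %H:%M}  ok={ok:2d} fail={fail:2d} fail_rate={failure_rate(ok, fail):.2f}")
    print("flagged windows:", [w.isoformat() for w in flag_windows(wins)])
    print("distinct failed usernames per source:", failed_usernames_per_source(evs))
```

Run as-is, the 10:00 window sits exactly at the 30% baseline and the 11:00 window is flagged at roughly 69% failures. The per-source count illustrates the article's point about IP rotation: spreading the same nine attempts across more addresses drives the per-IP figure down toward the one failure a legitimate user produces, which is why the ratio is a lagging, easily diluted signal rather than a way to stop the attempts themselves.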
VerifiedVisitors has state-of-the-art bot detection at the network edge, which means we pick up, detect and stop the bots from accessing login paths before they can do any harm.
The bot detection captures the login paths and detects bots attempting to log in. You can then simply test a blocking, CAPTCHA or challenge page rule to stop the bot, or run additional verification checks on it. The rule dynamically adapts to protect the login paths despite any change in attack platform, proxy, signature, IP rotation, country rotation, user agent, or any other attempt to hide as legitimate traffic. Once the login paths are clean of bots, a definitive login ratio can be established, and alerts set up for any large changes in that ratio, which may be an early indication that something isn’t quite right in the login process. Account testing bots, or periodic account testing bots, can be defined as custom bots and whitelisted.
Ratio analysis of pass to fail logins, spikes in registration, and other analytics can help but ultimately you need to stop the bots before they can attempt the login.
If not prevented, the attacks can be extremely large. The hackers may have a few million combinations of password and username they want to verify. This can mean millions of attacks.