CREDENTIAL STUFFING

AKA Account Takeover, Brute Force Attack, Credential Testing, Account Hijacking, Password Checking, Password List Attack

Credential stuffing occurs when a criminal tests large numbers of compromised credentials (i.e., usernames and passwords breached from another site) against your login application.

Shape defeats credential stuffing at multiple levels

Shape finds compromised credentials in real-time, identifies botnets, and blocks simulation software.

Case Study: Top Mobile App Defeats ATOs

Key points

  • Credential stuffing attacks made up 80% of all login traffic
  • CDN-provider only able to prevent one-fifth of attacks
  • Shape eliminated all attacks, reducing site latency from 250 ms to 100 ms
1.4 BILLION
SHAPE PROTECTS OVER 1.4 BILLION ONLINE ACCOUNTS FROM CREDENTIAL STUFFING ATTACKS.

Credential Stuffing Requires Three Elements

1. Breached Credentials

On average, one million usernames and passwords are reported spilled or stolen every day. Attackers acquire credentials in many ways, from discovering misconfigured databases to infecting users’ devices with malware.

According to Shape analysis, 0.5%-2% of any breached credential list will be valid on a targeted website or mobile app.
2. Distributed Botnet

Attackers route their login requests through proxy servers to avoid IP blacklists and other forms of detection. Criminals can purchase access to proxy services from bot herders on dark web forums for $2-$8 per hour.

Across Shape’s customer network, an IP address is typically used just two times per credential stuffing attack.
3. Simulation Software

Finally, attackers use bots, or computer programs, to automatically test the list of breached credentials. Attackers often purchase toolkits on the dark web, such as CAPTCHA solvers or anti-fingerprinting scripts, to help counteract existing defenses.

Credential Stuffing using Python & Selenium
VP of Shape Intelligence demonstrates techniques attackers leverage to imitate users.
Watch the full video

Latest Research

AUTOMATING CYBERCRIME WITH SENTRY MBA
Brief
An original research brief on the attack tool Sentry MBA, a free click-and-point tool designed specifically for credential stuffing attacks.
View Brief
CAPTCHA
Tough on Humans
Easy on Bots
Blog
Learn how attackers defeat Google’s Invisible CAPTCHA via an API.
View Blog
Credential Stuffing Using Headless Browsers
Video
In this 13 minute video, learn how attackers use headless browsers like PhantomJS to bypass security and fraud detection.
Watch Video

Ready to Stop Credential Stuffing?

Fill out the form to start trying Shape.