Credential Stuffing Threats
To Web And Mobile Applications

Shape defends against increasingly sophisticated automated cyberattacks

Credential Stuffing Defense

Credential stuffing is the use of automation to test usernames and passwords stolen from one site against other sites, with the intent of taking over a large set of accounts en masse.

For example, cybercriminals targeted the gift card program of a Fortune 500 retailer, stealing tens of millions of dollars from the company and its customers. Attackers used credentials spilled from other website breaches to hijack customer accounts and steal funds from gift cards. Fraudulent login attempts exceeded a million per day and made up over 90% of the traffic to the login URL. Traditional defenses, like web application firewalls, intrusion detection and prevention services, and fraud analytics, failed to prevent these ongoing automated attacks. The Fortune 500 retailer deployed the Shape solution and completely eliminated account hijackings.

Shape defends against increasingly sophisticated automated cyberattacks, such as credential stuffing, that employ advanced techniques and evade traditional security solutions. Automated attacks on web and mobile applications are responsible for millions of dollars in fraud losses per day for the leading airlines, banks, retailers, healthcare organizations and government agencies.

Credential Stuffing is an OWASP Top 20 Threat

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The OWASP Top 20 represents the most critical automated threats.


Credential Stuffing (OAT-008)

Threat Mechanism: Large-scale automated attacks test lists of stolen credentials to check for re-use of login credentials. Username and password pairs are tested against website and mobile app authentication mechanisms.


Take over accounts and fraudulently transfer assets for monetary gain.

Symptoms:

Other Names: Account Takeover, Fake Account Creation, Credential Stuffing, Account Checking, Login Stuffing, Password List Attack, Stolen Credentials
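
The threat mechanism above leaves a recognizable trace in authentication logs: one source trying many different usernames, with most attempts failing. The following detection sketch is an added example, not code from Shape or OWASP; the log format, field order and thresholds are assumptions, and the sample log is constructed. Per-source counting misses attacks spread across many addresses, so the site-wide failure ratio is returned as a second signal.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.7 ann@example.com FAIL
2024-01-01T10:00:01Z 198.51.100.7 ben@example.com FAIL
2024-01-01T10:00:02Z 198.51.100.7 cat@example.com FAIL
2024-01-01T10:00:02Z 198.51.100.7 dan@example.com OK
2024-01-01T10:00:03Z 198.51.100.7 eve@example.com FAIL
2024-01-01T10:00:03Z 198.51.100.7 fay@example.com FAIL
2024-01-01T10:00:09Z 203.0.113.20 gus@example.com FAIL
2024-01-01T10:00:15Z 203.0.113.20 gus@example.com OK
2024-01-01T10:00:20Z 203.0.113.21 hal@example.com OK
"""

def analyze_logins(log_text, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that try many different usernames and mostly fail.

    Thresholds are illustrative assumptions; tune them per application.
    """
    per_source = defaultdict(lambda: {"users": set(), "ok_users": set(), "attempts": 0, "fails": 0})
    total = fails = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, source, user, result = fields
        stats = per_source[source]
        stats["users"].add(user)
        stats["attempts"] += 1
        total += 1
        if result == "OK":
            stats["ok_users"].add(user)
        else:
            stats["fails"] += 1
            fails += 1
    flagged = {}
    for source, stats in per_source.items():
        fail_ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            # Successful logins from a flagged source are likely takeovers:
            # candidates for session revocation and a forced password reset.
            flagged[source] = sorted(stats["ok_users"])
    return {"flagged": flagged, "site_fail_ratio": fails / total if total else 0.0}

if __name__ == "__main__":
    print(analyze_logins(SAMPLE_LOG))
```

On the constructed log, the single source that cycles through six usernames is flagged together with the one account it logged in to successfully, while the user who mistyped a password once is not.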
