What Is Credential Stuffing, and How Can MFA Help Prevent It?

Want more content?

By subscribing to our mailing list, you will be enrolled to receive our latest blogs, product updates, industry news, and more!

Quick Hits: 
  • Credential stuffing is a type of cyberattack in which hackers obtain stolen usernames, passwords, and email addresses from one business to illegally access user accounts from another business. 
  • This cyberattack method is one of the leading causes of data breaches because many people use the same username and password information on multiple online accounts. 
  • Businesses can help prevent these cyberattacks through various ways, from enabling MFA to using credential hashing. 
What Is Credential Stuffing? 

Credential stuffing is a cyberattack where cybercriminals use stolen usernames, passwords, and email addresses from one business (either from a breach or purchased for cheap on the dark web) to access user accounts at a different company. Hackers use the stolen data to insert it into numerous web application login forms automatically. The Verizon 2022 Data Breach Investigations report indicates that 65 percent of people reuse the same password credentials on multiple accounts, making this cyberattack one of the most common causes of data breaches.  

Once they access these accounts, hackers can obtain sensitive data, such as personally identifiable information (PII), credit card details, and other financial data. With this valuable information, cybercriminals can commit identity theft, credit card fraud, phishing, scams, or even account takeover (ATO) (especially if it involves valuable digital assets or high-status individuals).

How Is Credential Stuffing Different from Brute-force Attacks? 

Brute-force attacks occur when hackers execute significant computing resources to guess commonly used password combinations randomly. However, credential stuffing attempts to access accounts using real login credentials stolen from a data breach or bought on the dark web from past breaches. Stolen credentials are tried against hundreds of online services. Since many people reuse the same login credentials for different accounts, this cyberattack method has a greater chance of success than brute-force attacks. 

What Is a Credential Stuffing Attack? 

Credit stuffing attacks depend on the user authentication model, which allows anyone with login credentials to act as the authorized user of an account. There are two primary approaches to conducting this cyberattack – manual and automatic. The manual approach is where an individual enters the stolen login information on various online websites until they find a match. Since cybercriminals likely don’t have the time or energy for this long and tedious process, they use an automatic tool to do their dirty work.  

An automated botnet tool is designed to distribute the login requests to multiple IP addresses. Hackers can purchase these tools on the dark web for as little as a few hundred bucks and quickly launch attacks without expert technical skills. Cybercriminals provide a list of compromised login information to the botnet, which tries accessing accounts across multiple sites simultaneously. A large-scale credential stuffing attack can quickly devastate an organization’s internal systems, such as receiving 180 times their typical traffic rates during an attack.   

The botnet will monitor for successful login attempts. If the botnet gains access to user accounts, it will then be used to gather valuable data, such as PII and credit card details, from the compromised accounts. Further, these tools can store compromised account information for later use, which can be used to launch other cyberattacks or fraudulent card-not-present (CNP) purchases.



MFA and Credential Stuffing Prevention 

While it may seem daunting, there are steps merchants and users can take to help prevent credential-stuffing attacks. Check out these credential-stuffing solutions below. 


1. Implement Multi-factor Authentication (MFA) 

Rather than using a single password to access and secure an account, multi-factor authentication (MFA) requires one or more additional pieces of login information to access an account. Various types of data may be necessary. 


  • Biometric MFA – this is a new type of authentication that offers robust protection similar to one-time codes. This method is not mandatory because it only works with devices with biometric capabilities, such as fingerprint readers or facial recognition cameras. Also, there may be times when users need to access their account using a different device, making it inconvenient if biometrics were required to log in successfully. 
  • Knowledge-based MFA – a traditional biometric method in which users must complete a security question, such as the city they were born in or their favorite teacher’s name. This type is considered the easiest yet weakest authentication form because this personal information can be located online through social media or other public sources.  
  • Possession-based MFA – this authentication method requires users to have their device in their possession. After successfully entering their password, a user would receive a temporary, one-time code sent via text to their pre-registered mobile number. Once the code is received, they would enter it to finish the login process. This method offers strong security but can be inconvenient for users if they don’t have a specific device. 


2. Monitor for Leaked Credentials 

Service providers can use security solutions that automatically monitor users’ login information against vast databases of leaked credentials publicly available on the dark web. If stolen credentials are discovered that match users’ login information, these users can be immediately notified.  

Additionally, end users can enter their email addresses on HaveIBeenPwned.com to find out if any accounts associated with their email addresses have been compromised due to a security breach. If compromised accounts are found, users can quickly update their passwords that are the same or similar to the stolen credentials. Indeed, this can help prevent credential stuffing attacks. However, searching for leaked credentials is only effective if breached databases are published online. Service providers and users cannot quickly locate leaked credentials that weren’t published. 


3. Prevent Email Addresses As Usernames 

Since credential stuffing attacks depend on people reusing the same usernames, it can make hackers’ jobs easier if users use their email address as the username for several accounts. Businesses can prevent users from using an email address as their username, which can help decrease the likelihood of users using the same username and password combination on other websites.  


4. Prevent Headless Browsers 

Headless browsers like PhantomJS provide control of a web page but are executed via a command-line interface or network communication rather than an end user. Thus, these browsers generally imply suspicious online activity. Blocking access to these browsers can help prevent credential stuffing attacks.   


5. Restrict Authentication Requests  

Service providers can restrict the number of failed authentication requests that users can make. While providers can limit these requests by IP addresses, geographic location, device, or time frame, these aren’t effective against credential stuffing attacks executed across different IP addresses, places, and devices.  

Instead, businesses can use strict parameters to help secure user accounts. For example, a company may allow up to three failed login attempts before temporarily freezing an online account. The account owner would receive an email alert that mentions the failed login attempts. If the user is unaware of these authentication attempts, they can quickly update their login credentials, reducing the speed of this type of cyberattack. 



Businesses can use the Completely Automated Public Turing test, commonly known as CAPTCHA. This security method requires end users to perform specific actions to prove that they are humans, not computers. While this sounds silly, this solution can be helpful when combined with other security measures. It is important to note that skilled threat actors can bypass CAPTCHA via headless browsers and carry out cyberattacks. 


7. Use Credential Hashing 

Credential hashing scrambles a user’s password (plaintext) before storing it in a database. The goal is to prevent hackers from being able to steal this sensitive data if a breach occurs. It’s best to think of hashing as an insurance policy – it gives users time to update their passwords post-breach before their accounts are harmed. While hashing cannot prevent credential stuffing attacks, it can restrict what a cybercriminal can do with stolen passwords.


8. Use Unique Passwords 

With over half of online users reusing the same passwords for several accounts, it is understandable that credential stuffing continues to be a concern in today’s digital landscape. One easy solution to mitigate the risks and impact of credential stuffing attacks is to use unique passwords for every account. Of course, this is not feasible for most people since the average user has over one hundred online accounts. Two options to easily create and manage unique passwords are to use a password manager solution, such as LastPass, and a password generator to take the worry out of creating strong passwords that aren’t so easy to crack.  

What Else Can You Do to Protect Your Sensitive Data? 

At TokenEx, we understand the importance of protecting sensitive data, maintaining compliance, enabling critical business utility, and ensuring your customers that their personal information is in good hands. No matter what type of business you own, it‘s imperative that you have a reputable security partner that will help you achieve your security needs, so you can focus on growing your business. Our expert cloud-based tokenization platform is built to help protect what matters most to you. Tokenization replaces your sensitive data with unique, randomly generated numbers known as tokens. These tokens do not contain valuable information, which will be critical if your organization suffers from a breach. Contact our team today to find out how we can help your business establish a holistic security solution that provides the flexibility, customization, and data control you need to work with any third-party provider.