How does credential stuffing work?
A credential stuffing attack involves fraudulently obtaining valid account credentials (e.g., pairs of usernames/email addresses and passwords) from compromised accounts on third-party services and “stuffing” them into the log-in forms of other online sites until correct matches are found. The attacks are relatively straightforward to launch with automated software (e.g., account checker apps), which can attempt to access large numbers of accounts at great speed.
Why are credential stuffing attacks carried out?
The primary motivation for this type of cyberattack is financial gain; however, attackers may also seek to cause more intangible harm to the account holder. Such harm may include leaking sensitive personal information, causing reputational damage or infiltrating business accounts.
Such attacks exploit both human weaknesses around security (for example, the fact that individuals still regularly reuse the same username and password across different accounts) and technical failings, which can result in security incidents that leak credentials for sale or general use by attackers.