Credential Stuffing is the process of using automated systems to brute-force a website's login with credentials taken from another site, in the hope that some of them match existing accounts.

Many credentials are publicly available; their cost varies with their age.[1]

For example, Digital Shadows reports that the LinkedIn database cost $2,280 in April 2016; now, you can buy it for a mere $4. One of the most thorough packages costs $2,999 for a total of 3,825,302,948 credentials collected from 1,074 databases.

Attackers use a few different tools to launch Credential Stuffing attacks, but the main ones are SentryMBA, Vertex Cracker, and Account Hitman.
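
As an added example (not from the original article or from any vendor), the Python code below shows how a defender can tell this pattern apart from classic brute force in login logs: Credential Stuffing tries many different accounts about once each from one source, with few successes. The log format, thresholds, and verdict labels are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample data: '<time> <source IP> <username> <OK|FAIL>'."""
    lines = []
    # Stuffing pattern: one source, 20 different accounts, one attempt each.
    for i in range(20):
        result = "OK" if i == 13 else "FAIL"
        lines.append(f"2024-01-01T10:00:{i:02d} 198.51.100.7 user{i} {result}")
    # Classic brute force: one source, one account, many guesses.
    for i in range(20):
        lines.append(f"2024-01-01T10:05:{i:02d} 203.0.113.9 admin FAIL")
    # Ordinary user: one typo, then a successful login.
    lines.append("2024-01-01T10:06:00 192.0.2.44 carol FAIL")
    lines.append("2024-01-01T10:06:09 192.0.2.44 carol OK")
    return lines

def classify_sources(lines, min_attempts=10, max_per_user=2.0, max_success=0.2):
    """Label each source IP. All thresholds are assumed values to tune."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing
        _, ip, user, result = parts
        entry = stats[ip]
        entry["attempts"] += 1
        entry["ok"] += int(result == "OK")
        entry["users"].add(user.lower())
    verdicts = {}
    for ip, entry in stats.items():
        per_user = entry["attempts"] / len(entry["users"])
        success_rate = entry["ok"] / entry["attempts"]
        if entry["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif per_user > max_per_user:
            verdicts[ip] = "brute_force"  # few accounts, many guesses each
        elif success_rate <= max_success:
            verdicts[ip] = "credential_stuffing"  # many accounts, ~1 try each
        else:
            # Many accounts, mostly successful: e.g. an office NAT or proxy.
            verdicts[ip] = "review"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(build_sample_log()).items()):
        print(ip, verdict)
```

Grouping by source IP is the assumption that limits this example: attempts spread across many addresses would need a different grouping key.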

"There are different motivations, but making money is an obvious one. People also use account takeover to find out more information about users. If you want to tailor an attack more, you can log on to different accounts."

