Credential Stuffing Prevention: A complete checklist for 2023

July 28, 2021
July 28, 2021
Credential stuffing prevention

Learn more about Fingerprint

  • Streamline user experiences for trusted traffic
  • The highest accuracy device identification for mobile and web
  • Improve visitor analytics on mobile and web
Talk to our Team

Credential stuffing prevention is one of the most effective cybersecurity defenses a website or organization can implement today. Securing and protecting your users' data with account takeover prevention methods can go a long way toward stopping costly and embarrassing breaches.

Credential stuffing attacks are among the most common causes of data breaches. This technique is made possible because around 65% of people reuse passwords on multiple accounts, meaning that once account cracking hackers have that information, re-use it is simple. A data breach in the United States costs $9.44 million, nearly double the global average.

The scale of credential stuffing attacks is only increasing globally. A 2020 study by Risk Based Security found that the number of reported data breaches more than halved compared to the same period 12 months prior. However, more than 27 billion records were compromised in six months - nearly double what was leaked in 2019. Okta reported that over 10 billion credential stuffing log-in attempts were recorded at the beginning of 2022, which is 34% of all login attempts.

What is credential stuffing?

Credential stuffing is the automated use of usernames and passwords obtained through hacking. These hacks can be coordinated by the party carrying out the credential stuffing attack, or hackers can purchase pre-obtained logins from the dark web.

Automation bots rapidly enter stolen login details across a network of websites. While they're only successful around 0.1 - 0.2% of the time, the result can mean private information and credit card details can be easily obtained.

Credential stuffing attacks are popular because they can sweep a wide range of sites much faster than if the information was entered manually. Not only that, but bots can distribute their requests from different IP addresses, making it nearly impossible to track where the attacks are coming from.

Famous credential stuffing attacks

Even if you haven't heard the term credential stuffing attack before, there's a good chance you may have heard of one being carried out:

  • In 2019, Dunkin' was the victim of two credential stuffing attacks that compromised the account details of its more than 10 million DD Perks members.
  • In 2020, around 500,000 usernames and passwords were stolen from Zoom, published on the dark web, and made available for purchase.
  • In 2022, The North Face, an outdoor apparel company, fell victim to a credential stuffing attack resulting in an information leak of nearly 200,000 users. This included the users' full name, telephone number, gender, account creation date, purchase history, billing and shipping addresses, and loyalty points.
  • You can read about recent data breaches in our blog, 2022 Fraud in the News.

While the information you have on your Dunkin' Donuts account may seem insignificant, using the same password for your online bank account can become a much larger (and more expensive) problem.

Checklist for credential stuffing prevention

So what can you do to protect against credential stuffing? Credential stuffing prevention requires more than a username and password to access your accounts.

It may require extra effort, but the payoff can be protecting your personal information and widespread access to other accounts.

Here are the six most effective techniques to protect yourself from credential stuffing attacks.

Multi-factor Authentication

Multi-factor authentication (or MFA) is a backup to entering your username and password. It often comes in a separate app such as Duo or JumpCloud.

When you log in to your account, your MFA account will push a notification to a pre-arranged device, such as your mobile phone, to check that you are attempting to get in. You can accept and get access if it is, but your account will be protected if anyone else is trying to break in.

MFA is easy to set up, and many websites are starting to incorporate their versions as a standard part of the login process.

Passwords and security questions

Like MFA, having passwords and security questions is just another layer of protection beyond your login information.

The security questions must be answered correctly for someone to get into your account. These questions can ask for the name of your first pet, the last four digits of your childhood telephone number, or your mother's maiden name.

The best security questions are simple enough for the user, but the answers are hard to guess and not available elsewhere on the internet. For example, attack bots may be able to trawl social media to find out your favorite movie or guess what your favorite color is. However, it's likely to be challenging to figure out the name of the street you grew up on.


Captcha is an anagram for a Completely Automated Public Turing test to tell Computers and Humans Apart. They're becoming increasingly popular, and you likely will have seen one before.

It can come in a picture grid, where you must identify pictures containing certain elements, such as a person or a car. It can also involve identifying a random sequence of numbers and letters.

A captcha generator is effective because it randomizes a correct response that an automated attack bot can't guess. Users can't set up their captcha; however, it's integrated into the host website's login process.

IP Blocking

IP blocking is another security measure that denies users from connecting to a web host. Website hosts can turn off access to users based in a specific region, rendering them unable to even get onto the site.

Blocking IP addresses is particularly effective when you can identify suspect IP addresses repeatedly attempting to access your accounts. However, it doesn't work well when those IP addresses are randomized or changed.

There are a few different ways to block IP addresses, but often it's best done through a specific security program such as Kinsta.

Device fingerprinting

Device fingerprinting uses the combination of your activity on one device to confirm your identity. Also known as browser fingerprinting, it's a tracking technique based on your browser and device settings, such as screen resolution, location, language, and operating system.

This information comes together to make up your device's fingerprint. It can also be used as a substitute for cookie data to allow advertisers to trace website activity and target ads to specific types of users.

Cookie data has become increasingly ineffective, meaning your activity on a specific device can now be monitored for whatever purposes the tracker has in mind. That may be as simple as tracking your activity for advertising, but the reasons could also be more nefarious.

In-depth credential stuffing prevention techniques

You can take several more elaborate protection measures to protect your account information and online activity.

  • Multi-step logins. A multi-step login process is similar to MFA, where users must provide two or more forms of identification. This comes in the form of answering questions. It's different from MFA because it doesn't require you to have another device to verify your identity.
  • Block headless browsers. Headless mode is popular among software developers because it allows them to run automated tests. However, it's also popular among hackers because it can aid the running of automated attack bots. Users can block headless browsers in their browser settings, though advanced hackers can still find ways around this.
  • Identify leaked passwords. It's easy to check to see if the password to an email address has been compromised. Encourage your customers and staff to check theirs through a site like Avast Hack Check, which has detected more than 5 billion stolen passwords. If you hear of multiple customers having their details stolen, your database is the source of the leak.
  • Security notifications. Cybersecurity apps such as Dashlane now allow users to receive custom notifications when any account is compromised. You can create your customer account with your business, set up a security notification on that account, and ensure you know as soon as anything goes wrong.


Credential stuffing prevention is straightforward, and when cybersecurity risks are only increasing, businesses need to be able to secure customer data. The embarrassment of being the source of a data leak is lasting and can seriously blow any business.

Cybersecurity and protecting data online is a responsibility website and businesses have for their account holders and individuals.

A proactive approach to credential stuffing prevention can be the difference between a straightforward online experience and constantly dealing with data breaches, notifying customers, and risking losing your business permanently.

To learn more about how Fingerprint can help protect your business from credential stuffing, visit our website and sign up for a free demo today.