The Enemy Has Deep Pockets: How safe are your user accounts?

Nov. 23, 2022

Credential stuffing is a type of cyberattack where malicious actors use bots to test stolen username and password pairs at scale. Because people tend to reuse passwords across websites, the method enables hackers to identify valid login data. These credentials can then be monetized via resale or used for various types of fraud, e.g. using influencer accounts with good reputations to conduct crypto scams.

A successful credential stuffing attack can do significant financial and reputational damage to your business. And while traditional security tools like WAFs can mitigate unsophisticated attacks with relative efficiency, it’s a different story when bot operators are willing to spend big money.

In this article we will explore what it might look like when a motivated attacker goes after your user accounts.

A Heavily Distributed Credential Stuffing Attack

The threat research team at DataDome, a cybersecurity company specializing in bot protection, recently observed an instructive attack on the login endpoint of a popular video gaming platform. The attackers spared no effort:

  • The attack lasted for ~4 days
  • The attackers made nearly 108 million malicious login attempts
  • They leveraged more than 91 million different IP addresses located all over the world
  • Each IP address made only 1.18 login attempts on average—very hard to detect

Graph one shows the timeline of the attack. The green line shows human login attempts over time, while the blue line shows the malicious login attempts conducted by bots.

We can observe five major spikes of malicious traffic, including two spikes where the attacker made more than four million malicious login attempts per hour for several hours.
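The following is an added example, not DataDome's code or data: it shows why an attack averaging about one attempt per IP slips under a per-IP rate limit while an hourly, endpoint-wide view still surfaces the spikes. The login events, the thresholds (`max_per_hour`, `factor`, `new_ip_share`) and all function names are constructed assumptions.

```python
from collections import Counter
from statistics import median

def build_events():
    """Constructed sample of (hour, ip, success) login events; not real data."""
    events = []
    for hour in range(6):
        for u in range(40):  # 40 human logins/hour from stable IPs, 5% fail
            events.append((hour, f"10.0.0.{u}", u % 20 != 0))
    for hour in (4, 5):  # attack: 500 attempts/hour over 416 IPs (~1.2 per IP)
        for i in range(500):
            k = i * 5 // 6  # index of the source IP used for this attempt
            ip = f"198.{14 + hour}.{k // 256}.{k % 256}"
            events.append((hour, ip, i % 100 == 0))  # ~1% of pairs are valid
    return events

def per_ip_flags(events, max_per_hour=5):
    """Classic rate limit: IPs exceeding max_per_hour attempts in any hour."""
    counts = Counter((hour, ip) for hour, ip, _ in events)
    return {ip for (_, ip), n in counts.items() if n > max_per_hour}

def endpoint_flags(events, factor=10, new_ip_share=0.5):
    """Endpoint-wide view: flag hours whose failed logins exceed factor x the
    median of earlier clean hours AND where most source IPs are first-seen."""
    seen, clean_failures, flagged = set(), [], []
    for hour in sorted({h for h, _, _ in events}):
        rows = [(ip, ok) for h, ip, ok in events if h == hour]
        ips = {ip for ip, _ in rows}
        failures = sum(1 for _, ok in rows if not ok)
        fresh = len(ips - seen) / len(ips)  # share of never-seen source IPs
        baseline = max(median(clean_failures), 1) if clean_failures else None
        if baseline and failures > factor * baseline and fresh > new_ip_share:
            flagged.append(hour)
        else:
            clean_failures.append(failures)  # only clean hours feed the baseline
        seen |= ips
    return flagged

if __name__ == "__main__":
    ev = build_events()
    print("per-IP rate limit flags:", per_ip_flags(ev))
    print("endpoint-wide flagged hours:", endpoint_flags(ev))
```

Excluding flagged hours from the baseline keeps a multi-hour spike from raising the threshold that is meant to catch it.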
