What does Credential Stuffing mean?

05 August 2019

Credential stuffing refers to the practice of hackers entering stolen credentials into the login pages of multiple digital services to see if they can gain unauthorised access to the accounts.

These legitimate details are usually purchased on the dark web from collections accrued during major data breaches and phishing attacks.

This type of cyber-attack relies heavily on people reusing passwords or only slightly varying them across a range of channels, regardless of account importance. To a website, these attacks appear to be the same as any other login attempt and therefore often go undetected.

The automated tools disguise hackers by making login requests appear to be from multiple devices and IP addresses to bypass standard security controls. More advanced tools can even defeat captcha and multifactor authentication.

With a very low success rate and the issue of how to monetise their findings, hackers must be prepared to play the long game for a significant pay day.

Credential theft can result in multiple benefits for hackers including: financial gain, free goods/services, competitor insight, a new identity, and the data needed to facilitate other cyber attacks.

For the victim, however, a credential stuffing attack could negatively impact their finances, reputation, and customers’ loyalty.

Why Does It Matter?

A series of high profile data breaches over the last few years have made available for free a wealth of credentials on the dark web for malicious actors to exploit.

These well-known collections of varying black market value plus the advancement of automation tools, have sparked an upward trend of credential stuffing attacks across all industries.

Hackers are particularly fond of the following industries for their lax security, valuable data, or the social benefits they offer: retail/e-commerce, gaming, health care, higher education, financial institutions, SMEs, video streaming services, and social media.

Cybe Decoder Survey banner

The issue for companies is figuring out the delicate balance between protecting their digital services from attackers without restricting access for legitimate users and impacting the customer experience.

The first line of defence is therefore user education around regularly creating strong and unique passwords for every digital account.

While a company is in control of its own password policy, the issue of reuse is nearly impossible to enforce.

Companies should consider the benefit of making password manager tools available to employees to reduce their overall risk. Other methods of protection businesses can employ include:

  • Blacklisting offending IP addresses.
  • Regularly checking compromised credentials and prompting password changes where necessary.
  • Establishing geofences to block traffic from outside specific consumer regions.
  • Enabling multifactor authentication and captcha.
  • Rate limiting to lock users out after a set number of login attempts.
  • Regularly patching and updating threat prevention and detection software.
  • Sending emails for successful or failed login attempts.
  • Avoiding public Wi-Fi, where possible, or using VPNs for extra protection.




  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.

  • For more articles like this, download our Cyber Decoder

    Share this article

  • Get everything you need, delivered straight to your inbox.

    Sign up to receive our latest news and insights here.


Services provided in the United Kingdom by Marsh JLT Specialty, a trading name of Marsh Ltd and JLT Specialty Limited (together “MMC”). Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). JLT Specialty Ltd is a Lloyd’s Broker, authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 310428).

This is not legal advice and is intended only to highlight general issues relating to its subject matter. Whilst every effort has been made to ensure the accuracy of the content of this document, no MMC entity accepts any responsibility for any error, or omission or deficiency. The information contained within this document may not be reproduced. If you are interested in utilising the services of MMC you may be required by/under your local regulatory regime to utilise the services of a local insurance intermediary in your territory to export insurance and (re)insurance to us unless you have an exemption and should take advice in this regard.