Credential Stuffing Attacks: What They Are and How to Protect Yourself

a hacker wearing a hoodie running a credential stuffing attack
While we often see warnings about password best practices (different passwords for different services, change passwords frequently, 123456 is never a good password), we rarely get into why we need to do these things. Incremental security comes at a cost: usually convenience. Every individual must decide her personal tradeoffs. Today, we want to share one of the ways malicious actors try to take advantage of online services and poorly-crafted passwords: credential stuffing attacks.

What is a Credential Stuffing Attack?

A credential stuffing attack occurs when an attacker takes a set of stolen user credentials and automates the entry of those credentials into popular websites. Let’s unpack that:

A user name and password combination used for logging in to service x.
Breached credentials
A list of user name/password combinations that have become public in some form. As an example, an enterprising cybercriminal exploits credentials from Adobe, Coachella, Dropbox, LinkedIn, Ticketfly, Yahoo and other sites that have leaked personal information for over 500 million accounts.
Automated entry
The cybercriminal will go to the login page on service x and systematically cycle through each user name and password combination hoping to get lucky enough to find a match. Some will even go further by using one email address and cycling through all the passwords in the database — the logic being that users tend to come up with similar passwords, such as 123456 or Pa$$word$.

What is Backblaze Doing to Defend Against Credential Stuffing Attacks?

Every service of scale, including Backblaze, has defense mechanisms to inhibit this sort of activity. For instance, when you see “too many attempts, try again later,” on a popular site, what is likely happening behind the scenes is something called rate limiting. This is when a web page has a rule akin to: if there are x number of login attempts in y seconds, it’s probably a robot; we should cut them off.

The problem is balancing security with the user experience. If we limited every account to two login attempts per hour, that would hamstring the efforts of any automated attack. However, it would also impede the efforts of legitimate users who made a simple typo when they were entering their password.

Revealing our exact rate limiting policies would pose a security risk to our users, allowing the attackers to fine-tune an attack. That said, we do have rate limiting, we do constantly monitor our systems, and we also have algorithms and humans that will adjust our rate limiting depending on a number of environmental variables that our security team monitors.

The Three Steps We Tell Everyone In Our Family to Take

With the large number of data breaches over the past few years, it’s more likely than not that you’ve been exposed. If you’ve been using the same email and password combination for three years and have a Comcast account that old, you could be exposed. It’s the same story for Ticketfly accounts older than May of 2018. We mention these not to single out any particular service, but to point out how prevalent these things are.

However, if you have different passwords for every website, you effectively protect yourself from being hacked as a result of leaks like these. While that might be true, trying to remember and manage all those different combinations is cumbersome.

How to Fight Back Against Credential Stuffing

Protecting yourself from credential stuffing attacks can be as simple as adopting the following three tactics:

1 — Monitor Your Email Addresses

Troy Hunt runs a phenomenal service called He tracks major breaches and will let you know if your credentials were included in them. It’s free, although you can donate to the service. Signing up is one of the easiest ways to take control of your own security.

2 — Use Two Factor Verification

2FV, as it’s commonly called, is when you are asked for an incremental authentication — usually numbers generated by a dedicated app (including a password manager) — after you enter your password. Backblaze offers it as a complimentary service as do many other service providers. 2FV is a good defense mechanism against credential stuffing.

3 — Use a Password Manager

We highly recommend using a password manager such as Bitwarden, LastPass, or 1Password. Those services can help create new account credentials for every website you frequent, and help you manage those credentials when you visit those sites. Many people at Backblaze use these services and are quite happy with them.

One of the advantages of password managers is that they let you create passwords you can’t possibly remember. You just need to remember the master password to your password manager; they do the rest. That means you can set complicated passwords to any service. Each of the password managers integrate well into all major browsers and into Android and iOS devices. Not only will a password manager make your life secure, it makes your login experience much faster.

The Best Protection Against Credential Stuffing Is…

Of course, the best protection in the world is never being exposed in the first place. We encourage everyone to do business with vendors that can articulate how they protect their customers and have a sustained investment in doing so. At Backblaze, we’ve outlined our approach to security on our website.

All that said, the reality is we’ve all created accounts with service providers that may not have the best security practices. Even still, any website with the best intentions can still be felled by a skilled attacker, which is why the the need to protect ourselves and use credential best practices is very real. We hope, and strongly recommend, that everyone follow the three steps mentioned here.

If you have other other tips for the community, please feel free to share in the comments below!


About Ahin Thomas

Ahin enjoys writing in the third person, cookies (digital or baked), and is listening to the Matt Nathanson "Live in Paradise" album.