Bot Based Credential Stuffing

Firstly let me explain what Credential Stuffing is all about.

You will have heard of a large number of data breaches in the press where millions of user names and passwords are disclosed during the hack and posted on the dark web. Often you find people re-use passwords across various websites and services. So, if they get your Linked-In account details, the hackers may be able to re-use them on other websites and get access there. Also, knowing that passwords are re-used, cyber-criminals will try all the known and disclosed passwords, as well as established patterns such as dictionary attacks, to see which works. This is called Credential Stuffing.

The general image is that there is a hacker trying multiple passwords manually and hoping one will get them access. Anything that can be done manually can be automated. This is where what we call ‘Bots’ come in. These are effectively robotic programs that read a list of credentials and just automatically try them on a wide array of websites. Once the bot gets access it records it and then a hacker, or another bot, can proceed to login to the website and perform mischief like draining your bank account, or buying products on an online retailer in your name.

Between May 1 and December 31, 2018, there were 10,000,585,772 credential stuffing attempts in the retail industry detected on Akamai’s network. When that’s expanded to all other customer industries, Akamai detected 27,985,920,324 credential abuse attempts over eight months. That works out to more than 115 million attempts to compromise or log in to user accounts every day.

Bots can represent up to 60% of overall web traffic, but less than half of them are actually declared as bots, making tracking and blocking difficult. This dilemma is compounded by the fact that not all bots are malicious.

What can you do to combat this?

The downside is that you cannot stop Bots from doing this. The general advice is to not re-use your passwords and user names across multiple websites. I have a blog post on Password usage, which I advise you read for more information.

There is an extensive research paper that is available here if you want the full technical detail. It also publishes some useful statistics from which the shaded boxes above are taken.

Headline image provided by ShutterStock

Comments are closed.

Create a website or blog at

Up ↑

%d bloggers like this: