Credential stuffing attacks and account takeover (ATO)

Data breaches have resulted in millions of online account credentials being available for criminals to use to take over user accounts.

What are credential stuffing attacks and account takeover?

Credential stuffing attacks occur when criminals obtain website customer credentials, such as a username and password, and use large-scale automated login requests to gain unauthorized access to accounts. These attacks are common against gaming, retail, and financial services websites — or any website that has valuable personal information.

Attackers leverage large lists of credentials from data breaches and use these credentials on other websites, relying on the fact that most users have the same username and password across multiple websites. To make the process faster, attackers will use bots to test thousands of credentials to accomplish account takeover.

Related blog: Credential stuffing is the threat to your business you can't afford to ignore

LinkedIn lost 117 million emails and passwords

80 percent of hacking-related breaches still involve compromised or weak credentials

Sources: fortune.com, verizon.com


How credential stuffing and account takeover works

Attackers obtain stolen credential lists exposed in data breaches from sources like a marketplace on the dark web.

Attackers target customers using the same username and password across multiple sites using bots to try and log in with credential combinations from the stolen data.

When a login is successful, the attackers will take over the account and perform illicit activities, such as theft, fraud, or data exfiltration.
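The pattern described above (one source, many different usernames, mostly failed logins) is visible in authentication logs. The following Python is an added example, not code from this page or from Instart; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # One source tries 30 different accounts once each; one login succeeds.
    for i in range(30):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7", f"user{i}", i == 17))
    # An ordinary user mistypes a password twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=40 * i), "198.51.100.4", "alice", ok))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=20, min_fail_ratio=0.9):
    """Flag sources that try many distinct usernames, mostly failing, inside one window.

    Returns {ip: {"distinct_usernames": n, "review_accounts": [...]}}, where
    review_accounts are usernames that logged in successfully from a flagged
    source and should be treated as possibly taken over.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, _, u, _ in win}
            fail_ratio = sum(not ok for *_, ok in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                peak = max(peak, len(users))
        if peak:
            findings[ip] = {
                "distinct_usernames": peak,
                "review_accounts": sorted({u for _, _, u, ok in evs if ok}),
            }
    return findings


if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

Counting per source address misses attempts spread across many addresses, so treat this as one signal among several rather than a complete control.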



Credential stuffing attacks target accounts with the most financial value

Most credential stuffing and ATO attacks focus on websites where data or goods can be stolen and used for financial gain. Credential stuffing can also be used to break into online corporate application accounts for the purpose of data exfiltration. Recently, State Farm disclosed they had discovered a credential stuffing attack in July 2019 that affected approximately 100 million accounts.

Related blog: State Farm attack highlights account takeover and credential stuffing risks

To combat credential stuffing attacks, many websites are implementing optional two-factor authentication. Unfortunately, users constantly resist the most secure access in favor of a simpler user experience, leaving millions of user accounts vulnerable.

Related blog: The importance of leveraging endpoint data for bot mitigation

Compromised account data is a very real problem

8 billion user accounts have been compromised

770 million accounts being stolen is the largest breach on record

400+ websites have experienced data breaches to date

Sources: haveibeenpwned.com


Your customers need to be protected — from themselves

Regardless of the warnings, 51 percent of people still reuse passwords across web apps. And while data breaches keep happening, account takeover attacks will continue to be a successful vector to gain access to valuable data, virtual goods, and other items of criminal value.

Given the wealth of stolen data and automated tools available around the web, it is remarkably easy to perform an account takeover or credential stuffing attack. And the disturbing reality is that there is no way to predict an attack — the only defense is preemptive prevention.

Our solution

People reuse passwords, but that doesn’t mean your site has to be vulnerable

Credential stuffing attacks and ATO utilize sophisticated bots to automate login attempts. These bots are extremely difficult to detect because their behavior mimics regular user activity, oftentimes clicking on multiple pages, moving down a page, and only then navigating to a login screen.

Instart offers industry-leading protection against bot activity with technology that collects signals across both the client and server to validate users and their browsers to ensure that the visitor is indeed human. Instart leverages its unique Nanovisor technology to protect against credential stuffing attacks, account takeover, inventory holding, and many other bot-based malicious activities.