Credential Stuffing & Threat Intelligence: Understanding The Connection


What is a Credential Stuffing Attack?

A credential stuffing attack is a cyberattack in which a hacker obtains users' personally identifiable information (PII), such as usernames and passwords, and then attempts to access other systems with those credentials. The premise behind credential stuffing is that users reuse the same password and user ID across multiple platforms. With the technology landscape advancing almost daily, these attacks are becoming steadily more sophisticated, making detection, investigation, and credential stuffing mitigation difficult.

The Process

As hackers become increasingly seasoned, their methods are getting more challenging to detect and mitigate. Even inexperienced hackers can use low-priced third-party software to assist them in their hack. As Figure 1 shows, the method of credential stuffing depends highly on the attacker’s skill level.


Figure 1: The method of credential stuffing depends on the attacker’s skill level.  Source: Shape Security

Advanced Hackers

Experienced hackers generally write custom scripts to make the attack more difficult to detect. As shown in Figure 1, advanced attackers will incorporate a testing step into their hack. This involves testing their software to see if the hack will yield successful credentials. From here, they will determine if their script needs to be changed.

Script Kiddie

This level of hacking differs from that of advanced hackers only in the development stage. Instead of developing and customizing a script on their own, script kiddies leverage “bruters”, software that performs the credential stuffing attack, or “checkers”, which can be added to the end of a script automatically.

Fraudster N00bs

Hackers that are newer to the game will generally use account checker services to carry out their credential stuffing attacks. An account checker service will use software to test a list of credentials so the hacker is only left with validated usernames and passwords, charged at a rate of approximately 2 cents per successful credential.

While one might think these services are found hidden in the Dark Web, this type of software can generally be found on the Surface Web by simply searching “target company” and “account checker”.

Take Over Accounts

After the attack has been completed, the hacker has taken over the accounts. While each breach is unique in its own way, hackers will generally steal the stored information or abuse the credit card information, leverage the information to commit another type of fraud, such as applying for credit cards in the victims’ names, and then sell the list of credentials.

No Immunity

According to a report from Shape Security, there were 51 reported credential stuffing attacks in 2017 with more than 2.3 billion credentials spilled. With the advanced capabilities of hackers, it is no longer a matter of if your company will get hacked, but rather when. 


Yahoo notoriously fell victim to not one but two data breaches in which usernames, passwords, phone numbers, and other PII were accessed. The first breach occurred in 2013, affecting 3 billion accounts, and the second happened in 2014, affecting 500 million accounts. Neither attack was disclosed until 2016, and the final numbers of accounts affected were not released until 2017.

The effects of the two Yahoo credential stuffing attacks go far beyond the $50 million settlement they were required to pay in 2018. Not only was Yahoo responsible for paying for two years of credit-monitoring and identity theft protection insurance for 200 million people, but they also offered a 25% refund to Premium Yahoo account holders and accrued $35 million in lawyer fees. 

In the midst of Yahoo disclosing it had discovered two data breaches, Verizon was planning to acquire Yahoo’s core internet business. After learning of these breaches, Verizon requested a billion-dollar discount on their deal and the two companies came to an agreement that it would be $350 million less than the original offer of $4.8 billion. 

Moral of the story – the Yahoo data breaches had a detrimental effect on their customers and brand reputation, vendors and acquisitions, and monetary resources.

State Farm

Another, more recent credential stuffing attack involved the well-known property and casualty insurance company State Farm. The breach was discovered on July 6th, 2019, but the number of accounts accessed has yet to be released.

In the case of State Farm, the list of user IDs and passwords was obtained from an external source, most likely the Dark Web. While the rest of the repercussions of the attack are still unfolding, the case shows that the effects of a breach do not stop after detection. In order to mitigate the effects of a data breach, companies should be equipped with the tools to monitor brand reputation, customer satisfaction and other threats that arise from a credential stuffing attack.

How Threat Intelligence Can Help

In 2017, the average time for a credential stuffing attack to be discovered and reported was 15 months. The longer the credential abuse continues, the longer the bad actor has to gather credentials, filter out the successful credentials, abuse the information, and sell the data.

Relying on your customers to correctly manage their passwords without any corporate security measures in place is a high-risk practice. It is essential that you equip your security team with the proper tools for better detection and credential stuffing mitigation.
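As an added example (not from the original article or from Media Sonar), the sketch below shows one basic detection a security team can run on its own login logs: a credential checker tests many different accounts once or twice each and mostly fails, which separates it from brute forcing a single account and from ordinary users. The log format, field names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = "\n".join(
    # One source, eight different accounts, one try each, a single hit (user5).
    [f"2024-01-01T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} "
     f"result={'ok' if i == 5 else 'fail'}" for i in range(8)]
    # One source guessing repeatedly at one account: brute force, not stuffing.
    + [f"2024-01-01T10:05:{i:02d}Z ip=198.51.100.20 user=admin result=fail"
       for i in range(6)]
    # An ordinary user who mistypes once, then logs in.
    + ["2024-01-01T10:07:00Z ip=192.0.2.15 user=bob result=fail",
       "2024-01-01T10:07:09Z ip=192.0.2.15 user=bob result=ok"]
)

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(ok|fail)$")


def find_checker_sources(log_text, min_users=5, max_tries_per_user=2.0,
                         max_success_rate=0.3):
    """Return {ip: [accounts that logged in]} for sources that behave like
    a credential checker: many accounts, few tries each, mostly failures."""
    stats = defaultdict(lambda: {"tries": 0, "users": set(), "ok": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        ip, user, result = m.groups()
        stats[ip]["tries"] += 1
        stats[ip]["users"].add(user)
        if result == "ok":
            stats[ip]["ok"].add(user)

    flagged = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        if (n_users >= min_users
                and s["tries"] / n_users <= max_tries_per_user
                and len(s["ok"]) / n_users <= max_success_rate):
            # Accounts that succeeded from this source hold valid leaked
            # credentials and are candidates for a forced password reset.
            flagged[ip] = sorted(s["ok"])
    return flagged


if __name__ == "__main__":
    print(find_checker_sources(SAMPLE_LOG))
```

Grouping by source IP is the simplest key; the same counting can be applied per user agent or network block when attempts are spread across many addresses.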

Advanced Filters

Having access to a large amount of data is important, but understanding how to properly filter the data can make or break your investigation. There is a difference between threat data and threat intelligence, and proper filtering techniques can help distinguish between the two. With advanced filtering tools, users are able to distill information down to only be notified of relevant risks. 

Media Sonar provides advanced search filtering capabilities and streamlined workflows to allow security teams to perform their investigations in 75% less time. Not only will you gain access to the Surface, Deep and Dark Web but also be given these filtering options to be directed to relevant risks for more efficient detection and mitigation. 

Dark Web Threat Intelligence

In order to thrive in the hacking space, advanced hackers must rely on their positive reputation.

Inexperienced hackers will often hire credential stuffing experts to write their scripts. Where do these people go to find these experts? Forums and Dark Web Marketplaces. This provides investigators with the opportunity to proactively search these online environments to detect mentions of your corporation in tandem with data breach intentions. On the reactive side, searching the Dark Web can be used to detect the sale of stolen credentials after a breach has occurred.

Media Sonar allows users to safely and anonymously search the Dark Web to ensure they are being directed to the correct information, without the associated risks of being on the Dark Web. 

To learn more about how Dark Web Markets affect corporate security, download the Impact of Dark Web Markets whitepaper.

Figure 2: Media Sonar’s Dark Web module uncovering hacking services offered online.

Brand Reputation

Once the world catches wind of a company falling victim to a data breach, their brand reputation will immediately suffer. Consumers are becoming more and more concerned with security measures that companies take and often incorporate that into their purchasing decision. In fact, a study from the Capgemini Group found that 77% of consumers believe that cybersecurity and data privacy is the third most important factor when selecting a retailer, even outranking discounts and low prices. 

With Media Sonar, companies can monitor online sentiment and mentions of their brand to manage their brand reputation. Having access to over 100,000 sources paired with advanced filtering options will allow your security team to monitor discussions and get on top of negative sentiment in a fraction of the time. 

Get free access to “How to Use OSINT to Protect Your Brand & Mitigate Damage” to identify primary OSINT sources & how you can use open source intelligence for brand protection and cybercrime investigation.
