Credential Stuffing
Credential stuffing is an automated attack in which attackers try stolen username-password combinations obtained from data breaches on other services—exploiting the habit of reusing the same password across multiple accounts.
Credential stuffing exploits a simple human error: the reuse of passwords. If a data breach at Service A reveals the combination nutzer@firma.de : Password123, attackers automatically try this combination on hundreds of other services (email, banking, Office 365, VPN).
Difference from Brute Force
| | Credential Stuffing | Brute Force |
|---|---|---|
| Input Data | Real stolen credentials | Randomly generated combinations |
| Success Rate | 0.1–2% | <0.001% |
| Detection | More difficult (real credentials) | Easier (many failed attempts) |
Scope of the Problem
According to Troy Hunt’s HaveIBeenPwned database, over 14 billion unique credential pairs are in circulation. Specialized underground marketplaces sell up-to-date combo lists (username:password pairs compiled from breaches) for just a few dollars.
Protective Measures
For Users:
- Unique password for every service (password manager!)
- Enable MFA – credential stuffing fails due to a second factor
For businesses:
- Require MFA for all employee accounts
- Monitor for unusual login patterns (multiple logins from new IPs, rate limiting)
- Use the HIBP Enterprise API to regularly check for compromised corporate email accounts
- Password blacklists: Block known stolen passwords during setup
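The two business-side controls that are easiest to automate are the login-pattern monitoring and the password blacklist. The following Python is an added example written for this page, not code from HaveIBeenPwned or any product: it parses a constructed authentication log, flags source IPs that try many distinct usernames in a short window with a low success rate (the signature that distinguishes credential stuffing from a single-user brute force), and checks a candidate password against a breach list using the same k-anonymity scheme the HIBP Pwned Passwords range API uses (only the first five hex characters of the SHA-1 hash leave the client). The log lines, IP addresses and the breached-password list are all constructed for the example; `RANGE_TABLE` is a local stand-in for the remote service.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Format: ISO timestamp, source IP, username, outcome (OK/FAIL).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 carol@example.com OK
2024-05-01T10:00:08Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:10Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:12Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.4 alice@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.4 alice@example.com OK
2024-05-01T10:02:00Z 192.0.2.9 bob@example.com FAIL
2024-05-01T10:02:05Z 192.0.2.9 bob@example.com FAIL
2024-05-01T10:02:09Z 192.0.2.9 bob@example.com FAIL
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_rate=0.2):
    """Flag IPs that cycle through many usernames with mostly failed logins.

    A single user failing repeatedly from one IP is a brute-force or a
    forgotten password; many *different* users from one IP with a low
    success rate is the credential-stuffing pattern. Returns a dict of
    ip -> stats for the widest offending window found per IP.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["ok"])
            if (len(users) >= min_distinct_users
                    and successes / len(span) <= max_success_rate):
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span),
                                   "successes": successes}
    return flagged


def build_range_table(breached_passwords):
    """Build a local stand-in for the HIBP range API from a breach list.

    The real service is keyed by the first 5 hex chars of the SHA-1 and
    returns the remaining 35 chars plus a prevalence count for each match.
    """
    table = defaultdict(list)
    for pw, count in breached_passwords.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        table[digest[:5]].append((digest[5:], count))
    return table


# Constructed breach list; counts are invented prevalence figures.
RANGE_TABLE = build_range_table({
    "Password123": 123456,
    "qwerty": 3800000,
    "letmein": 250000,
})


def password_is_breached(password, range_table):
    """Return the breach count for `password`, or 0 if it is not listed.

    Only `prefix` would be sent to the remote service; the full hash
    comparison happens locally, so the password itself never leaves.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_table.get(prefix, []):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
    print(password_is_breached("Password123", RANGE_TABLE))
```

In the constructed log, only `203.0.113.7` is flagged: six different usernames in eleven seconds with one success. The user who mistyped once from `198.51.100.4` and the repeated failures for a single account from `192.0.2.9` are left alone, which is the distinction the table above draws between stuffing and brute force. The blacklist check should run at password creation and reset time; in production the local `RANGE_TABLE` would be replaced by a lookup of the 5-character prefix against the Pwned Passwords range endpoint, with the suffix comparison kept on your side.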