It is human nature to keep things as simple as possible. It is therefore not unusual for users to reuse the same email address, username, and the simplest and weakest password combinations across multiple sites. This practice makes an attacker's job easy, because a single set of credentials can unlock numerous accounts.
Attackers obtain credentials that were stolen and leaked in previous breaches. These stolen credentials can be found on the dark web, in marketplaces, and on forums.
The strategy behind a credential stuffing attack is very straightforward. The attacker takes a list of email address, username, and password combinations and tries to "stuff" those credentials into the login pages of other websites and services of interest. The list can range from a few hundred to one million usernames and passwords. The attacker(s) launch the credential stuffing attack through botnets and an automated script that cycles through the obtained usernames and passwords against multiple websites.
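Because a stuffing run replays a credential list rather than retrying one user's password, it leaves a distinctive trace in authentication logs: one source touching many different accounts in a short time with almost all attempts failing, and, when the list is spread over a botnet, a site-wide jump in the number of distinct accounts that fail in the same window. The detector below is an added example, not code from the original article; the log format, the sample log lines and the IP addresses are constructed for illustration, and the thresholds are assumptions to be tuned against a site's own baseline.

```python
"""Detect credential-stuffing patterns in authentication logs.

Constructed log format (an assumption for this example), one event per line:
    <ISO timestamp> <client_ip> LOGIN <username> <SUCCESS|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LOG_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (SUCCESS|FAIL)$")

# Constructed sample: 203.0.113.9 replays a credential list against eight
# accounts and gets one hit; 198.51.100.7 is a real user who mistypes twice;
# 192.0.2.55 is an ordinary successful login.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.9 LOGIN alice FAIL
2024-05-01T10:00:01 203.0.113.9 LOGIN bob FAIL
2024-05-01T10:00:02 203.0.113.9 LOGIN carol SUCCESS
2024-05-01T10:00:03 203.0.113.9 LOGIN dave FAIL
2024-05-01T10:00:04 203.0.113.9 LOGIN erin FAIL
2024-05-01T10:00:05 203.0.113.9 LOGIN frank FAIL
2024-05-01T10:00:06 203.0.113.9 LOGIN grace FAIL
2024-05-01T10:00:07 203.0.113.9 LOGIN heidi FAIL
2024-05-01T10:00:10 198.51.100.7 LOGIN alice FAIL
2024-05-01T10:00:20 198.51.100.7 LOGIN alice FAIL
2024-05-01T10:00:35 198.51.100.7 LOGIN alice SUCCESS
2024-05-01T10:01:00 192.0.2.55 LOGIN bob SUCCESS
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events, silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append(Event(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events: List[Event], window: timedelta = timedelta(minutes=5),
                          min_distinct_users: int = 5,
                          max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Per-source sliding window: flag an IP that tries many distinct accounts
    in `window` with a low success ratio. Returns the worst window seen per IP
    plus the accounts that succeeded from it (candidates for forced reset)."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:   # drop events older than window
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            successes = sum(e.ok for e in span)
            if len(users) >= min_distinct_users and successes / len(span) <= max_success_ratio:
                rec = flagged.setdefault(ip, {"distinct_users": 0, "attempts": 0, "compromised": set()})
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                rec["attempts"] = max(rec["attempts"], len(span))
                rec["compromised"] |= {e.user for e in span if e.ok}
    return flagged


def peak_distinct_failing_users(events: List[Event], window: timedelta = timedelta(minutes=5)) -> int:
    """Site-wide signal for botnet-distributed stuffing, which keeps each IP
    under per-source thresholds: the most distinct accounts that failed a
    login inside any single `window`, regardless of source IP."""
    fails = sorted((e for e in events if not e.ok), key=lambda e: e.ts)
    peak, start = 0, 0
    for end, ev in enumerate(fails):
        while ev.ts - fails[start].ts > window:
            start += 1
        peak = max(peak, len({e.user for e in fails[start:end + 1]}))
    return peak


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, rec in find_stuffing_sources(evs).items():
        print(f"{ip}: {rec['distinct_users']} accounts in {rec['attempts']} attempts, "
              f"successful logins on {sorted(rec['compromised'])}")
    print("peak distinct failing accounts in any 5-minute window:", peak_distinct_failing_users(evs))
```

On the sample, only 203.0.113.9 is flagged (eight accounts, one success on `carol`), while the genuine user retrying one account is not; the site-wide count peaks at seven distinct failing accounts. In production the per-IP thresholds catch the simple case and the aggregate count, compared against the site's normal failure baseline, catches the distributed one; successful logins inside a flagged window are the accounts to step up or reset.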
Because reused and weak passwords are so common, a credential stuffing attack can always be expected to reach a 1-2 percent success rate for account takeovers.
Once attackers have gained access to user accounts, they can monetize the credential stuffing attack by stealing more personal data, gift card balances, credit card numbers, and more. This increased access to information makes the credential stuffing attack even more worthwhile.