What Is Credential Stuffing
Credential stuffing is an attack technique that involves automatically testing large sets of stolen login-password pairs against login pages of various services. Attackers assume (correctly) that many users reuse the same passwords across different services.
In the context of e-commerce, this is particularly dangerous because a compromised customer account provides access to:
- Saved payment methods and card data
- Order history and personal information
- Loyalty points and vouchers
- The ability to place orders at the victim’s expense
The scale of the problem is enormous — in 2025, over 193 billion credential stuffing attempts were recorded globally, with 40% targeting e-commerce platforms. The success rate is 0.1-2%, which with millions of attempts means thousands of compromised accounts.
How a Credential Stuffing Attack on an Online Store Works
Step 1: Acquiring Databases
The attacker purchases stolen login and password databases on the dark web. The average price is $1-50 per million records. Sources include breaches from other services — LinkedIn, Adobe, Yahoo, and thousands of smaller platforms.
Step 2: Infrastructure Preparation
The attacker configures a network of bots distributed across thousands of IP addresses (often using residential proxy networks). The bots simulate real browser behavior to bypass simple protections.
Step 3: Automated Testing
Tools like SentryMBA, OpenBullet, or custom scripts test thousands of login-password combinations per minute. Each request looks like a normal login attempt.
Step 4: Exploitation
Successful logins are collected and sold as “verified accounts.” The price for an e-commerce account with a saved card is $5-100 on the dark web.
Why Traditional Protections Are Not Enough
Credential stuffing bypasses many standard defenses:
- Per-IP login attempt limits — bots use thousands of IP addresses (residential proxies)
- CAPTCHA — CAPTCHA-solving services cost $1-3 per 1,000 solutions
- Geolocation blocking — residential proxies have IPs from the same country as customers
- Speed monitoring — bots are configured with random delays between requests
The core problem is that each individual request looks like a legitimate login attempt. There is no malicious payload, no exploit — it is simply entering a valid login and password.
Effective Protection Methods Against Credential Stuffing
Protection requires a multi-layered approach:
Multi-Factor Authentication (MFA)
Multi-factor authentication is the most effective defense — even if the attacker has a valid password, they cannot log in without the second factor. The challenge: how to implement MFA in a store without degrading conversion? The solution is risk-based MFA — requiring the second factor only for suspicious logins.
Bot Detection
Advanced solutions analyze behavioral fingerprinting: mouse movements, typing patterns, and the time between actions. A bot, even on a residential proxy, has a different behavioral profile than a human.
Breach Monitoring
Integration with breach monitoring services (the Have I Been Pwned API) lets the store proactively force password changes for customers whose data appears in a new breach.
WAF with Anti-Bot Rules
A Web Application Firewall with an anti-bot module analyzes traffic patterns and blocks suspicious sessions before they reach the login page.
Rate Limiting and Throttling
Advanced rate limiting keys on more than the source IP: it also considers the device fingerprint, the ASN, and behavioral patterns, so that attempts spread across a residential proxy network are still counted together.
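The risk-based MFA decision and the multi-dimensional rate limiting described above, as an added example that is not part of the original article: a sliding-window login scorer keyed on IP, device fingerprint, ASN and username that returns allow, mfa or block for each attempt, so a valid stolen password coming from a proxy ASN that is spraying many accounts still meets a second factor. The thresholds, the constructed traffic in demo() and the enroll_device hook (called once a second factor succeeds) are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Attempt:
    ts: float       # epoch seconds
    user: str
    ip: str
    asn: str        # autonomous system of the source IP (proxy providers cluster here)
    fp: str         # device fingerprint
    success: bool   # did the submitted password match?

class LoginRiskScorer:
    """Sliding-window login monitor keyed on IP, device fingerprint, ASN and username.
    decide() returns "allow", "mfa" (step up to a second factor) or "block". Thresholds are illustrative."""
    def __init__(self, window=600, ip_fail=10, fp_fail=10, asn_users=50, user_ips=5):
        self.window, self.ip_fail, self.fp_fail = window, ip_fail, fp_fail
        self.asn_users, self.user_ips = asn_users, user_ips
        self.events = defaultdict(deque)       # (dimension, key) -> (ts, user, ip, success)
        self.known_devices = defaultdict(set)  # user -> fingerprints that passed MFA before
    def _recent(self, dim, key, now):
        dq = self.events[(dim, key)]
        while dq and dq[0][0] < now - self.window:   # drop events outside the window
            dq.popleft()
        return dq
    def enroll_device(self, user, fp):
        self.known_devices[user].add(fp)   # hypothetical hook: call once the second factor succeeds
    def decide(self, a):
        ip_fail = sum(1 for e in self._recent("ip", a.ip, a.ts) if not e[3])
        fp_fail = sum(1 for e in self._recent("fp", a.fp, a.ts) if not e[3])
        asn_users = len({e[1] for e in self._recent("asn", a.asn, a.ts)})
        user_ips = len({e[2] for e in self._recent("user", a.user, a.ts)})
        new_device = a.success and a.fp not in self.known_devices[a.user]
        for dim, key in (("ip", a.ip), ("fp", a.fp), ("asn", a.asn), ("user", a.user)):
            self.events[(dim, key)].append((a.ts, a.user, a.ip, a.success))
        if ip_fail >= self.ip_fail or fp_fail >= self.fp_fail:
            return "block"   # many failures from one source: hard stop
        if asn_users >= self.asn_users or user_ips >= self.user_ips or new_device:
            return "mfa"     # distributed or unfamiliar context: a valid password is not enough
        return "allow"

def demo():
    """Constructed traffic: 25 stolen pairs sprayed from one residential-proxy ASN, then a hit."""
    s, out = LoginRiskScorer(asn_users=20), {}
    for i in range(25):
        out[f"spray{i}"] = s.decide(Attempt(i, f"cust{i}@example.com", f"203.0.113.{i}", "AS64500", f"bot{i}", False))
    out["hit"] = s.decide(Attempt(30, "victim@example.com", "203.0.113.99", "AS64500", "bot99", True))
    s.enroll_device("alice@example.com", "alice-laptop")
    out["alice"] = s.decide(Attempt(31, "alice@example.com", "198.51.100.7", "AS64501", "alice-laptop", True))
    return out
```

In demo(), the first 20 sprayed attempts pass through unchallenged (each fails on its own), the ASN then trips the distinct-username threshold, and the one valid pair is answered with a step-up rather than a session, while the known customer on an unrelated ASN is not challenged.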
Business Impact of Credential Stuffing on E-commerce
The consequences of a successful credential stuffing attack extend far beyond compromised accounts:
Financial losses:
- Chargebacks from unauthorized transactions ($15-25 per chargeback + order value)
- Customer support costs (account recovery, explanations)
- Loss of loyalty points and vouchers
Loss of trust:
- Customers whose accounts were compromised rarely return to the store
- Negative reviews and social media attention
- Brand reputation damage
Legal consequences:
- GDPR violations — fines up to 4% of annual turnover
- PCI DSS violations if card data was compromised
- Class action lawsuits from affected customers
Infrastructure costs:
- Credential stuffing generates massive traffic — up to 90% of login attempts may come from bots, overloading servers and increasing infrastructure costs.
How nFlo Helps Protect E-commerce Against Credential Stuffing
Our Security Operations Center services include 24/7 login attempt monitoring with anomaly detection. As part of penetration testing, we verify platform resilience against credential stuffing, testing WAF configuration, rate limiting, and bot detection mechanisms.
We recommend starting with a security audit of the e-commerce platform, which will identify gaps in login and authentication security. Based on the results, we prepare a security implementation roadmap, prioritized by risk and budget.