Published: 18/11/2020

Bad Bots 101: Credential Stuffing

  • Netacea, Agentless Bot Management

3 minutes read

In our webinar Bad Bots 101: Credential Stuffing Action, we discuss why these attacks are so difficult for businesses to detect and stop. In today’s blog, we cover some of the salient points explored in the webinar by Netacea’s Head of eCommerce Tom Platt, including the common techniques used by sophisticated bad bots to evade traditional methods of detection.

What is bot traffic?

Bot traffic is described as any non-human traffic. Bot traffic is usually viewed as being negative, however not all bots are bad. There’s good bot traffic such as search engine bots and bad bots such as web scrapers and spam bots.

On average, 50% of web traffic is generated by bots, and 9 out of 10 login attempts are made by malicious bots. When bots are this prevalent, it is important for all businesses to fully understand what bot traffic is.

OWASP provides an industry guideline for bots. They categorise bots and different types of attacks, however there’s no framework on how to deal with bots. Without the right expertise at hand, it’s challenging for businesses to know how to tackle bots.

Credential stuffing in action

Credential stuffing is the testing of stolen usernames and passwords against website login forms. Usernames and passwords are breached on one website and validated on another. Once a match is found, the attacker can easily commit various types of fraud or sell the credentials for a profit.
Tom said:

“This attack exploits the tendency for consumers to reuse their passwords across multiple platforms.”

The attacker will test lots of credentials during this attack as they attempt to access new accounts using previously leaked credentials.


Credit card information can be used when credentials are stolen in a database breach.
In the attack depicted in fig. 1, there were 308k card validation attempts in​ 24-hour period.

In fig. 2,  a username and password combination attack, there were 27M login attempts made over a 67-hour sustained attack.


Hackers use tools to target a website and launch a credential stuffing attack using automation software. These tools aren’t hard to find and are usually free, which makes it simpler for malicious actors to gain unauthorised access to accounts.

Credential lists, or combo lists, have been published online holding massive amounts of breached customers’ usernames and passwords. The more people reuse the same passwords, the more rewarding it is to carry out a credential stuffing attack.

If we’ve piqued your interest, watch the webinar on-demand to see just how easy it is for attackers to access data dumps and carry out credential stuffing attacks.


Don’t reuse passwords​Credential stuffing attacks rely on people using the same password or similar passwords for multiple accounts. Password managers can help with this, so you no longer need to remember so many different passwords.

Change passwords periodically​

Regularly resetting passwords is an essential part of keeping your account safe. Along with using a different password for each account.

​If you’re concerned about credential stuffing attacks targeting your business, sign-up today for your bot audit and take your first step towards an effective bot management strategy​.

  • ​Attain complete visibility of bot traffic to your website, mobile app & APIs​
  • Understand the intent of your website traffic with a summary of bot vs. human traffic​
  • Get started with no implementation required

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.