Published: 01/07/2020

Uncovering Bots in eCommerce: The Impact of Credential Stuffing

  • Netacea, Agentless Bot Management

2 minutes read

What is credential stuffing?

Credential stuffing is one of the most common forms of online crime, it is the act of testing stolen passwords and usernames against website login forms, to validate the credentials for malicious reuse. Once a match is found, the attacker can easily commit various types of fraud.

When credentials are stolen through a database breach, malware, or other means, they are kept for use in future attacks against many different targets. Many of these lists are shared privately amongst attackers or become publicly available.

Scott said: “Attackers are innovative, they are always thinking of new ways they can monetise breached accounts.”

There are several common signs that bot activity has occurred, such as the number of login attempts and failures from unusual locations, uncommon traffic patterns and speed.

What fuels credential stuffing?

Credential stuffing is an ever-growing problem, in the UK alone 53% of all fraud committed is online. These types of attacks are becoming ever cheaper to conduct.

Bot tooling and automation software can be free to use, making it easier for automated credential stuffing attacks. In some cases, attackers can gain something for nothing. Scott said: “You could potentially stage a credential stuffing attack for free.”

Whilst credential stuffing has likely been around for quite some time, large collections of credentials have been made public over the last few years, make it easier for attackers to start partaking in credential stuffing for minimal effort.

How does credential stuffing affect eCommerce?

Credential stuffing is easy to perform, so its popularity with cybercriminals will continue to increase with time

We know that cybercriminals take over accounts and perpetrate a fraud on eCommerce companies and their customers. When a business suffers from stolen credentials, it can cost them severely, with attackers able to make illegal purchases, claim existing rewards or loyalty points and acquire personally identifiable information (PII).

It is vital that credential stuffing attacks are stopped to protect eCommerce websites from fines and chargebacks while securing customers against the threat of data breaches.

If you missed our live webinar, you can still watch it on-demand: Uncovering bots in eCommerce.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.