AKA Account Takeover, Credential Testing, Account Hijacking, Password Checking, Password List Attack
Shape finds compromised credentials in real-time, identifies botnets, and blocks simulation software.
On average, one million usernames and passwords are reported spilled or stolen every day. Attackers acquire credentials in many ways, from discovering misconfigured databases to infecting users’ devices with malware.
According to Shape analysis, 0.5%-2% of any breached credential list will be valid on a targeted website or mobile app.
Attackers route their login requests through proxy servers to avoid IP blacklists and other forms of detection. Criminals can purchase access to proxy services from bot herders on dark web forums for $2-$8 per hour.
Across Shape’s customer network, an IP address is typically used just two times per credential stuffing attack.
Finally, attackers use bots, or computer programs, to automatically test the list of breached credentials. Attackers often purchase toolkits on the dark web, such as CAPTCHA solvers or anti-fingerprinting scripts, to help counteract existing defenses.
Credential Stuffing using Python & Selenium
VP of Shape Intelligence demonstrates techniques attackers leverage to imitate users.