The US Federal Bureau of Investigation (FBI) is warning organizations in the financial sector about an increase in botnet-launched credential stuffing attacks.  Many of these attacks, which target APIs, are being fed by billions of stolen credentials leaked over the last several years. 


Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.  Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords.  The attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS, or tools designed specifically for these types of attacks such as Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet.

The FBI says 41 percent of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the theft of millions of dollars.  The FBI Private Industry Notification says greater use of botnets enables cybercriminals and fraudsters to quickly hit many targets in search of finding credentials that work.    “Although most credential stuffing attacks have low success rates, cyber actors' use of botnets to conduct a massive scale of automated login attempts in a short timeframe enabled them to discover multiple valid credential pairs," according to the FBI bulletin, which has been published online.[1]

In July 2020, security firm Digital Shadows reported that about 5 billion unique user credentials were circulating on darknet forums.  The reuse of passwords and the lack of multifactor authentication (MFA) pave the way for credential stuffing attacks.  “Credential stuffing has become quite easy to perform and many financial institutions are losing small amounts across a broad base of customers," says Chris Pierson, CEO, and founder of security firm BlackCloak.  Many bank customers simply ignore the advice to adopt MFA, leaving their accounts, and the banks open to attack.

A study published in June 2020 by researchers at Carnegie Mellon University found that even after being notified that their data has been compromised in a breach, only about a third of users change their passwords.  "BlackCloak's cyber analysts ... have found that 68 percent of all corporate executives it protects were using the same passwords, keeping passwords in little notebooks or on their phones/computers insecurely, and not informed on which passwords were compromised," Pierson says.

Brandon Hoffman, CISO at the cybersecurity firm Netenrich, says the easiest way to stop brute force attacks is by "placing controls in the application or network layer to detect them and block them.  Usually, this comes in the form of a web application firewall, but it can also be as simple as limiting login attempts."

In the majority of credential stuffing attack, cybercriminals or fraudsters obtain usernames and passwords that have been compromised through earlier breaches and then use botnets to try to match these credentials against existing bank accounts, the FBI notes.  "Credential stuffing, just like most parts of the cybercrime marketplace, can be consumed as a service. This means the malware to obtain credentials can be used as a service. The credentials can simply be bought and put into credential stuffing services that are consumed peruse or based on attack parameters," Hoffman says.

Pierson adds, "The problem of credential stuffing has reached epidemic proportions. Cybercriminals no longer must resort to phishing emails to get credentials.  All they have to do is try a username, usually the email address they see on the dark web, and any exposed password they can find."

Jim McKee, CEO of Red Sky Alliance stated in October 2020, “Does your organization have Username and Password combinations available on the Dark Web?  Red Sky Alliance’s RedXray service can show you in seconds without a network connection software to download or a network appliance.  Can you afford to not know.”

The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks.   Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company-wide. (Read MFA)
  • Join and become active in your local Infragard chapter, there is no charge for membership.
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cybersecurity software, services, and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network. 
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

Articles about the cyber threat groups mentioned in this report can be found at    There is no charge for access to these reports.

Our services can help protect with attacks such as these.  We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or    



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance