12/20/2024

Anatomy of a 6-day Credential Stuffing Attack From 2.2M Residential IPs

Security Boulevard

In this article, we cover the details of a heavily distributed credential-stuffing attack that targeted a major US financial service company (spoiler: there were some pretty clear signs of device spoofing, as you'll see below). By the end of the bot attack, which lasted 6 days, Castle blocked more than 11.8M malicious login attempts.

Credential stuffing attack metrics

• Date: from December 7th around ~3 am UTC lasted until December 13th 0:30am UTC
• Attack duration: 6 days
• Endpoint targeted: login
• Type of attack: credential stuffing
• Volume of requests: 11,804,332 malicious login events
• Maximum velocity: 208k login events per hour
• Number of IPs involved: 2,217,488 IP addresses

Credential stuffing attack overview

As a reminder, credential stuffing is the act of trying large amounts of stolen credentials with the purpose of gaining unauthorized access to accounts (account takeover). The attacker made 11,804,332 login attempts over more than 6 days, and the attack reached a spike of a whopping 208k login attempts per hour on December 10th. For reference, the regular login volume is about 10k per hour.