Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

Creedential stuffing attacks, also called account cracking, involve trying to access online accounts using username and password combinations from existing data leaks or which were purchased on dark web portals.

Relying on the fact that users often reuse the same logins for multiple accounts, credential stuffing attacks often lead to significant financial losses caused by fraudulent purchases and system downtime and remediation, but also result in reputational damage.

The use of valid credentials allows cybercriminals to access accounts and services across a variety of industries, including media companies, healthcare, retail chains, restaurant groups, and food delivery firms.  

Once accounts are compromised, the attackers make fraudulent purchases of goods and services, and also attempt to access additional online resources, including financial accounts, the FBI said in an advisory [PDF].

Proxies and configurations, the Bureau warns, allow cybercriminals to automate the brute-forcing and exploitation of accounts.

[ READ: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ]

“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the FBI said.

The agency warned that cybercriminals can purchase ‘combo lists’ of usernames and passwords from dedicated forums and websites, along with configurations or ‘configs’, which allow them to customize credential stuffing tools for specific targets.

The config may include the website’s address, HTTP request format, how to recognize successful attempts, whether proxies are required, and the like. The FBI also warns that cybercriminals can access video tutorials to learn how credential stuffing can be used to crack accounts.

Working with the Australian Federal Police, the FBI said it identified two websites selling more than 300,000 unique sets of credentials to more than over 175,000 registered customers.

To bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers.

[ READ: Why Are Users Ignoring Multi-Factor Authentication? ]

“In some instances, actors conduct credential stuffing attacks without the use of proxies, requiring less time and financial resources to execute. Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies,” the FBI added.

In some observed attacks, a company’s mobile applications are also targeted, as they often have weaker security protocols and may permit a higher rate of login attempts. Using packet capture software, the attackers learn about the authentication mechanism employed by the target, and then create custom configurations for credential stuffing activities.

To mitigate such attacks, the FBI recommends that organizations enable multi-factor authentication (MFA), educate users on good password hygiene, use fingerprinting to detect unusual activity, implement shadow banning (limiting user access), use strong security protocols in mobile applications, check online for configurations tailored for their websites and for compromised user credentials, and employ cloud protection services.

Related: NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

Related: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack

Related: Credential Stuffing: a Successful and Growing Attack Methodology

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.