Triskele Labs Blog

Credential stuffing attacks targeting Australian retailers

Written by Joel D'Souza | May 19, 2025 7:18:52 AM

Published: 19 May 2025

Prepared by: Joel D'Souza, Technical Customer Success Manager

Purpose

The Triskele Labs DFIR team is aware of active threat actor campaigns targeting several Australian retailers through credential stuffing attacks. The purpose of this alert is to describe this attack vector and the technical controls that can be employed to mitigate it.

Details

On May 18th, 2025, Triskele Labs was made aware of several successful credential stuffing attacks that allowed threat actors to gain access to customer accounts of an Australian retailer’s web store. These accounts had previously saved payment card information that was then used to purchase several gift cards for recirculation and sale on the dark web and other platforms.

A credential stuffing attack occurs when a threat actor uses a list of stolen usernames and passwords, typically sourced from previous data breaches, to attempt to access websites and cloud resources.

This attack vector exploits the tendency of users to reuse the same passwords across multiple, unrelated websites for convenience.

The attack is highly automated, leveraging tools to test thousands of credentials in a short timeframe and targeting publicly accessible e-commerce and SaaS portals. To avoid detection, threat actors typically rotate IP addresses and use low-cost Virtual Private Networks (VPNs).

Indicators of attack

Organisations can investigate their Web Application Firewall (WAF) logs and the logs of their Identity and Access Management (IDAM) providers for signs of credential stuffing, such as:

  • Unusual spikes in failed login attempts over a short period.
  • Successful logins from suspicious or geographically diverse Internet Protocol (IP) addresses.
  • Repeated login attempts using different usernames from the same IP address.
  • Increased account lockouts or password reset requests.
  • Traffic patterns indicative of automated tools, such as rapid-fire login attempts or access from known botnets, VPNs, and proxy services.
  • Unusual User-Agent strings within the web logs.
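The indicators above can be checked mechanically against an exported authentication log. The following is an added example written for this alert, not code from Triskele Labs: it assumes a simple space-separated log format (timestamp, client IP, username, result, user-agent) and illustrative thresholds, and runs over a few constructed sample lines. It flags the per-minute failure spike, the single IP cycling through many usernames, the non-browser user-agent, and, most usefully for triage, the accounts that logged in successfully from a spraying source.

```python
"""Sweep authentication log lines for credential-stuffing indicators.

Added example for this alert, not code from Triskele Labs. The log format
below (timestamp, client IP, username, result, user-agent) and the
thresholds are assumptions; adapt the parser to your WAF or IDAM export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: one IP cycling through many usernames with an
# automation user-agent, plus ordinary human traffic for contrast.
SAMPLE_LOG = """\
2025-05-18T09:00:01Z 203.0.113.10 alice FAIL python-requests/2.31
2025-05-18T09:00:02Z 203.0.113.10 bob FAIL python-requests/2.31
2025-05-18T09:00:02Z 203.0.113.10 carol FAIL python-requests/2.31
2025-05-18T09:00:03Z 203.0.113.10 dave FAIL python-requests/2.31
2025-05-18T09:00:03Z 203.0.113.10 erin SUCCESS python-requests/2.31
2025-05-18T09:00:04Z 203.0.113.10 frank FAIL python-requests/2.31
2025-05-18T09:05:00Z 198.51.100.7 alice SUCCESS Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/605.1
2025-05-18T09:30:00Z 198.51.100.8 grace FAIL Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Chrome/124.0
"""

# Substrings that mark common HTTP client libraries rather than browsers.
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp", "libwww")


def parse_log(text):
    """Parse the assumed space-separated format; the user-agent keeps its spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, ua = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result, "ua": ua,
        })
    return events


def failure_spikes(events, threshold=5):
    """Minute buckets whose failed-login count reaches the threshold."""
    per_minute = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_minute[e["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


def spraying_sources(events, min_usernames=5):
    """IPs that tried at least min_usernames distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_usernames}


def suspicious_user_agents(events):
    """User-agents that are not browser-like or that name an HTTP client library."""
    flagged = set()
    for e in events:
        ua = e["ua"]
        if not ua.startswith("Mozilla/") or any(m in ua.lower() for m in AUTOMATION_UA_MARKERS):
            flagged.add(ua)
    return sorted(flagged)


def likely_compromised(events, spraying_ips):
    """Accounts that logged in successfully from a spraying source: triage these first."""
    return sorted({e["user"] for e in events if e["result"] == "SUCCESS" and e["ip"] in spraying_ips})


def sweep(text):
    """Run every indicator check over one log export and collect the findings."""
    events = parse_log(text)
    sprayers = spraying_sources(events)
    return {
        "failure_spikes": failure_spikes(events),
        "spraying_sources": sprayers,
        "suspicious_user_agents": suspicious_user_agents(events),
        "likely_compromised": likely_compromised(events, sprayers),
    }


if __name__ == "__main__":
    for name, finding in sweep(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the sweep reports one failure spike (five failures in the 09:00 minute), one spraying source (six distinct usernames from 203.0.113.10), one automation user-agent, and one account (erin) that should be treated as compromised and have its saved payment details reviewed. The thresholds are deliberately low for the sample; tune them to the retailer's normal login volume so legitimate password-reset waves are not flagged.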

Mitigation actions

Enforce Multi-factor Authentication (MFA)

Multi-factor authentication requires additional verification factors beyond a password. If a password is compromised through credential stuffing, the attacker cannot log in without the second factor, preventing access to the account.

Implement rate limiting and throttling

Rate limiting helps mitigate credential stuffing by restricting the number of login attempts allowed from a single IP address or user account within a defined time window. When thresholds are exceeded, additional controls such as temporary account lockouts, session delays, or automated blacklisting of the offending IP address can be applied to disrupt automated attack patterns and reduce system abuse.
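The sliding-window throttle described above, with the per-IP and per-account lockout it triggers, can be implemented in a few dozen lines. The following is an added example, not code from Triskele Labs or from any particular product: it keeps an in-memory window of failed attempts keyed by client IP and by username, locks a key out for a fixed period once the threshold is reached, and takes an injectable clock so the lockout behaviour can be exercised without waiting. The thresholds and the simulated source IP are assumptions.

```python
"""Sliding-window login throttle with temporary lockout (added example).

Not the alert's own code. Thresholds are illustrative; in production the
state would live in a shared store (for example Redis) rather than memory,
because an attacker rotating IPs will hit every application node.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=60, lockout_seconds=300,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(deque)      # key -> timestamps of failures
        self.locked_until = {}                  # key -> time the lock expires

    def _keys(self, ip, username):
        # Throttle on both dimensions: one IP spraying many accounts, and
        # many IPs hammering one account.
        return (("ip", ip), ("user", username))

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, username):
        """Return (allowed, reason). Call before the password is verified."""
        now = self.clock()
        for key in self._keys(ip, username):
            until = self.locked_until.get(key)
            if until is not None:
                if now < until:
                    return False, f"{key[0]} locked"
                del self.locked_until[key]      # lock expired, clear it
        return True, "ok"

    def record_failure(self, ip, username):
        """Record a failed login; lock the key once the window fills up."""
        now = self.clock()
        for key in self._keys(ip, username):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_attempts:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, ip, username):
        # A correct password clears the account's counter but not the IP's:
        # a spraying source that guesses one account right is still a sprayer.
        self.failures.pop(("user", username), None)


def simulate_spray(max_attempts=5, window=60, lockout=300):
    """Drive the throttle with a constructed spray: one IP, a new username each try."""
    now = [0.0]
    throttle = LoginThrottle(max_attempts, window, lockout, clock=lambda: now[0])
    outcomes = []
    for i in range(7):
        now[0] += 1
        allowed, reason = throttle.check("203.0.113.10", f"user{i}")
        outcomes.append(reason)
        if allowed:
            throttle.record_failure("203.0.113.10", f"user{i}")
    now[0] += lockout + 1                       # wait out the lockout
    outcomes.append(throttle.check("203.0.113.10", "user99")[1])
    return outcomes


if __name__ == "__main__":
    print(simulate_spray())
```

In the simulation the fifth failure from the same IP trips the lock, the next two attempts are refused before any password check runs, and the source is admitted again only after the lockout expires. Because the spray rotates usernames, the per-account counter never fills; that is why the per-IP key exists. The per-account lock is the control that stops distributed attacks across many IPs, but it can also be used to lock legitimate customers out, so keep account lockouts short and pair them with the CAPTCHA and reputation controls below rather than relying on lockout alone.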

Deploy CAPTCHA or bot-detection mechanisms

CAPTCHA or bot-detection controls can be deployed on login pages to differentiate between humans and automated credential stuffing bots, triggered when login failure rates spike or when anomalous traffic patterns are detected.


Leverage IP reputation services and geofencing

By applying geofencing, VPN detection, and IP reputation intelligence, organisations can restrict login attempts from high-risk regions or block traffic originating from countries where they do not conduct business. This approach helps reduce unnecessary exposure and narrows the attack surface against automated credential stuffing campaigns.


Educate users on unique password usage

Launch user education initiatives to reduce password reuse. Emphasise the importance of unique, complex passwords and promote the use of password managers.


Adopt passwordless authentication

Transitioning to passwordless authentication can address the root cause of credential stuffing, since there is no reusable password for a stolen credential list to match. Leveraging methods like Magic Links sent by email may decrease the attack surface.
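A magic link only removes the password from the picture if the link itself cannot be guessed, replayed or used late. The following is an added example, not code from Triskele Labs: it shows the properties a defender wants from a magic-link issuer, namely a high-entropy random token, only a hash of the token stored server-side, a short expiry, and single use. The login URL, the time-to-live and the injectable clock are assumptions for illustration; sending the email is out of scope.

```python
"""Magic-link token issuance and redemption (added example, not the alert's code).

Assumptions: the link base URL is a placeholder, the TTL is illustrative,
and the pending-token store is an in-memory dict standing in for a database.
"""
import hashlib
import secrets
import time


class MagicLinkIssuer:
    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable for testing
        self._pending = {}                      # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked database row must not be a usable link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a single-use link for the address; the raw token is never stored."""
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._pending[self._digest(token)] = (email, self.clock() + self.ttl)
        return f"https://shop.example/login/magic?token={token}"  # assumed URL

    def redeem(self, token):
        """Return the email the token was issued for, or None if it is unknown, used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email


def demo_lifecycle():
    """Exercise first use, replay, expiry and an unknown token with a fake clock."""
    now = [1_000.0]
    issuer = MagicLinkIssuer(ttl_seconds=600, clock=lambda: now[0])

    link = issuer.issue("alice@example.com")
    token = link.split("token=", 1)[1]
    first = issuer.redeem(token)                # valid on first use
    replay = issuer.redeem(token)               # None: already consumed

    late_link = issuer.issue("bob@example.com")
    now[0] += 601                               # past the TTL
    expired = issuer.redeem(late_link.split("token=", 1)[1])

    unknown = issuer.redeem("not-a-token-we-issued")
    return first, replay, expired, unknown


if __name__ == "__main__":
    print(demo_lifecycle())
```

Redeeming pops the hashed token before the expiry check, so an expired token is discarded rather than left lying around, and a replayed link fails closed. Two things the example does not cover but a deployment must: the email account receiving the link becomes the single factor, so it should itself be protected by MFA, and the redemption endpoint still needs the rate limiting described above so that token guessing is noisy even though 256 random bits make it infeasible.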
