Credential Stuffing

Credential stuffing is a cyberattack in which credentials obtained from a data breach on one website or application
are used to attempt to log in to your properties, typically in an automated fashion.


For example, a user on your websites email address and password may have been leaked online in a popular hack, such as the LinkedIn or Adobe ones.

Bots will then try to login to your site with that email and password, and if it works report that to be used for abuse.

Mitigating Credential Stuffing

Preventing credential stuffing is actually quite simple and relies on two primary considerations:

  1. The rate of requests needed to test a leaked list
  2. Pre-emptive blocking of known threats
  3. Detection and blocking of bots

Using Nova's Bot and Post Protection options you can easily slow down and block automated login attempts. It will automatically limit login attempts on your site to prevent abusive behaviour.

You may then optionally enable the NovaSense threat intelligence system on your Nova to pre-emptively block known malicious hosts engaged in cybercrime. This is an extremely effective method to block unwanted