March 4, 2025
How New AI Agents Will Transform Credential Stuffing Attacks
Credential stuffing attacks had a huge impact in 2024, fueled by a vicious circle of infostealer infections and data breaches. But things could be about to get worse still with Computer-Using Agents, a new kind of AI agent that enables low-cost, low-effort automation of common web tasks — including those frequently performed by attackers. Stolen credentials: The cyber criminal’s weapon of choice

Credential stuffing attacks had a huge impact in 2024, fueled by a vicious circle of infostealer infections and data breaches. But things could be about to get worse still with Computer-Using Agents, a new kind of AI agent that enables low-cost, low-effort automation of common web tasks — including those frequently performed by attackers.

Stolen credentials: The cyber criminal’s weapon of choice in 2024

Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums.

The criminal marketplace for stolen credentials is benefitting from the publicity of high-profile breaches in 2024 such as the attacks on Snowflake customers using credentials found in data breach dumps and compromised credential feeds from infostealer and mass phishing campaigns, resulting in the compromise of 165 customer tenants and hundreds of millions of breached records.

But despite 2024 being an unprecedented year in terms of the impact of identity-based attacks, there’s still a lot of unfulfilled potential for attackers to realize.

Credential attack automation — what’s changed with the shift to SaaS?

Brute forcing and credential stuffing are nothing new, and have been a key component of the cyber attacker toolkit for decades. But it’s not quite as easy to automatically spray credentials across systems as it once was.

No more one-size-fits-all

Rather than a single centralized network with apps and data contained within an infrastructure perimeter, business IT is now formed of hundreds of web-based apps and platforms, creating thousands of identities per organization.

This means that identities too are now decentralized and distributed all over the internet, as opposed to being stored solely in identity systems like Active Directory, and implemented using common protocols and mechanisms.

While HTTP(S) is standard, modern web apps are complex and highly customized, with a graphically-driven interface that is different every time. And to make matters worse, modern web apps are specifically designed to prevent malicious automation through bot protections like CAPTCHA.

So rather than encountering standard protocols and being able to write a single set of tools to use across any organization/environment e.g. write a DNS scanner once, use a single port scanner like Nmap for the entire internet, write a single script per service (e.g. FTP, SSH, Telnet, etc.) for your password sprayer — custom tool development is instead required for every app that you want to target.

Finding the needle in the haystack

Not only are there more environments for attackers to include in the scope of their attack, but there are more credentials to work with.

There are around 15 billion compromised credentials available on the public internet, not including those found only in private channels/feeds. This list is growing all of the time — like 244M never-before-seen passwords and 493M unique website and email address pairs being added to Have I Been Pwned from infostealer logs just last month.

This sounds scary, but it’s tricky for attackers to harness this data. The vast majority of these credentials are old and invalid. A recent review of TI data by Push Security researchers found that fewer than 1% of stolen credentials included in threat intelligence feeds from a multi-vendor data set was actionable — in other words, 99% of compromised credentials were false positives.

But not all of them are useless — as the Snowflake attacks demonstrated, which successfully leveraged credentials dating back to 2020. So there are clearly treasures waiting to be discovered by attackers.

Attackers are forced to prioritize

The distributed nature of apps and identities, and the low reliability of compromised credential data, means attackers are forced to prioritize — despite a target-rich environment of hundreds of business apps, creating thousands of sprawled identities per organization, because:

  • Writing and running custom python scripts for every single app (there are more than 40k SaaS apps on the internet) is not realistic. Even if you did the top 100 or 1000 that would be a significant task and require constant maintenance, while barely scratching the surface of the total opportunity.
  • Even when fully scripted and using a botnet to distribute the attack and avoid IP blocking, controls like rate limiting, CAPTCHA, and account lockouts can obstruct mass credential stuffing against a single app. And a concentrated attack on a single site is going to generate significant levels of traffic if you want to get through 15 billion passwords in a reasonable timeframe, so it’s very likely to raise the alarm.

So attackers tend to target a smaller number of apps, and only look for a direct match in terms of the credentials attempted (e.g. the stolen credential must directly belong to an account on the target app). When they do go after something new, it tends to be concentrated on a specific app/platform (e.g. Snowflake) or looking for a narrower subset of credentials (e.g. credentials clearly associated with edge devices, for more traditional network environments).

A missed opportunity?

As we’ve established, the situation regarding credential stuffing attacks is already pretty bad despite these limitations. But things could be significantly worse.

Password reuse means a single compromised account could turn into many

If attackers were able to increase the scale of their attacks to target a broader number of apps (rather than concentrating on a shortlist of high value apps) they could take advantage of all-too-common password reuse. According to a recent investigation of identity data, on average:

  • 1 in 3 employees reuse passwords
  • 9% of identities have a reused password AND no MFA
  • 10% of IdP accounts (used for SSO) have a non-unique password

What does this mean? If a stolen credential is valid, there’s a good chance that it can be used to access more than one account, on more than one app (at least).

Picture the scenario: A recent compromised credential leak from infostealer infections or credential phishing campaigns shows that a particular username and password combination is valid on a specific app — let’s say Microsoft 365. Now, this account is pretty locked down — not only does it have MFA, but there are conditional access policies in place restricting the IP/location it can be accessed from.

Usually, this is where the attack would end, and you’d turn your attention to something else. But what if you were able to spray these credentials across every other business app that the user has an account on?

Scaling credential attacks with Computer-Using Agents

Until now, the impact of AI on identity attacks has been limited to the use of LLMs for the creation of phishing emails, in AI-assisted malware development, and for social media bots — no doubt significant, but not exactly transformative, and requiring constant human oversight and input.

But with the launch of OpenAI Operator, a new kind of “Computer-Using Agent”, this could be about to change.

Operator is trained on a specialist dataset and implemented in its own sandboxed browser, meaning it is able to perform common web tasks like a human — seeing and interacting with pages as a human would.

Unlike other automated solutions, Operator requires no custom implementation or coding to be able to interact with new sites, making it a much more scalable option for attackers looking to target a broad sweep of sites/apps.

Demo: Using Operator to conduct credential stuffing attacks at-scale

Researchers at Push Security put the malicious use-cases of Operator to the test, using it to:

  • Identify which companies have an existing tenant on a list of apps
  • Attempt to login to various app tenants with a provided username and password

Impact summary

The results were pretty eye-opening. The operator clearly demonstrated the ability to target a list of apps with compromised credentials and perform in-app actions. Now think about this x10, x100, x10,000 … These are not complex tasks. But the value of CUAs Operator is not in tackling complexity, but scale. Imagine a world where you can orchestrate Operator windows via API and get it to execute these actions simultaneously (functionality that exists already for ChatGPT).

But this is bigger than Operator — it’s about the direction of the technology. OpenAI may implement restrictions — better in-app guardrails, rate limits on the number of concurrent tasks and total usage, etc. But you can guarantee it won’t be the only CUA — it’s only a matter of time before similar products emerge (maybe even inherently malicious ones) making use of the same technology.

Final thoughts

It’s still early days for CUA tech, but there’s a clear indication that an already severe security challenge could be made worse with this particular form of AI-driven automation. While the ability to target a broad set of apps has been previously beyond the scope of traditional automation, it’s about to become much more accessible to even low-skilled attackers (think: next gen script kiddies?).

Another way to think about it is that it effectively gives a human attacker a fleet of low-level interns who don’t quite know what they’re doing, but can be instructed to perform specific, itemised tasks at scale with only the occasional check in — while you work on other, more complex tasks. So, a bit like a red team manager of AI bots.

Operator means that attackers can leverage compromised credentials at-scale, take advantage of the vast numbers of vulnerable and misconfigured identities, and convert them into systemic breaches much more easily. In a way, it could make credential stuffing a bit more like it was before the shift to cloud apps — where you could spray thousands of credentials across your targets without needing custom development every time.

Thankfully, no new anti-AI capabilities are required — but it’s more important than ever that organizations look to defend their identity attack surface and find and fix identity vulnerabilities before attackers can take advantage of them.

Find out more

If you want to learn more about identity attacks and how to stop them, check out Push Security — you can book a demo or try out their browser-based platform for free.

And if you want to see them demo more malicious use cases of Operator, check out this on-demand webinar.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector

Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Google’s March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

Google’s March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

You may have missed

Waymo, Uber begin offering robotaxi rides in Austin ahead of SXSW Waymo, Uber begin offering robotaxi rides in Austin ahead of SXSW

Waymo, Uber begin offering robotaxi rides in Austin ahead of SXSW

Google’s Pixel 10 Series Could Finally Bring This Contextual AI Assistant Google's Pixel 10 Series Could Finally Bring This Contextual AI Assistant

Google’s Pixel 10 Series Could Finally Bring This Contextual AI Assistant

NASA’s New Missions Will Map the Sun and the Cosmos NASA’s New Missions Will Map the Sun and the Cosmos

NASA’s New Missions Will Map the Sun and the Cosmos

Realme 14 Pro+ 5G 512GB Storage Variant Now Available in India: See Price Realme 14 Pro+ 5G 512GB Storage Variant Now Available in India: See Price

Realme 14 Pro+ 5G 512GB Storage Variant Now Available in India: See Price

Vivo Y300i Design, Key Features Surface Online via China’s Telecom Website Vivo Y300i Design, Key Features Surface Online via China's Telecom Website

Vivo Y300i Design, Key Features Surface Online via China’s Telecom Website

Oppo’s Apps Will Now Be Integrated With Google’s Gemini Oppo’s Apps Will Now Be Integrated With Google’s Gemini

Oppo’s Apps Will Now Be Integrated With Google’s Gemini