In this article, we cover the details of a heavily distributed credential-stuffing attack that targeted a major US financial service company (spoiler: there were some pretty clear signs of device spoofing, as you'll see below). By the end of the bot attack, which lasted 6 days, Castle blocked more than 11.8M malicious login attempts.
As a reminder, credential stuffing is the act of trying large amounts of stolen credentials with the purpose of gaining unauthorized access to accounts (account takeover). The attacker made 11,804,332 login attempts over more than 6 days, and the attack reached a spike of a whopping 208k login attempts per hour on December 10th. For reference, the regular login volume is about 10k per hour.
More Info