February 9, 2021

E-mail Plus Addressing Against Credential Stuffing

Credential Stuffing

Before I start I should probably say what credential stuffing and e-mail plus addressing are. Knowing what credential stuffing is will also let you understand why you should care.


Credential Stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks such as: Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts.

Read more at https://en.wikipedia.org/wiki/Credential_stuffing and https://www.cloudflare.com/en-gb/learning/bots/what-is-credential-stuffing/

If you want to know if your e-mail address has been compromised have a look at Have I been Pwned

Plus e-mail addressing Some mail services support a tag included in the local-part, such that the address is an alias to a prefix of the local part. For example, the address [email protected] denotes the same delivery address as [email protected]. E-mail standards refer to this convention as sub-addressing, but it is also known as plus addressing, tagged addressing or mail extensions.

Addresses of this form, using various separators between the base name and the tag, are supported by several email services, including Andrew Project (plus), Runbox (plus), Gmail (plus), Rackspace (plus), Yahoo! Mail Plus (hyphen), Apple’s iCloud (plus), Outlook.com (plus), ProtonMail (plus), Fastmail (plus and Subdomain Addressing), postale.io (plus), Pobox (plus), MeMail (plus), MMDF (equals), Qmail and Courier Mail Server (hyphen). Postfix and Exim allow configuring an arbitrary separator from the legal character set.

The text of the tag may be used to apply filtering, or to create single-use, or disposable email addresses.

Read more at https://en.wikipedia.org/wiki/Email_address#Subaddressing

How does knowing this help me?

To prevent criminals from hijacking your accounts at various websites you should do the basics right by always using unique and strong passwords. The best way to do this is to use a password manager. I you are using a Mac the built-in keychain is adequate as password manager but has the disadvantage of only working with Safari the native browser. There are quite a few good password managers available for Mac and windows.

If multi-factor authentication (MFA) is available for a website you should use it as well.

Many sites use an e-mail address as username. If you use a plus address instead of your normal e-mail address as your username, you can have a unique username for each site that uses an e-mail address as username. You can for example use [email protected] for one site and [email protected] for the next site.

If criminals steal the credentials for site1 they will have username/password pair that cannot be used for credential stuffing at all because it is unique. You will also know who gave away your e-mail if you start getting spam at [email protected] and you can easily block it.

Using plus addressing is only another small part in making life more difficult for criminals and is by no means a substitute for good passwords and MFA. Some websites also don’t allow plus signs in e-mail addresses on their forms. To me these sites are immediately suspect because they either have incompetent programmers and web designers or they deliberately don’t allow it to make abusing your e-mail address easier.

© Arnold Greyling 2023