Credential stuffing in bug bounties
For those who don't know about credential stuffing, here is a rough explanation:
Many people use the same username and password for multiple online accounts. When attackers get hold of login details from one site (often through a data breach), they replay those same credentials against other sites, usually with automated tooling, hoping the victim reused them.
One fine day, I got invited to a private program. I started by reading the policy scope and noticed that they were particularly interested in leaks, as shown in the image below in the in-scope section.
So I decided to dive deeper. I had never heard of credential stuffing before; all I knew was that you could enter an email address on sites like Have I Been Pwned or DeHashed to check whether your password had been breached or your data had shown up on the dark web. Google also offers a similar service where you can scan your personal email address and check whether it was leaked: https://one.google.com/dwr/setup_profile?g1_landing_page=4
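Since the post mentions checking whether a password was breached through services like Have I Been Pwned, here is an added example (mine, not the author's) of how the Have I Been Pwned Pwned Passwords range API lets you do that without ever sending the password: you SHA-1 the password, send only the first five hex characters of the digest, and match the returned suffixes locally (k-anonymity). The range response embedded below is constructed for this example; a real response has several hundred lines and different counts.

```python
"""Check whether a password appears in a breach corpus without revealing it.

Added example, not code from the original post. It follows the k-anonymity
scheme of Have I Been Pwned's Pwned Passwords API: hash with SHA-1, send only
the 5-character digest prefix, and compare suffixes on the client side.
The sample range body below is constructed, not real API output.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the real range for a 5-hex-char prefix (network call; the offline demo
    swaps this out for a constructed body). Add-Padding asks the API to pad the
    response so its size does not leak which prefix bucket was requested."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "k-anonymity-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 if never seen).
    Only the digest prefix leaves the machine; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the response to GET /range/5BAA6, the prefix for
# "password". The suffixes and counts are made up for this example; the third
# line is the real suffix of SHA-1("password") so the lookup hits.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FFA1B2C3D4E5F60718293A4B5C6D7E8F901:0
"""

if __name__ == "__main__":
    # Offline demo: pretend the API returned the constructed body for any prefix.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    for pw in ("password", ""):
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: prefix {prefix}, seen {check_password(pw, offline)} time(s) in sample corpus")
```

To run it against the live API, call `check_password("your-candidate")` without the `fetch` argument; nothing but the five-character prefix is transmitted, so this is safe to use on a password you actually care about.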
So, I asked myself what to do next to look for leaks. I could either go to the dark web and do my own research, which was time-consuming, or take out a premium subscription to a third-party service like DeHashed for around 4 to 5 USD and search for the emails there.
But where do you find the emails? That is easy nowadays; all you need are some OSINT skills.
So, I found some emails and collected the passwords. At that time, I had no idea about credential stuffing, so I simply reported everything to the company. They responded with this:
So it was a good return for me, as I got a decent bounty compared to what I invested.
My take:
I've noticed that many companies on platform X consider findings like these unethical if you use the credentials to log in. I suppose it varies from company to company, so always read the in-scope section carefully to avoid legal trouble. I've talked with some BB hunters who were also rewarded for these types of findings.
Follow me on X : https://x.com/bunny_0417
Follow me on LinkedIn: https://www.linkedin.com/in/bunny0417/