Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
F5 Employee
F5 Employee


In this article you will learn how to configure and use Leaked Credential Check (LCC). LCC provides access to a database of compromised credentials, which can be used to detect and prevent a Credential Stuffing Attack.  LCC is a subscription-based service which can be added to BIG-IP Advanced WAF.


Leaked Credential Check stops leaked or stolen credentials from being used to access personal or business applications. It automatically detects and mitigates compromised credential use. If compromised credentials are detected during an attempted login, Leaked Credential Check enables several mitigation options for SecOps teams to enact, individually or collectively, including:

  • Requiring the user to employ multi-factor authentication (MFA) before granting access.
  • Redirecting the user to another application page; for example, a customer support web page.
  • Responding to the suspicious login with a preset page requesting further action by the user, such as contacting customer support.
  • Blocking the user and their login from accessing the application.
  • Sending an alert to the SecOps team to take additional action

This article assumes you have Advanced WAF configured and deployed for one or more Virtual Servers and you have purchased the add-on subscription for LCC. 

Typical Steps Involved in a Credential Stuffing Attack


High Level Network Topology


Configuration Steps

From the BIG-IP Configuration Utility select Security > Application Security > Security Policies > Policies List.


Notice the Policy name in this example is Leaked-Credential-Check. There are 2 Virtual Servers attached to this policy, vs_arcadia.emea.f5se.com_II and vs_Hackazon_IV.


LCC is configured from Security > Cloud Services > Cloud Security Services Applications.


Click the name of the Cloud Security Application, f5-credential-stuffing-cloud-app in this example.

Note: if the application has not been created yet click the Create button on the right.


Give it a name if creating a new app. Set the Service Type to Blackfish Credential Stuffing Service. Enter your API Key ID and Secret. Specify the Endpoint, f5-credential-stuffing-blackfishin this example.


Click Save when done


LCC is enabled in Security > Application Security > Brute Force Attack Prevention.


Check the box to Enable Detection


Under Action you can choose different mitigation Actions.


Alarm: report the Leaked Credentials Detection violation in the Event Log

Alarm and Blocking Page: report the Leaked Credentials Detection violation in Event Log and send the Blocking Response Page

Alarm and Honeypot Page: report the Leaked Credentials Detection violation in Event Log and send the Honeypot Response Page

Alarm and Leaked Credentials Page: report the Leaked Credentials Detection violation in Event Log and send the Leaked Credentials Page

Select Learning and Blocking Settings to configure them.


For Sessions and Logins set Leaked Credentials Detection to Alarm and Block.


The Honeypot Page and Leaked Credentials Page can be configured from Security > Application Security > Security Policies > Policies List


Select the Leaked-Credential-Check Policy


Select Response and Blocking Pages on the left.


Scroll down and the Failed Login Honeypot response and Leaked Credentials response can be configured here.


Test Leak Credentials Detection

Attempt to login to your web application using known leaked credentials. In this example we’ll use “HACKAZON”. Click the Sign In link near the top on the right.


Attempt to login using the following:

Password: mountainman01


The login should fail.


Try to login with the following credentials:

Username: admin
Password: 12345678

Check the BIG-IP Event Log

From the Configuration Utility go to Security > Event Logs > Application > Requests.


There are two requests at the top that look important.


Select the first one. Here we can see details about the request. As suspected, the violation was due to the Leaked Credentials Detection policy.


Scroll down under Request and you can see the username and password that triggered the violation.


Now select the second one. As you can see, this violation was triggered by the login attempt with the username “”.



Congratulations! You have successfully configured and test Leak Credential Checking.

Version history
Last update:
‎24-Nov-2021 09:28
Updated by: