Your IP: Unknown · Your Status: Unprotected Protected


Blog In Depth

How to avoid credential stuffing

May 15, 2020 · 2 min read

How to avoid credential stuffing

Imagine: one day, you find yourself locked out of all your accounts. Netflix, Facebook, Uber are all blocked. Someone is making expensive purchases from your Amazon wallet. You realize that you used the same username and password for all these accounts. You have just fallen for a credential stuffing attack.

What is credential stuffing?

Credential stuffing is a cyberattack where hackers use breached usernames and passwords to access victims’ accounts. They obtain credentials either by purchasing them on the dark web, accessing leaked databases (you can check whether your password is known to have been breached here), or employing social engineering techniques.

Hackers then try these credentials to access various apps or sites. Once they break in, they can do all kinds of criminal activities with your sensitive data: sell it, hold it for ransom, or just use it for their own needs.

Credential stuffing might be compared to a brute force attack, but it’s not exactly the same. Even though both attacks stuff login credentials on multiple accounts until they succeed, the main difference is that in brute force attacks hackers generate passwords themselves. In credential stuffing, data is taken from other sources.

How credential stuffing works

Let's say you use a car-share app that you log into with your email and password. However, you use the same credentials on other apps; you just find it too difficult to remember different passwords for all of them. The app experiences a data leak due to poor security measures. Your credentials end up in a database obtained by hackers. They can now use that data to get into your car-share app. Later they will stumble upon other apps and will hack them too.

Trying multiple login credentials on an endless number of websites can be tedious. Therefore, to maximize the success rate of these attacks, hackers don’t do the dirty work themselves. They employ botnets.

Imagine you find someone’s keys on the street. It would be quite challenging to try it on every door in the city. But if you employ a robot to automate this process, you will increase the scale and speed of the attack. The chances of hitting the jackpot will be way higher.

How to prevent credential stuffing

A credential stuffing attack can cause a great deal of damage for you or your company. Businesses lose millions every year due to these attacks, while private users experience a great deal of financial and emotional distress. Here are a few tips on how to avoid falling for a credential stuffing attack:

  • Use complex passwords and do not reuse them across different accounts. Password managers, like NordPass, will help you store and remember all your passwords;
  • Use multifactor authentication. This will add additional obstacles for hackers;
  • Do not share your credentials with people you don’t trust and don’t leave them out in the open;
  • Watch for unrecognized devices trying to access your account and block the suspicious ones;
  • Immediately change your passwords in the event of a credential leak. Do the same with other accounts for which you use the same passwords.

To learn more about cybersecurity, subscribe to our monthly blog newsletter below!


Paul Black
Paul Black successVerified author

Paul is a technology and art enthusiast who is always eager to explore the most up-to-date issues in cybersec and internet freedom. He is always in search for new and unexplored angles to share with his readers.


Subscribe to NordVPN blog