Skip to main content

Home Credential stuffing

Credential stuffing

Credential stuffing definition

Credential stuffing is a cyberattack where hackers use breached usernames and passwords to access victims’ accounts. They obtain credentials either by purchasing them on the dark web, accessing leaked databases, or employing social engineering techniques. Hackers then try using these credentials to access people’s accounts on various apps or websites. Once they break in, they can sell your account, hold it for ransom, or use it for other attacks.

How credential stuffing attacks happen

  • A website or a service you use suffers a data breach, and its users’ credentials are leaked online.
  • A hacker obtains the leaked database and uses the email/password combinations to try logging into other popular websites (Facebook, Instagram, Twitter, Gmail, etc.).
  • If you reuse the same password for multiple websites, the hacker successfully accesses your account and is able to do anything they want with it.

How to prevent credential stuffing

  • Practice good password hygiene. Use complex, unique passwords and change the passwords on your most sensitive account more often.
  • Set up two-factor authentication. Even if a hacker is able to get your password, it will be useless without the additional authentication.
  • Follow cybersecurity news. If you hear that a service you use was breached, change your password immediately.