Reverse brute-force attack definition
A reverse brute-force attack is an indiscriminate cyberattack where the hacker tries one password on as many accounts as possible. It flips the regular brute-force attack on its head — in this case, the attacker knows a common password and is trying to guess which username goes with it.
Reverse brute-force attacks often target organizations with predictable account names (e.g., name.surname@organization.org), leaked account databases, or publicly available account lists.
Real reverse brute-force attack examples
- Breaking into government systems that publicly list staff email addresses
- Attacks on email lists obtained on the dark web — without the accompanying passwords, these compilations can be purchased very cheaply on shady online marketplaces
Stopping a reverse brute-force attack
- Use a strong password because reverse brute-force attacks prey on accounts with common passwords.
- Use multi-factor authentication (MFA) — this way, even if hackers manage to guess your password, they won’t automatically break into your account.
- Use a reliable password manager like NordPass to generate unique passwords for each of your accounts.
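The pattern in the definition above (one password tried against many usernames) leaves a distinctive trace in authentication logs: many distinct accounts fail from one source, each only once or twice, so per-account lockout never trips. The following Python is an added detection example, not NordPass's code; the log lines are constructed, and the sshd-style line format, the 10-minute window and the five-account threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data): one source IP tries a single
# guessed password against many different accounts, while a normal user mistypes
# their own password a few times on one account. sshd-style format is assumed.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for alice.smith from 203.0.113.7
2024-05-01T09:00:02 sshd[101]: Failed password for bob.jones from 203.0.113.7
2024-05-01T09:00:03 sshd[101]: Failed password for carol.lee from 203.0.113.7
2024-05-01T09:00:04 sshd[101]: Failed password for dave.kim from 203.0.113.7
2024-05-01T09:00:05 sshd[101]: Failed password for erin.park from 203.0.113.7
2024-05-01T09:00:06 sshd[101]: Failed password for frank.wu from 203.0.113.7
2024-05-01T09:00:10 sshd[102]: Failed password for alice.smith from 198.51.100.9
2024-05-01T09:00:20 sshd[102]: Failed password for alice.smith from 198.51.100.9
2024-05-01T09:00:30 sshd[102]: Failed password for alice.smith from 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ Failed password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Return (timestamp, username, source_ip) tuples for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def find_reverse_brute_force(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against many *distinct* accounts inside one window.
    A reverse brute-force produces only a failure or two per account, so a
    per-account lockout counter never fires; counting distinct usernames per
    source within a sliding window is what exposes it. Returns {source: count}."""
    by_source = defaultdict(list)
    for ts, user, src in sorted(events):
        by_source[src].append((ts, user))
    alerts = {}
    for src, attempts in by_source.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = max(len(users), alerts.get(src, 0))
    return alerts
```

The repeated failures from 198.51.100.9 are a single user and are not flagged, while 203.0.113.7 hits six accounts in six seconds and is; pairing this with the MFA and unique-password advice above limits what a correct guess is worth.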