Reverse brute-force attack definition

An indiscriminate cyberattack where the hacker tries one password on as many accounts as possible. It flips the regular brute-force attack on its head — in this case, the attacker knows a common password and is trying to guess which username goes with it.

Reverse brute-force attacks often target organizations with predictable account names (e.g., name.surname@organization.org), leaked account databases, or publicly available account lists.

Real reverse brute-force attack examples

• Breaking into government systems that publicly list staff email addresses
• Attacks on email lists obtained on the dark web — without the accompanying passwords, these compilations can be purchased very cheaply on shady online marketplaces

Stopping a reverse brute-force attack

• Use a strong password because reverse brute-force attacks prey on accounts with common passwords.
• Use multi-factor authentication (MFA) — this way, even if hackers manage to guess your password, they won’t automatically break into your account.
• Use a reliable password manager like NordPass to generate unique passwords for each of your accounts.

Further reading