
Reverse brute-force attack

(also reverse brute force attack)

Reverse brute-force attack definition

A reverse brute-force attack is an indiscriminate cyberattack in which the attacker tries a single password against as many accounts as possible. It flips the regular brute-force attack on its head: instead of trying many passwords against one account, the attacker starts from a common password and tries to find which usernames accept it.

Reverse brute-force attacks often target organizations with predictable account names (e.g., name.surname@organization.org), leaked account databases, or publicly available account lists.
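Because each account receives only one or two attempts, per-account lockout counters rarely fire; what gives a reverse brute-force attack away is one source failing against many distinct usernames in a short window. The following added example (it is not code from this page or from NordPass) shows detection logic for that pattern run over a few constructed authentication log lines. It also distinguishes the pattern from a classic brute-force attack (many failures against one account) and lists accounts that logged in successfully from a spraying source, which is the first thing an incident responder would want to know. The log format, the thresholds (five failures across five accounts within ten minutes) and the IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format per line: ISO timestamp, username, source IP, result
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice.smith 203.0.113.7 FAIL
2024-05-01T09:00:02 bob.jones 203.0.113.7 FAIL
2024-05-01T09:00:03 carol.white 203.0.113.7 FAIL
2024-05-01T09:00:04 dave.brown 203.0.113.7 FAIL
2024-05-01T09:00:05 erin.green 203.0.113.7 FAIL
2024-05-01T09:00:06 frank.black 203.0.113.7 SUCCESS
2024-05-01T09:05:00 alice.smith 198.51.100.9 FAIL
2024-05-01T09:05:01 alice.smith 198.51.100.9 FAIL
2024-05-01T09:05:02 alice.smith 198.51.100.9 FAIL
2024-05-01T09:05:03 alice.smith 198.51.100.9 FAIL
2024-05-01T09:05:04 alice.smith 198.51.100.9 FAIL
2024-05-01T09:05:05 alice.smith 198.51.100.9 FAIL
2024-05-01T10:30:00 gina.grey 192.0.2.45 FAIL
2024-05-01T10:30:20 gina.grey 192.0.2.45 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_failures=5, min_accounts=5):
    """Return {source_ip: verdict}, verdict in {"spray", "brute_force", "normal"}.

    Thresholds are assumptions for this example: a source is a "spray" when,
    inside one sliding window, it fails against at least min_accounts distinct
    usernames; it is "brute_force" when the same number of failures all hit a
    single username.
    """
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, failures in failures_by_ip.items():
        failures.sort()
        verdict = "normal"
        start = 0
        for end in range(len(failures)):
            # Advance the window start so the window never exceeds `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            current = failures[start:end + 1]
            if len(current) < min_failures:
                continue
            distinct_users = len({user for _, user in current})
            if distinct_users >= min_accounts:
                verdict = "spray"          # one password, many accounts
                break
            if distinct_users == 1:
                verdict = "brute_force"    # many passwords, one account
        verdicts[ip] = verdict
    return verdicts


def successes_from_sprayers(events, verdicts):
    """Accounts that authenticated successfully from a source flagged as spraying.

    These are the accounts most likely to share the guessed common password
    and should be reviewed (forced reset, session revocation) first.
    """
    sprayers = {ip for ip, v in verdicts.items() if v == "spray"}
    return {(ip, user) for _, user, ip, result in events
            if ip in sprayers and result == "SUCCESS"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    for ip, user in sorted(successes_from_sprayers(evs, verdicts)):
        print(f"review account {user}: successful login from spraying source {ip}")
```

The window is keyed on the source address only because that is what a single log line gives you; in practice a sprayer may rotate addresses, so the same logic is often run per source network or per user agent, and a second counter over distinct usernames across all sources within the window catches rotation. The thresholds above are deliberately low for the tiny sample and would be tuned against a baseline of normal failed-login volume.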

Real reverse brute-force attack examples

  • Breaking into government systems that publicly list staff email addresses
  • Attacks on email lists obtained on the dark web — without the accompanying passwords, these compilations can be purchased very cheaply on shady online marketplaces

Stopping a reverse brute-force attack

  • Use a strong password because reverse brute-force attacks prey on accounts with common passwords.
  • Use multi-factor authentication (MFA) — this way, even if hackers manage to guess your password, they won’t automatically break into your account.
  • Use a reliable password manager like NordPass to generate unique passwords for each of your accounts.