
Credential stuffing

If you only have 5 minutes:

  • Never reuse a password across services.
  • If one app or service asks you to change your password, change that password everywhere else you used it too.
  • Think carefully about where else you might have used that password without noticing, especially if you logged in using a social media identity, e.g. logging into a coffee shop website using Facebook.


What is… credential stuffing?

Credential stuffing is a cyber attack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service.

The criminal obtains large numbers of stolen login credentials and tries them against other services, relentlessly and at scale over the internet.

The threat is large and growing: in the largest known cyberattack of this type, one company detected over 28 billion attacks.

As of 2019, credential stuffing has been on the rise thanks to massive lists of breached credentials being traded and sold on the dark web.

How users can prevent credential stuffing

From a user’s point of view, defending against credential stuffing is pretty straightforward. Users should always use a unique password for each service (an easy way to achieve this is with a password manager). If a user always uses unique passwords, credential stuffing will not work against their accounts. As an added measure of security, users are encouraged to enable two-factor authentication whenever it is available. Two-factor authentication means verifying a login on a second channel or device, e.g. logging in from your mobile via an app and being sent an email asking whether it was you that logged in.

What you should expect businesses and services to do to prevent credential stuffing

Credential stuffing occurs as a result of data breaches at other companies. A company that is the victim of a credential stuffing attack has not necessarily had its own security compromised.

Businesses and services could ask you to use a unique password, but they cannot enforce that in any way.

You may be asked to complete a second layer of authentication, such as two-factor authentication or a Captcha, to prove you are not a bot. These are inconvenient but only take a short while, and the delay is worth the secure service that they enable.
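The pattern described above, one source trying many different stolen logins of which most fail, is what a service can watch for in its login logs. As an added example that is not part of the original page, the Python below runs a simple detector over constructed log lines in an assumed `<time> <ip> <username> OK|FAIL` format; the thresholds are illustrative, not a recommended standard.

```python
# Added example: flag a source address whose logins look like credential
# stuffing (many *different* usernames, mostly failures) while leaving a
# single user who mistypes their own password a few times alone.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (assumed format: "<time> <ip> <username> <result>").
# 198.51.100.7 walks a breached list; 203.0.113.9 is one user who fumbles twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 bob FAIL
2024-05-01T10:00:02 198.51.100.7 carol FAIL
2024-05-01T10:00:03 198.51.100.7 dave OK
2024-05-01T10:00:03 198.51.100.7 erin FAIL
2024-05-01T10:00:04 198.51.100.7 frank FAIL
2024-05-01T10:00:05 203.0.113.9 alice FAIL
2024-05-01T10:00:09 203.0.113.9 alice FAIL
2024-05-01T10:00:15 203.0.113.9 alice OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (source ip, username, success flag)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"


def summarise(log_text):
    """Aggregate attempts, failures and distinct usernames per source ip."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if not ok:
            s.failures += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Return source ips that tried many distinct usernames with a high failure rate."""
    flagged = set()
    for ip, s in summarise(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.usernames) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.add(ip)
    return flagged
```

Note that the stuffing source still had one successful login (`dave`), which is exactly why a service that sees this pattern should step up to a second factor or Captcha rather than rely on failures alone.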