What is credential stuffing (and how to protect yourself)

Hackers can use different techniques and methods to steal your passwords. One way they can use your stolen personal data is called credential stuffing. Read on to learn more about what credential stuffing entails and how you can help protect yourself.

Credential Stuffing Defined

Credential stuffing is a type of security breach in which hackers use stolen lists containing usernames and passwords and try to gain unauthorized access. It’s also known as “breach replay” or “list cleaning.” According to Microsoft’s Tech Community, hackers try credential stuffing on tens of millions of accounts on a daily basis.

How Does Credential Stuffing Work?

Not all sites are developed equal, and data breaches take place easily on websites with poor security protocols. Cybercriminals regularly hack such websites and can steal user credentials in the form of lists. They then try the same username and passwords on multiple websites to gain unauthorized access. The reason why credential stuffing actually works is that people reuse the same password across multiple websites. This way, hackers can gain access to those websites that have strong security protocols.

How to Avoid Credential Stuffing?

The best way to avoid credential stuffing is not only to use strong but also unique passwords on each website. In case if one of your passwords is stolen, that won’t allow a hacker to access your information on any other account. Moreover, you also don’t have to remember each unique password by heart as you can use a good password manager that remembers every password for you.

A total of 500 million Zoom accounts are for sale on the dark web thanks to “credential stuffing.” It’s a common way for criminals to break into accounts online. Here’s what that term actually means and how you can protect yourself.

It Starts With Leaked Password Databases

Attacks against online services are common. Criminals often exploit security flaws in systems to acquire databases of usernames and passwords. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.

Let’s say you had an account on the Avast forum, which was breached back in 2014. That account was breached, and criminals may have your username and password on the Avast forum. Avast contacted you and had you change your forum password, so what’s the problem?

Unfortunately, the problem is that many people reuse the same passwords on different websites. Let’s say your Avast forum login details were “[email protected]” and “AmazingPassword.” If you logged into other websites with the same username (your email address) and password, any criminal who acquires your leaked passwords can gain access to those other accounts.

Credential Stuffing in Action

“Credential stuffing” involves using these databases of leaked login details and trying to log in with them on other online services.

Criminals take large databases of leaked username and password combinations—often millions of login credentials—and try to sign in with them on other websites. Some people reuse the same password on multiple websites, so some will match. This can generally be automated with software, quickly trying many login combinations.

For something so dangerous that sounds so technical, that’s all it is—trying already leaked credentials on other services and seeing what works. In other words, “hackers” stuff all those login credentials into the login form and see what happens. Some of them are sure to work.

This is one of the most common ways that attackers “hack” online accounts these days. In 2018 alone, the content delivery network Akamai logged nearly 30 billion credential-stuffing attacks.

How to Protect Yourself

Protecting yourself from credential stuffing is pretty simple and involves following the same password security practices security experts have been recommending for years. There’s no magic solution—just good password hygiene. Here’s the advice:

  • Avoid Reusing Passwords: Use a unique password for each account you use online. That way, even if your password leaks, it can’t be used to sign in to other websites. Attackers can try to stuff your credentials into other login forms, but they won’t work.
  • Use a Password Manager: Remembering strong unique passwords is a nearly impossible task if you have accounts on quite a few websites, and almost everyone does. We recommend using a password manager like 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you. It can even generate those strong passwords from scratch.
  • Enable Two-Factor Authentication: With two-step authentication, you have to provide something else—like a code generated by an app or sent to you via SMS—each time you log in to a website. Even if an attacker has your username and password, they won’t be able to sign in to your account if they don’t have that code.
  • Get Leaked Password Notifications: With a service like Have I Been Pwned?, you can get a notification when your credentials appear in a leak.

How Services Can Protect Against Credential Stuffing

While individuals need to take responsibility for securing their accounts, there are many ways for online services to protect against credential-stuffing attacks.

  • Scan Leaked Databases for User Passwords: Facebook and Netflix have scanned leaked databases for passwords, cross-referencing them against login credentials on their own services. If there’s a match, Facebook or Netflix can prompt their own user to change their password. This is a way of beating credential-stuffers to the punch.
  • Offer Two-Factor Authentication: Users should be able to enable two-factor authentication to secure their online accounts. Particularly sensitive services can make this mandatory. They can also have a user click a login verification link in an email to confirm the login request.
  • Require a CAPTCHA: If a login attempt looks strange, a service can require entering a CAPTCHA code displayed in an image or clicking through another form to verify a human—and not a bot—is attempting to sign in.
  • Limit Repeated Login Attempts: Services should attempt to block bots from attempting a large number of sign-in attempts in a short period of time. Modern sophisticated bots may attempt to sign in from multiple IP addresses at once to disguise their credential-stuffing attempts.

Poor password practices—and, to be fair, poorly secured online systems that are often too easy to compromise—make credential stuffing a serious danger to online account security. It’s no wonder many companies in the tech industry want to build a more secure world without passwords.

Article by Chris Hoffman from how to geek.

What is credential stuffing (and how to protect yourself)

Credential stuffing can result in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. Tempura/Getty Images

Cybercrime is nothing new. In the wake of the Coronavirus outbreak, phishing scams and other types of identity fraud spiked. Now, the Securities and Exchange Commission (SEC) has issued a Risk Alert about a recent uptick in a type of cyberattack known as “credential stuffing.”

Here’s what you should know about credential stuffing and how to protect yourself from this type of cyberattack.


Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials. Basically, cyberattackers use the dark web to obtain lists of usernames, email addresses and corresponding passwords from previous hacks. Then they try those logins on other sites because, admit it, many of us tend to reuse the same username and password combinations. Of course, the best practice is not to use the same credentials and to add variability to all passwords.

According to the SEC, there has been an increase in attempts by cybercrooks to use this strategy to get into people’s financial accounts. Think of all the things you can do when you log in to your accounts at financial institutions. While there are a number of defenses in place at your financial institutions themselves, if a cybercriminal logs into your account, they may have access to steal your money.


Most companies continually work to detect and block credential stuffing attempts through a number of proactive actions. These include monitoring the dark web and checking to see if leaked information might be tied to their own customer’s usernames, blocking potential fraudsters from logging in and requiring stronger passwords and multifactor authentication (like getting a code texted to your phone in order to log in).


The key to keeping cybercriminals out of your accounts is to take a few moments to make sure you’re protecting yourself online :

Use a unique username and password for every account. We get it, there’s no way you can remember a unique username and password for all your different logins — particularly when you consider that you likely have a login for everything from your bank to your fast food chain (online ordering is a savior during COVID!).

The good news is that you don’t have to. You can keep track by using a password manager . You set these up by creating a master password (which should be long and complicated with numbers and special characters). Once you have committed that to memory, the service will do the rest. It will store credential pairs when you enter them into websites, so you will never need to manually enter them again, and it makes it easier to change your existing passwords. That way, if one of your passwords does get snagged in a data breach, the rest of your online services won’t be exposed. Most also offer a random password generator tool that you can customize. Password managers can also store things like credit card numbers and insurance information.

Set up multifactor authentication (MFA). Strong security uses something you have and something you know. That way if a criminal gets access to one of those things — say your username and password — they won’t have access to your account without the other thing.

Multifactor authentication is typically available for any sensitive account like your financial institutions or your email. It’s most commonly a unique code that’s either sent to you via text, app, phone or email. Generally, once the access is authenticated, the website can remember the device that the additional data is entered on, so you don’t have to go through this process every time you log in.

It’s a good idea to set up MFA on all your sensitive accounts, particularly at financial institutions and for your email accounts (where password reset instructions are often sent).

Add on a physical key. To make your MFA protection even stronger, you can buy a physical security key , which is a USB you can connect to your computer that will authenticate your account logins. The benefit of a physical key is that you must physically have it to get into your accounts. While nothing is foolproof, it’s tough for a cybercriminal who is used to operating behind a computer screen to get something that you have in your possession.

What is credential stuffing & how does it work?

Credential stuffing is a ‘brute force attack’ that uses bots to automatically inject combinations of usernames and passwords collected from previously breached data files until they match an existing account. Credential stuffing occurs when your company or several companies fail to protect their data.

Attacks typically comprise of three elements:

  1. Attackers build a document containing your email address and various passwords
  2. A bot uses a brute force attack using combinations of all these email addresses and passwords
  3. When a bot finds a match to an existing account, the cybercriminal now has access to your data

Why do attackers use credential stuffing?

It is the most effective type of brute force attack and more successful than attacks that guess passwords based on ‘dictionaries’ of common password and password selection errors. Credit card fraud is the most popular motive, allowing criminals to make purchases from false accounts; hence, eCommerce businesses are usually the target/victim.

Credential stuffing allows cybercriminals to:

  • Gain access to accounts
  • Sell data to other criminals
  • Commit ID theft and fraud
  • Ransom the information in the account (extortion)
  • Damage a company’s or individual’s reputation.

Is credential stuffing illegal?

Yes – It is unlawful to attempt unauthorised acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. Basically, it is illegal to have this information and illegal to use it. GDPR laws state how companies and individuals collect, store and use personal data.

How common is credential stuffing?

Billions of records are being stolen, making credential stuffing one of the most common techniques used to access online accounts.

The potential consequences of attacks

For companies:

  • Unsuccessful attack
    • Traffic spikes
    • Analytic anomalies
    • Server downtime
  • Successful attack
    • Reputational damage – the company loses business and partners
    • Financial damage – up to 4% of global annual turnover, if found in violation of the EU’s General Data Protection Regulation (GDPR).

For individuals:

  • Emotional/mental
    • Feelings of being violated, fear, and anxiety.
  • Financial
    • While some cybercriminals will only take a small amount regularly in the hopes that the lost money isn’t noticed, some attackers will take a devastating amount, preventing individuals from upholding commitments, getting them into debt, and causing a bad credit rating. Some attackers make purchases from credit cards knowing that the person can request a chargeback; however, this hurts the merchant. Learn more about chargeback management here.
    • There are further additional costs when considering the time it takes to investigate and resolve cases.

How to detect credential stuffing

You can spot credential stuffing by noticing continuously failed logins. The software can help detect this with a bot detection solution that provides a user attempts suit report.

How to prevent credential stuffing:

Four steps that will help you prevent credential stuffing include:

  1. Penetration testing to prevent data breaches as a company
  2. Using strong password security and password managers to protect yourself as an individual
  3. Companies introducing multi-factor / biometric authentication as an option
  4. Training workforce members to defend against automated e-commerce bot attacks

What to do if you have been a victim of credential stuffing

Companies should introduce and follow their Business Continuity (BC) and Disaster Recovery (DC) plan. Individuals should follow the advice outlined by the company. Alert the authorities.

We all use dozens or even hundreds of different online services: email providers, software applications, streaming services, newspaper subscriptions and much more. Each of these services asks us to create a login – usually at least a username and password. Often, however, these login details are stolen in one way or another and are sold as part of large password collections by cyber criminals. Hackers then use this login data by employing methods such as credential stuffing, for example, to make a profit from the stolen data.

  1. Why is credential stuffing so important?
  2. Credential stuffing in a nutshell
  3. How credential stuffing works
  4. How you can protect yourself against credential stuffing
  5. Countermeasures that servers can take

Why is credential stuffing so important?

Hackers regularly manage to access the databases of large online services and steal the login details of many, many users. This stolen data is then put up for sale on the dark net in the form of lists. The largest and best-known list is called “Collection #1-5” and contains over 2.2 billion combinations of usernames and passwords – around 900GB of data!

So, what can you do with a list like this? At first glance, not a lot. If a service provider becomes aware of the data theft, they warn their customers and ask them to change their password.

You can check to see if your email address has been published in the dark web on the Hasso Plattner Institute’s website.

Changing your password does stop hackers from accessing the account concerned. The problem is that many users are creatures of habit. They often use the same email address and password combination for several online services. This is where credential stuffing comes into play as the hackers can then use the stolen login data to their advantage.

You can find out more about password security in our feature article on the subject. You can also read about how to maintain an overview of all your logins with password managers in our Digital Guide.

Credential stuffing in a nutshell

With credential stuffing, attackers try to use stolen login details (or “credentials”) to access a system. When doing so, they try many different credentials that they have stolen from other online services. The aim of the attack is to obtain further valuable information from the hacked account, such as credit card numbers, addresses, saved documents, contact data – in short: any other data that they may be able to use to make a profit.

According to statistics, around every thousandth login attempt is successful. In other words, an attacker has to try 1000 different sets of login details to break into a system.

How credential stuffing works

A hacker needs four things for a successful “credential stuffing” attack:

  • A list of login details
  • A list of popular online services that they want to attack (e.g., Dropbox, Adobe Cloud, Canva, etc.)
  • A technique that allows them to use a high number of different IP addresses (IP rotation)
  • A “bot” (computer program) that makes login attempts on the various online services completely automatically

With these bots, hackers can try one login after another, systematically changing the originating IP address each time so that the target server doesn’t block the login attempts, as a well-configured server will usually block an IP address if the number of failed login attempts exceeds a certain threshold.

If the login is successful, the bot can then access the valuable information that we mentioned above. The successful login details are also saved for later use – for example for phishing attacks and other similar attacks.

Credential stuffing is often significantly more efficient that the following hacking methods:

  • Brute-Force attacks require a much higher number of tries as only random password combinations are tried and not, like with credential stuffing, existing passwords.
  • Social engineering usually limits the attack to just one platform (e.g., Amazon), while credential stuffing can attack hundreds of different online services at the same time.

How you can protect yourself against credential stuffing

The most simple and secure countermeasure is to use different passwords for different logins. While it’s not exactly convenient, it’s still less of a hassle to come up with a way of remembering all your different passwords than having to change the password for all your logins individually in the event of a security leak.

Find out how to protect yourself with a secure password.

What is Credential Stuffing?

What is credential stuffing (and how to protect yourself)Credential stuffing is when a cybercriminal uses an automated script to try each credential they have against a targeted website or application. The reason this often works is a larger majority of users will use the same password for multiple accounts. Cybercriminals often will horde large amounts of usernames and passwords, then go to a password page, and have their script try every single one.

Typically, these username and passwords come from some type of the previous breach. With all of the credential dumps happening on the Dark Web, credential stuffing has become a major online threat. Hackers can use your credentials for just about everything, including spam, phishing, and even full account takeovers.

This hacking technique is on the rise and has gained in popularity with cybercriminals because it’s both simple, cost-effective, and relies on a company’s weakest security links: their employees.

What Can You Do To Protect Your Company and Data?

There are several steps you can take to protect your company from one of these types of attacks.

Use a Password Manager

In the US, the average email address is associated with 130 accounts. You have accounts that require login and passwords for just about everything in your life. One of the best ways to help yourself avoid password reuse is to use a password manager. A password manager will store all of your passwords safely so that you don’t have to remember each and every one of them. A password manager can also help you generate secure random passwords.

Set Only Strong and Unique Passwords for All of Your Accounts

While you may have heard time and time again to be sure and create a strong password, it’s important to also make sure that each account has a unique password, different from every other account. Strong passwords will:

  • Have a minimum of 12 characters. However, the longer, the better. A password with 20 or 30 characters is great.
  • Include numbers, letters, symbols, capital letters, and lower case letters in every single password. And mix it up. Don’t ALWAYS use ‘@’ in place of ‘a’ or ‘!’ in place of ‘i.’ Switch them around to make it harder to crack.
  • Don’t use dictionary words or a combination of dictionary words like ‘password’ or ‘my password.’
  • Don’t rely on obvious substitutions, either. For example, ‘[email protected],’ isn’t a strong password, simply because you substituted the ‘a’ for ‘@.’
  • Never, ever reuse the same password twice.

Don’t Store Your Passwords in Your Browser

While browsers make it easy on us and try to simplify our lives by offering to remember every password you use online, it’s important to remember that browsers sometimes get hacked, too. So, even though it may feel convenient, it still poses some security risks. Some of this risk may depend on which browser you’re using if it’s synced with other devices and if you are using extra browser security features.

One of the biggest issues you have when saving passwords to your browser is that other people may see it. Users who have access to our computer logs can see your actual password or even credit card details if you saved them. If your laptop, tablet, or smartphone is lost or stolen, the same threat applies.

There are also viruses and malware out there which target your saved information in browsers looking to steal your passwords and credit card information.

Enable Multi-Factor Authentication Wherever You Can

Two-Factor or Multi-Factor Authentication will make it more difficult for a cybercriminal to breach one of your accounts. This will add another layer of security to your authentication process, since knowing your password won’t alone be enough to pass an authentication check.

Treat Security Questions the Same as Passwords

Do you need to know your mother’s maiden name to help remember a password? Sure, that may be a helpful clue, but most people can find out your mother’s maiden name with a simple Google search. What about your high school mascot? No problem, we can look up which high school you went to on social media and then find out their mascot from their website. Your pet’s name? The color of your car? Believe it or not, much of that information can be found on the information superhighway.

Because it has become easy to find out the typical information you would use for answers to security questions, you should be treating them the same way as you do passwords. That means, make up fake answers and then store them in your password manager.

You also have to remember that security questions and answers are specifically made for talking to humans, not computers. So, you don’t have to add symbols or numbers. Instead, make your answers both wrong and uncommon. Your high school mascot? How about a chupacabra or a dung-beetle? Your mother’s maiden name? Why not Supercalifragilisticexpialidocious or Barnabymarmaduke? Get creative with it.

Limit Authentication Requests on all of Your Internal Programs

When hackers are using bots to launch a credential stuffing attack against you, they will input hundreds or even thousands of credentials in quick succession. You can limit the cybercriminals’ ability to do this by having either your internal IT team or IT partner set up a cap on the number of login attempts that can happen from an IP address within a given period.

If an actor three or five times in a row to access an account and gets the password wrong each time, the account then becomes locked, so in order for the user to access it again, they will have to reset their password and the administrator will have to unlock it. If an actor(s) from a single IP address attempts a limited number of times (5) to use invalid user ID’s then the IP address can be blocked.

Flag Unrecognized Devices

A credential stuffing attack will likely come from an unrecognized device. Your company should be using approval-based access, which only lets previously approved devices on to your network. That way if a new and unfamiliar device tries to connect, an alert allows your IT team or administrator to take appropriate steps to either verify or continue blocking a user.

Teach All of Your Employees Cybersecurity Best Practices

Not all of your cybersecurity has to do with applications and passwords. The biggest threats to your systems are your own staff not following best practices, company policies, or IT usage rules. The best way to help minimize employee security risk is through education. You should teach your employees how to spot phishing attempts, educate them about credential stuffing, shadow IT, and proper password usage.

You should hold regular training sessions, once a month or once a quarter, to update your team on the latest hacking schemes, cybersecurity threats, and how to avoid them. All of this can be coordinated with your IT team.

As long as you follow best practices and take the steps highlighted above, you will be much safer when it comes to credential stuffing attacks. For help with managed security IT security solutions, contact Custom Information Services today!

What is credential stuffing (and how to protect yourself)

what is Credential Stuffing Attack?

Credential stuffing is the use of a collection of stolen usernames and passwords to gain unrelated access of other user accounts. Billions of hackers use Credential stuffing in past few years. These credentials are used for to takeover everything accounts, passwords, usernames and so more. Credential stuffing attacks are the most common methods for cybercriminals to steal unrelated usernames and passwords.

Cybercriminals rely on human error to make their Credential stuffing attacks successful, by using the same username or password on many different sites. Research shows that about 85 percent of all users recycle their username or passwords on many different accounts.

How is Credential Stuffing carried out?

Obviously, hacker’s doe’s not stolen credentials by manually they need billions of stolen login credentials to get the success of their Credential stuffing attacks.

Cracked credentials are packed into botnets that launch the automated login attempts. One botnet can be used in thousands of login attempts in an hour. For instance, in the year of 2016 a credential attack used a botnet that sent more than 270,000 login requests on various sites in an hour.

How credential stuffing attacks are effective?

Credential stuffing is easiest and effective attacks with a great rate of return because every element of Credential stuffing can be automated. Director of digital risk solutions Angel Grant states in The Daily Swig .

“Today, there are about billions of stolen credentials present to buy in the dark web, and its means they’re being offered at very low prices”, $1-2 per account.

US threat intel estimates the success rate of credential attempts which is about 1-3%. This may be a very low value, but when you scaled it up to, say, one million username or passwords are the victim of credential attacks, cybercriminals have enough potential to enjoy a huge return on investment.

Most important thing, if malicious hackers can easily attach on one account, that’s mean, they can also attempt to attack on others accounts of the same user.

How you can detectCredential stuffing attacks?

There are many ways to detect credential stuffing attack.

  • Check abnormal attempts of login to an account.
  • Check access attempts to various accounts.
  • Finding known malicious endpoints to use the credential by their IP address or fingerprinting methods.
  • Finding automation software use in the login process.
  • Eliminate login that are based on credentials and replace these logins with others password.

How you can protect yourself from a Credential Stuffing Attack?

The best and excellent ways to protect yourself from Credential attacks are the following.

  • The simplest or easy way for most of the user’s to protect yourself is to use unique passwords or username for each website or each account. This way is best for that person who has very sensitive information such as bank account or credit card details.
  • Two factors authentication or multiple factor authentication make Credential account attack harder for hackers. These depend on second means of validation, or on requiring your password or username.
  • If you find any difficulty or confusion about remembering various passwords or usernames then you should use a reliable password manager. But be sure about its security.

Protect Your Passwords

Your password is very important for you and it is like a key to your house. It should be unique, powerful, and most important thing, you should keep it in a safe and secure place at all times.

These should be memorable. You can also try various password tools that can help you to make your password unique or memorable. Then this can be hard for hackers to attack.

Final thoughts

Credential stuffing attacks are the most useable way to take passwords, usernames or other credentials stuff. But by taking some precautions you can prevent yourself and your sensitive data. The best defense against it the use of unique passwords for each account or each site.

Hope, this article will help you to protect your sensitive data, like your bank account information. Go, now and keep your sensitive data in a secure manner.

Posted on February 5, 2019

In today’s threat briefing, I want to discuss credential stuffing.

Video sharing platform Daily Motion recently announced that they suffered a credential stuffing attack, which led to multiple accounts getting compromised. Let’s explore what credential stuffing is and how to protect yourself against it.

What is Credential Stuffing?

Credential stuffing is a type of cyber attack where hackers use usernames and passwords that they might have downloaded from other websites or the deep web. Or, maybe they bought it off the black market from one of the recent data breaches. They use those usernames and passwords to gain illegal access to other user accounts on other websites.

Data Breaches are the New Normal

Daily Motion isn’t the only company that has suffered this type of attack. High profile social news site Reddit also recently announced that they had many accounts suffer the same type of credential stuffing attack where their users were compromised. With data breaches becoming the new normal, this is a natural progression for what is to come. Enterprises and everyday people need to protect themselves.

Three Ways to Protect Against Credential Stuffing

  • The easiest way to protect yourself from credential stuffing is: don’t reuse passwords.
  • Use a password manager to help you manage your passwords. These tools help you create a unique and strong password for every website and login. They are really easy to download and use. Plus, they’re all over the place, and there are some good ones out there.
  • Enable two factor authentication for any system or site that supports it. Two-factor authentication is a method that uses multiple (two) different factors to verify and confirm a user’s claimed identity. Typically, users are asked for something they have and also for something they know. For instance, the system may ask a bank customer for their ATM card (something they have) as well as for their account pin number (something they know).

That’s all! Thanks for watching today’s threat briefing. I’ll see you next time.

Masergy Managed Security Services

Today’s threat landscape requires a rigorous approach to cyber security that goes beyond prevention to include rapid detection and response. Masergy’s Managed Security solutions offer comprehensive managed detection and response services on a global scale, tailored to meet any budget. When you need to take the workload off of your staff, Masergy can help you optimize your security resources and improve outcomes.

Trevor Parks

Trevor Parks is the director for security solutions at Masergy. He is responsible for guiding the development, evolution and implementation of Masergy’s Unified Enterprise Security services platform. Trevor contributed to the development of the patented Network Behavioral Analysis technology at the core of the Masergy’s security solutions aimed at detecting APTs and other advanced threats effecting customer networks.

What is credential stuffing (and how to protect yourself)

A user has one of their online accounts hijacked, and the first thing they ask themselves is: ‘How did the hackers get their filthy hands on my password?’. They’re angry and they want answers. When the replies are delayed, they get even more frustrated.

It’s a natural reaction, but let’s stop for a moment and think about what it is like on the other side of the fence. Put yourself in the shoes of a service provider.

You’ve read countless blog posts, articles, and research papers. You’ve seen security specialists explain what you should and shouldn’t do, and unlike many other online services, you don’t think that a statement involving the words “security” and “seriously” is a tool for calming down hordes of angry users. Your connection is secure, your authentication system salts and hashes users’ passwords and stores them securely. Your servers and all the software applications you use are monitored constantly and patched regularly. And yet, somehow, hundreds of your users got their accounts compromised, and you’ve no idea how that happened. Your users have most likely fallen victim to a credential (or password) stuffing attack.

Suffering the consequences of someone else’s security shortcomings

Credential stuffing is the name of a multi-stage attack that is becoming more and more popular. It’s made possible by the fact that far too many websites and online services don’t do enough to protect users’ sensitive data. Login credentials are stored in plain text, for example, and the databases they’re put in are exposed to the World Wide Web without any form of protection.

For even less sophisticated cybercrooks, hacking these websites is child’s play, and they try to scrape as many login credentials as possible. Leaked usernames and passwords are regularly traded on hacking forums as well, which is good news for the cybercrooks because in most cases, they use hacked databases from multiple websites to stage a single credential stuffing attack.

Trying to hijack accounts by typing all the usernames and passwords from a single IP will take years and will likely trip the lockout mechanisms on many websites. That’s why, the cybercrooks use botnets (groups of compromised computers and devices connected to the internet) and scripts that determine whether the stolen credentials work. They don’t try them on the websites from which they were stolen, though.

They try them on websites and online services where compromising an account could be much more lucrative. And because a vast number of people use the same password across multiple websites, the hackers’ attempts are often successful.

Is it fair to blame it all on the user?

Most users know that they shouldn’t do it. Many of them know that solutions like Cyclonis Password Manager will help them avoid it. Yet, they continue to use identical passwords for many accounts. You might say that they are to blame for the existence, and, more specifically, for the popularity of credential stuffing attacks.

The truth is, however, everybody has to pull their own weight. The fact that an online forum stores no payment information doesn’t mean that its owner should neglect security. In much the same way, a user shouldn’t feel comfortable knowing that the same string of letters and numbers protects both their online banking account and a forgotten profile at a social network nobody uses anymore. Everybody should be aware of the problem and should do what they can to fix it.

Let’s be realistic, though, how likely is this to happen?

Well, consider this: it’s easier than ever to create a website. In an attempt to get people to sign up, marketing departments the world over say that even your grandmother can do it. This is unlikely to change any time soon.

We realize that there are exceptions, but usually, grandmothers aren’t best qualified to design a system that’s centered around the user’s security and privacy. Unfortunately, this is unlikely to change any time soon as well. Inevitably, one day, you will end up signing up for a website that someone’s grandmother designed, and if you reuse your password, you’ll soon be in a world of trouble.

So, like it or not, as a user, the ball is in your court.