Cyber Security Training & Software for Companies | MetaCompliance


Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters



Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 

Financial Services

Creating A First Line Of Defence For Financial Service Organisations


A Go-To Security Awareness Solution For Governments


A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives



From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

MetaCompliance | Cyber Security Training & Software for Employees


With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes


Meet the MetaCompliance Leadership Team


Stay informed about cyber awareness training topics and mitigate risk in your organisation.

What is Credential Stuffing?

What is Credential Stuffing

about the author

Share this post

Credential stuffing has been dominating the headlines in recent years and has fast become the attack method of choice used by cybercriminals.

Between January 1, 2018, and December 31, 2019, Akamai Technologies recorded more than 88 billion attacks across all industries. This figure is only expected to rise with the increase in data breaches and the massive shift to online services during the Covid-19 pandemic.

Credential stuffing attacks occur when criminals use large amounts of stolen usernames and passwords to fraudulently gain access to user accounts. This information is typically obtained on the dark web as a result of one of the many corporate data breaches.

Using large scale bots and specialist automation tools, hackers can then use these stolen credentials to attempt multiple login requests across various sites. This type of attack is relatively easy to execute and relies heavily on people reusing the same password.

It’s really a type of brute force attack, but instead of guessing random password combinations, it uses legitimate credentials, thereby improving the overall success rate.

Like most cyber attacks, the primary motivation is financial. Hackers will attempt to monetise compromised accounts by gaining access to linked bank accounts, or they will use the personal data to commit identity theft.

What’s Fuelling the Growth in Credential Stuffing Attacks?

What's fuelling growth in credential stuffing attacks

Quite simply, it’s the billions of compromised credentials that are readily available to buy on the dark web. The website tracks over 8.5 billion compromised credentials from over 400 data breaches, and some of these breaches are absolutely colossal.

The most notable example of this is the Collection #1 mega breach. The breach came to light in 2019, exposing 1.2 billion unique email addresses and password combinations, 773 million unique email addresses, and 21 million passwords.

This easy access to vast amounts of data enables hackers to test millions of different email and password combinations in the hope that users will have reused the same password.

The increasing sophistication of the tools that hackers are now using to launch these attacks has also made it easier to attempt multiple login attempts whilst appearing to originate from different IP addresses.

What Industries are Affected by Credential Stuffing Attacks?

All industries are targets for credential stuffing attacks, but some are more susceptible than others. The most heavily targeted include e-commerce, retail, financial services, entertainment, higher education and healthcare services.

The financial services industry has been hit particularly hard, and in September of this year, the FBI issued a warning to organisations in the financial sector about the spike in these attacks. The agency found that 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the loss of millions of dollars.

These types of attacks can have devastating consequences for businesses including; loss of revenue, operational downtime, reputational damage, financial penalties and loss of customers.

Examples of Recent Credential Stuffing Attacks

There’s been a notable increase in the number of data breaches resulting from credential attacks. Some recent examples include:

  • Dunkin Donuts – In February 2019, Dunkin Donuts confirmed that it had suffered a credential stuffing attack, the second to take place within the space of three months. In both attacks, hackers used stolen credentials that were leaked from other sites to gain access to DD Perks reward accounts. Once in, they were able to access users’ first and last names, email address, DD Perks account numbers and the DD Perks QR code. In this specific attack, it wasn’t the user’s personal information that the hackers were after, it was the account itself, which they then sold on the dark web.
  • Nintendo – In April 2020, Nintendo announced that 160,000 accounts had been breached in a credential stuffing attack. Using previously exposed user IDs and passwords, hackers were able to gain access to user accounts, enabling them to purchase digital items using stored cards. They were also able to view sensitive data including name, email address, date of birth, gender, and country.

How to Prevent Credential Stuffing

Strong Password Security

Prevent Credential Stuffing strong passwords

We all know the importance of using strong and unique passwords, yet according to a recent security survey by Google, 65% of people use the same password across multiple accounts.

This is an extremely risky practice as credential stuffing attacks rely heavily on us using the same old reused passwords. It may be something you keep meaning to get around to, but it’s worth doing a digital clean up and creating unique passwords for each of your online accounts.

A great way to create a longer and more complex password is to use a passphrase. A passphrase is a sentence like string of words that is memorable to you but difficult for anyone else to crack. The first letter of each word will form the basis of your password and letters can be substituted with numbers and symbols to make it even more secure.

Use a Password Manager

If the thought of remembering multiple passwords fills you with dread, then a password manager may be the solution. A password manager provides a centralised and encrypted location that will keep a record of all your passwords safe.

Password managers store login details for all the websites that you use and then logs you in automatically each time you return to a site. The first step when using a password manager is to create a master password. The master password will control access to your entire password database. This password is the only one you will have to remember so it’s important to make this as strong and secure as possible.

Password managers can also protect against phishing attacks as they fill in account information based on your registered web addresses. This means that if you think you’re on your bank’s website, but the password manager doesn’t automatically log you in, you may have inadvertently strayed onto a phishing site.

Implement Multi-Factor Authentication

Prevent Credential Stuffing MFA

Multi-factor authentication, otherwise known as MFA, is one of the best ways to protect the security of your online accounts. In fact, according to Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.

Rather than just confirming your identity with a simple username and password, you will have to provide two or more authenticating factors which only you can access. This reduces the chance of a hacker being able to gain easy access to your accounts.

There are lots of different authentication technologies that can be used to confirm your identity and these are usually based on; something you know, something you have, or something you are.

Some of these verification methods are undoubtedly more secure than others but essentially it means that even if someone steals or guesses your password, they won’t be able to access your account without another authenticating factor.

Monitor and Block Suspicious Login Attempts

When hackers attempt to compromise accounts via credential stuffing, they often use bots or other automated tools to input thousands of credentials in quick succession. These are usually spread across multiple IP addresses, which makes it difficult to determine if they are legitimate login attempts or signs of a coordinated attack.

However, if there are several failed login attempts over a relatively short period of time, this can be a sign that a credential stuffing attack is taking place.  To prevent this from happening, IT departments can set a limit on the number of login attempts that any single IP address can make within a certain time frame. They can also track logins that result in fraud and blacklist these IP addresses.

Cyber Security Awareness for Dummies

Other Articles on Cyber Security Awareness Training You Might Find Interesting