What is Credential Stuffing | MetaCompliance

Credential stuffing has dominated cybersecurity headlines in recent years and has quickly become one of the most common attack methods used by cybercriminals worldwide.

A credential stuffing attack occurs when attackers use large volumes of stolen usernames and passwords to gain unauthorised access to online accounts. These credentials are typically sourced from the dark web following major data breaches affecting organisations across every sector.

Using automated bots and specialist tools, cybercriminals test stolen login details across multiple websites at scale. Because many people reuse the same password on different platforms, this attack method is highly effective and relatively easy to execute.

Credential stuffing is a form of brute force attack, but rather than guessing random password combinations, attackers rely on legitimate credentials. This significantly increases their success rate and makes the attack harder to detect.

The primary motivation behind credential stuffing attacks is financial gain. Once accounts are compromised, attackers may access linked bank accounts, resell accounts on the dark web, or exploit personal data to commit identity theft.

What’s Fuelling the Growth in Credential Stuffing Attacks?

The rapid rise in credential stuffing attacks is largely driven by the vast volume of compromised credentials available online. HaveIBeenPwned.com currently tracks over 8.5 billion exposed credentials from more than 400 data breaches, many of which involve millions of records.

One of the most significant incidents was the Collection #1 breach, which surfaced in 2019. This breach exposed 1.2 billion username and password combinations, including 773 million unique email addresses and 21 million unique passwords.

Access to such large datasets enables attackers to rapidly test millions of email and password combinations, exploiting the widespread habit of password reuse.

At the same time, increasingly sophisticated automation tools allow attackers to distribute login attempts across multiple IP addresses, making credential stuffing attacks harder to identify and block.

What Industries Are Affected by Credential Stuffing Attacks?

Credential stuffing attacks can affect any organisation with user login functionality. However, industries that store financial data or high-value personal information are particularly vulnerable.

The most commonly targeted sectors include e-commerce, retail, financial services, entertainment, higher education and healthcare.

Financial services organisations have been hit especially hard. The FBI has warned that credential stuffing accounted for 41% of financial sector cyberattacks between 2017 and 2020, resulting in losses totalling millions of dollars.

Beyond financial losses, the impact of credential stuffing can include operational disruption, regulatory penalties, reputational damage and long-term loss of customer trust.

Examples of Recent Credential Stuffing Attacks

Several high-profile organisations have suffered data breaches caused by credential stuffing attacks, including:

  • Dunkin’ Donuts – In 2019, Dunkin’ Donuts confirmed multiple credential stuffing attacks targeting its DD Perks rewards programme. Attackers accessed user accounts using credentials leaked from other breaches and sold the compromised accounts on the dark web.
  • Nintendo – In 2020, Nintendo disclosed that 160,000 user accounts were compromised through credential stuffing. Attackers used reused credentials to access accounts, make unauthorised purchases and view sensitive personal information.

How to Prevent Credential Stuffing Attacks

Use Strong, Unique Passwords

Despite widespread awareness, password reuse remains common. A Google security survey found that 65% of people reuse the same password across multiple accounts.

This behaviour significantly increases the risk of credential stuffing. Using strong, unique passwords for every account is essential to reducing exposure.

Creating a passphrase is an effective approach. A passphrase combines multiple memorable words and can be strengthened further by adding numbers and symbols.

Use a Password Manager

Password managers securely store and encrypt all your login credentials, allowing you to use strong, unique passwords without needing to remember them all.

Most password managers automatically fill in login details only on legitimate websites, helping to protect against phishing attacks as well as credential stuffing.

Implement Multi-Factor Authentication (MFA)

Multi-factor authentication adds an extra layer of security by requiring additional verification beyond a username and password.

Even if credentials are compromised, MFA can prevent attackers from accessing accounts without the second authentication factor.

Monitor and Block Suspicious Login Attempts

Credential stuffing attacks often generate high volumes of failed login attempts in a short period of time.

Organisations can reduce risk by implementing rate-limiting, monitoring login patterns, and blocking IP addresses associated with suspicious or fraudulent activity.
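The monitoring described above, as an added example that is not part of the MetaCompliance page: it runs over a constructed authentication log (the line format, addresses, usernames and thresholds are all assumptions) and flags a source address that tries many different usernames with only one or two attempts each, which is the credential-stuffing shape rather than the single-account brute-force shape, and lists the accounts that logged in successfully inside that spray so they can be reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, assumed format: "<ISO time> <ip> <user> <ok|fail>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.9 alice fail
2024-05-01T10:00:02Z 203.0.113.9 bob fail
2024-05-01T10:00:03Z 203.0.113.9 carol fail
2024-05-01T10:00:04Z 203.0.113.9 dave ok
2024-05-01T10:00:05Z 203.0.113.9 erin fail
2024-05-01T10:00:06Z 203.0.113.9 frank fail
2024-05-01T10:00:07Z 203.0.113.9 grace fail
2024-05-01T10:00:08Z 203.0.113.9 heidi fail
2024-05-01T10:03:30Z 198.51.100.7 alice fail
2024-05-01T10:04:02Z 198.51.100.7 alice ok
"""

def parse(text):
    """Turn log lines of the assumed format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ok": result == "ok"})
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                    min_users=6, max_attempts_per_user=2.0):
    """Flag source IPs that hit many distinct usernames with few attempts each
    inside one window. A low attempts-per-user ratio separates stuffing (one
    leaked pair per account) from brute force. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        busiest, start = [], 0
        for end in range(len(evs)):  # sliding window: densest span per IP
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > len(busiest):
                busiest = evs[start:end + 1]
        users = {e["user"] for e in busiest}
        if (len(busiest) >= min_attempts and len(users) >= min_users
                and len(busiest) / len(users) <= max_attempts_per_user):
            # successful logins inside the spray are accounts to reset and notify
            alerts.append({"ip": ip, "attempts": len(busiest), "users": len(users),
                           "compromised": sorted(e["user"] for e in busiest if e["ok"])})
    return alerts

print(detect_stuffing(parse(SAMPLE_LOG)))
```

The second address (one failure, then a success, on a single account) is ordinary user behaviour and is not flagged; blocking decisions should combine this signal with rate limiting rather than act on one threshold alone.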

Learn More About MetaCompliance Solutions

Preventing credential stuffing requires more than technical controls alone. Building cyber-aware employees and reducing human risk are critical to protecting accounts and sensitive data from misuse.

Explore our comprehensive suite of solutions designed to protect your organisation, reduce human risk, and enhance cyber resilience. Our Human Risk Management Platform encompasses:

To see how these solutions can help mitigate credential-based attacks and strengthen your organisation’s security posture, contact us today to book a demo.

Credential Stuffing FAQs

What is credential stuffing?

Credential stuffing is a cyberattack where stolen usernames and passwords are reused to gain access to multiple online accounts.