UPDATED: August 28, 2022

If you spend a lot of time online and you have accounts on different platforms, be careful. You might be at risk of becoming a victim of credential stuffing. 

Criminals use stolen pieces of information to try to figure out passwords and gain access to accounts. In this article, we’ll teach you what credential stuffing is so you can set up the proper security measures to help protect your accounts and information.

We’ve reviewed authoritative sources on credential stuffing to understand how it works. We also gathered the best tips for users to protect their information and minimize the impact of data breaches.

When it comes to information security, the last thing you want is to skip important steps in securing your accounts. This can translate to costly impacts down the line. Keep reading until the very end to find the most straightforward way for you to protect your online accounts. 

What is credential stuffing?

Credential stuffing is a type of cyberattack that involves the illegitimate use of stolen credentials to gain access to user accounts. 

It's a form of authentication abuse in which attackers use stolen username and password pairs to try to log in to accounts on a target site, such as email, online banking, and social media accounts.

In this type of attack, the hackers obtain a large database of stolen credentials. They do this either by hacking into company databases themselves or by buying them on the dark web.

They then use automated tools or bots to submit large numbers of log-in requests on various websites in a short period. If successful, the attackers can then exploit the account or system for malicious purposes.

For instance, if they manage to gain access to your accounts, they can steal your sensitive data and use it to spam or phish other users, post malicious links, and make unauthorized purchases. They can even launch DDoS attacks or distribute malware with your information.

Because it relies on stolen credentials, credential stuffing is often successful in bypassing traditional security measures.

How can you detect credential stuffing?

There are several ways to check if you're the victim of credential stuffing or if a hacker is attempting to credential stuff your website or account.

1. Check for unusual log-in activity

If you notice an unusually high number of failed log-in attempts to your account, either from a single IP address or from different IP addresses from unfamiliar locations or devices in a short period, someone is likely trying to hack your account using credential stuffing.

2. Look for patterns in failed log-in attempts

Since credential stuffing attacks usually involve the use of automated tools or bots, there may be patterns in the failed log-in attempts. For instance, you may see the same passwords being used over and over again, or the same usernames with different passwords.

3. Look for sudden spikes in traffic or activity

If you're a business owner or you're operating a website that normally gets 1,000 visitors per day, and suddenly you're getting 10,000, that could be an indication that hackers are using automated tools to bombard your site with log-in attempts.

4. Unusual emails or calls from strangers

If you start receiving strange or unsolicited emails or calls from strangers, it's possible that your account has been compromised and someone is trying to use your personal information for nefarious purposes.
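For site owners, the first two signs above can be checked directly against an authentication log. The sketch below is an added example, not code from the original article. It flags bursts of failed log-ins per source IP and per account, then lists accounts that logged in successfully from a flagged IP. The log format, the five-minute window, the five-failure threshold and all function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2022-08-28T10:00:01 203.0.113.7 alice FAIL
2022-08-28T10:00:02 203.0.113.7 bob FAIL
2022-08-28T10:00:03 203.0.113.7 erin FAIL
2022-08-28T10:00:04 203.0.113.7 frank FAIL
2022-08-28T10:00:05 203.0.113.7 grace FAIL
2022-08-28T10:00:06 203.0.113.7 heidi OK
2022-08-28T10:03:10 198.51.100.20 dave FAIL
2022-08-28T10:03:25 198.51.100.20 dave OK
2022-08-28T11:00:00 192.0.2.11 carol FAIL
2022-08-28T11:00:30 192.0.2.12 carol FAIL
2022-08-28T11:01:00 192.0.2.13 carol FAIL
2022-08-28T11:01:30 192.0.2.14 carol FAIL
2022-08-28T11:02:00 192.0.2.15 carol FAIL
"""

def parse(log):  # yields (time, ip, user, result) for each log line
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def flag(log, key, window=timedelta(minutes=5), min_fails=5):
    """Group failed log-ins by 'ip' or 'user'. Return {value: n} for groups with
    min_fails failures inside one window; n counts the distinct users (or IPs)."""
    idx, other = (1, 2) if key == "ip" else (2, 1)
    groups = defaultdict(list)
    for rec in parse(log):
        if rec[3] == "FAIL":
            groups[rec[idx]].append((rec[0], rec[other]))
    flagged = {}
    for value, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= min_fails:
                flagged[value] = len({o for _, o in events[start:end + 1]})
                break
    return flagged

def accounts_to_review(log):
    """Accounts that logged in successfully from an IP flagged for a failure burst."""
    bad = flag(log, "ip")
    return sorted({u for _, ip, u, res in parse(log) if res == "OK" and ip in bad})
```

On the sample log, one IP failing against five different usernames is flagged, as is one account failing from five different IPs. A single mistyped password followed by a success is not flagged.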

How big is the credential stuffing threat?

Credential stuffing is a major threat to businesses and individuals alike.

In fact, according to Help Net Security, there were 193 billion credential stuffing attacks worldwide in 2020. And in the financial services sector alone, credential stuffing attacks have grown by 45% over the past year.

The credential stuffing threat is growing as attackers become more sophisticated and as the number of online account breaches continues to increase. Unfortunately, for the most part, protecting against credential stuffing attacks is up to companies or businesses that maintain databases of their customers' information.

To protect themselves, organizations need to implement strong security measures, such as multi-factor authentication and password rotation. They also need to educate their employees about the dangers of using weak passwords and reusing them across multiple accounts.

Only by taking these steps can organizations hope to protect themselves from this growing threat.

Of course, on your end, there are also security measures you can put in place to keep yourself protected from these kinds of attacks. We'll talk about those more in the following sections.

Where do attackers get credentials from?

Cybercriminals and hackers have multiple sources of credentials. Some of these include:

1. Data breaches

In many cases, the stolen credentials come from data breaches. In fact, according to the 2020 Data Breach Investigations Report from Verizon, 81% of data breaches involved the use of stolen or weak passwords.

When data is breached, sensitive information such as your name, address, and password is often exposed. In some cases, attackers will also buy or trade stolen credentials on the black market.

2. Phishing campaigns

Another common source of credentials is phishing campaigns. By tricking users into entering their login information into a fake website or form, attackers can easily obtain a large number of credentials.

3. Similar login credentials for multiple accounts

Cybercriminals take advantage of the fact that many people use the same username and password for multiple online accounts. If an attacker has a list of stolen credentials from one site, they can often use those same credentials to log in to other sites.

Credential stuffing attacks vs. brute force attacks

Credential stuffing and brute force attacks are two of the most common ways that hackers gain access to accounts. However, there are some key differences between the two techniques.

| Credential stuffing attacks | Brute force attacks |
| --- | --- |
| In a credential stuffing attack, the hacker takes advantage of stolen usernames and passwords to try to log in to multiple accounts in different websites and platforms. | In a brute force attack, the hacker tries to guess the password for an account without context or clues. Instead, they try many different combinations of login credentials until they successfully land on one. |
| Credential stuffing attacks require less work on the part of the hacker because they’re using stolen login credentials that are already more or less accurate. | Brute force attacks, on the other hand, take more time and effort as they work purely on chance. They’re often successful if you’re using weak passwords and usernames. |
| Because credential stuffing attacks use stolen login credentials, they’re typically more successful than brute force attacks. They’re also less likely to be noticed. | Brute force attacks have a lower success rate, and can be detected more easily by systems and users. Some platforms, for example, limit the number of times you can enter wrong login credentials before you and the hacker get locked out of the account. |

Ultimately, both credential stuffing and brute force attacks can be very dangerous, so it's important to take steps to prevent them.

The impact of credential stuffing

Credential stuffing is relatively simple to carry out, but it can have devastating consequences. One of the most serious effects of credential stuffing is identity theft.

When hackers gain access to your account, they can access your sensitive information such as your credit card numbers and Social Security number. They can use this information to open new accounts in your name, rack up huge amounts of debt, and ruin your credit score.

Credential stuffing can also lead to financial losses. Hackers may use stolen credentials to make unauthorized charges or withdraw money from your bank accounts. In some cases, they may even transfer money out of your investment accounts.

Also, credential stuffing can have a major impact on businesses. 

In addition to financial losses, if you’re a business owner, your organization may also suffer reputational damage if customer data is breached. You may also be subject to fines and other penalties if you fail to protect customer data adequately.

How to prevent credential stuffing attacks

As we mentioned earlier, protecting against credential stuffing attacks mostly falls on businesses that maintain databases of their clients’ information. However, there are also steps you can take to make it harder for cybercriminals to gain access to your accounts. 

1. Use strong, unique, and regularly updated passwords for all of your accounts

A strong password should be at least eight characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. 

A strong password, however, is simply not enough to stop a credential-stuffing attack since the hacker already has your password in hand. If you really want to minimize or eliminate the damage they can cause, make sure to use unique passwords for all of your online accounts and to update them regularly as well. 

Using unique passwords for your online accounts makes it so that if one password is compromised, your other accounts will remain safe. 

While it may be tempting to use the same password for all of your accounts, this isn’t recommended by security experts as it vastly increases the risk of your personal information being compromised.

Additionally, regularly updating the passwords for your online accounts will also help. Even if a hacker does gain access to your login credentials, there will be a higher chance that you’ve already changed your password to a different one by the time they use it.

2. Enable two-factor authentication (2FA) whenever possible

2FA is an additional layer of security that you can use to protect your online accounts. 

When 2FA is enabled, you’re required to provide two forms of identification to log in. This can include a combination of a password and a code that’s sent to your mobile phone, or a fingerprint scan and a code.

2FA adds an extra step to the login process, but it significantly increases the security of your account. Hackers who obtain your password won’t be able to access your account if you’ve enabled 2FA, as they’ll also need a second form of identification.

3. Avoid clicking on links or opening attachments from unknown senders

It's important to exercise caution when opening email attachments or clicking on links, especially if they’re from an unknown sender. Cybercriminals often use phishing techniques to trick people into clicking on malicious links or downloading malware-infected attachments.

4. Be careful about what information you share online

Hackers can use social engineering to obtain your credentials. As much as possible, don’t post or give out any sensitive information such as your address, phone number, Social Security number, date of birth, or bank account numbers unless necessary.

5. Keep your software up-to-date

Outdated software is one of the most common ways that hackers gain access to systems. 

Be sure to keep all of your software up-to-date, including your operating system, web browser, and plugins. When new versions of the software are released, they often include improved security features that make it more difficult for hackers to gain access to accounts.

6. Use a password manager to help you keep track of your passwords

When you use a password manager, you only have to remember one master password. 

The password manager will then generate and store strong passwords for all of your other accounts. This means that you don't have to use the same password for every account, which makes it much more difficult for hackers to guess your password and gain access to your accounts.

In addition, many password managers can also help you detect phishing attempts and other malicious activity.

7. Use a VPN (Virtual Private Network)

A VPN can help to prevent credential stuffing attacks by encrypting your data and making it more difficult for hackers to obtain your login credentials. It can also help to mask your IP address and make it more difficult for hackers to track your online activities.


Credential stuffing is a type of attack that can have a major impact on individuals and businesses alike. This is why you need to be vigilant about your online security and take precautions to protect your personal information.

By understanding the risks associated with credential stuffing and taking steps to mitigate those risks, we can all help protect ourselves from this increasingly common form of cyberattack.