Credential stuffing is an automated cyber attack technique in which a computer program or hacker attempts to gain access to a system or service by using lists of username and/or password combinations. It is a type of brute-force attack, an attack that involves systematically attempting multiple passwords or passphrases until the correct one is discovered.

Credential stuffing relies heavily on illegally purchased or otherwise acquired lists of previously stolen credentials (typically email addresses and passwords). The attacker then attempts to reuse these credentials on other sites across the web, hoping to gain access to more accounts and services. In many cases, users reuse the same username/password combination on multiple websites, or rely solely on weak passwords.

This attack vector is possible due to the sheer number of compromised databases available on the web, often acquired via other cyber attacks such as data breaches. As a result of this, organisations with exposed credentials are particularly vulnerable to credential stuffing.

The impact of successful credential stuffing attacks can be severe, ranging from financial losses due to stolen funds from targeted accounts or fraudulent purchases, to destruction of critical sensitive data through a data breach. Moreover, many accounts feature additional security settings such as two-factor authentication (2FA) or multi-factor authentication (MFA) that are not always enabled, leaving them exposed to credential stuffing.

Organisations and individuals can protect against credential stuffing by regularly changing passwords, using strong passwords with a combination of characters, using a password manager to generate random passwords, and turning on two-factor authentication (2FA) so that any attempt with the wrong password is blocked immediately while the user is sent a notification on their linked device. Password resets should also be prevented from known ‘stuffed’ email addresses, and organisations must ensure that regular security monitoring and intrusion detection systems are in place.
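
The security monitoring recommended above can look for the pattern that separates credential stuffing from a brute-force attack on a single account: one source failing logins for many different usernames, with only an attempt or two against each. The following is an added example, not code from the original page; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: (time, source_ip, username, success).
    IP addresses are taken from the RFC 5737 documentation ranges."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Source A: one attempt each against many accounts (stuffing pattern).
    for i in range(8):
        events.append((t0 + timedelta(seconds=10 * i), "203.0.113.7", f"user{i}", i == 5))
    # Source B: many attempts against one account (single-account brute force).
    for i in range(8):
        events.append((t0 + timedelta(seconds=10 * i), "198.51.100.9", "admin", False))
    # Source C: an ordinary user who mistypes once, then logs in.
    events.append((t0, "192.0.2.4", "alice", False))
    events.append((t0 + timedelta(seconds=20), "192.0.2.4", "alice", True))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_per_user=2.0):
    """Flag sources that fail logins for many distinct users within `window`.

    Returns {source_ip: {"users": n, "attempts": n, "compromised": [names]}}.
    The thresholds are illustrative assumptions to be tuned per environment.
    """
    by_source = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_source[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            failed_users = {u for _, u, ok in span if not ok}
            attempts = len(span)
            if len(failed_users) >= min_users and attempts / len(failed_users) <= max_per_user:
                # A success inside a flagged window is a likely account takeover.
                hits = sorted({u for _, u, ok in span if ok})
                # Keep the most recent qualifying window for this source.
                findings[ip] = {"users": len(failed_users), "attempts": attempts, "compromised": hits}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(build_sample()))
```

Accounts listed under `compromised` are candidates for a forced password reset and session revocation. Attackers who spread attempts across many source addresses will not trip a per-source rule, so the same grouping can be applied to other keys an environment logs.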
