What is credential stuffing?

We’re answering the question, “What is credential stuffing?”

Your credentials are your username and password, like jsmith and password123.

Credential stuffing is an attack using your name and passwords — along with a lot of other people’s names and passwords — to try to break in to accounts.

Watch here:

How it Works

The bad guys heist a load of usernames and password from a site or database, or maybe buy it on the dark web.

Then they use their automated bot army to “stuff” login pages with your data, thus the name “credential stuffing.”

Since many people use the same password on multiple accounts, the crooks eventually get through.

For example, if you used your email as a user name and the password “Iloveyou” on one account, they’ll use automation to try that password on your other accounts.

You probably used it on another account as well.

If they get a match, they raid your account for money or rewards points or your personal info.

Or, they may sell your “ripe” username and password for money on the dark web, so someone else can use your account for crime.

Mass Attack

They can attack thousands of accounts at the same time.

A new report from security company Akamai says just one bot alone can hit more than a hundred sites at once.

Attackers tried this siege more than ten billion times in 2018.

Another report says four out of five logins on many sites, like travel sites, are fakes — the bad guys’ bots stuffing in your passwords to try to get a match.


Dunkin Donuts drink & donut. The company was hit with a credential stuffing attack.Reports say attackers hit Dunkin’ Donuts rewards points members with credential stuffing. Image: StockSnap


If you have an account on Reddit, Turbo Tax, Nest or Dunkin’ Donuts, you may already be a victim of credential stuffing.

Reports say these companies fell victim to these attacks just in the past six months.

Many other companies are constantly under attack from credential stuffers.


The solution?

—Don’t re-use passwords.

—Come up with a different one for each account.

—Store them in a password manager if needed to help you remember.

—Use two-factor authentication.


See more from Archer News:

What is a DDoS?

What is a password manager?

What is 2-factor authentication?



Main image: Stuffed animals at a carnival. Image: Paul Brennan

Leave a Reply