
Credential Stuffing: Mass Attacks with Stolen Passwords

By Staff

Credential stuffing is a form of cyberattack where criminals use stolen usernames and passwords from breached websites to gain access to accounts on other services. This technique exploits the practice of users reusing the same passwords across multiple accounts.

Christian Aali Bravo from ESET explains that cybercriminals automatically test stolen credentials on thousands of websites. If a password works, they gain access to a real account.

Examples of credential stuffing attacks:

  • PayPal (2022): Approximately 35,000 accounts were compromised using stolen credentials.
  • Snowflake (2024): Approximately 165 client companies were affected, with attackers using stolen credentials to access corporate accounts.

How to protect yourself:

  • Never use the same password on multiple websites.
  • Enable two-factor authentication (2FA) where available.
  • Check if your credentials have been exposed in leaks using services like haveibeenpwned.com.

Protection for companies:

Companies should adopt additional security measures, such as limiting login attempts, using IP whitelists, and monitoring unusual login activity. Passwordless authentication, such as passkeys, is becoming increasingly important.

Credential stuffing remains an effective method for cybercriminals due to password reuse and inadequate security measures.

Source: OT
