Credential Stuffing

Credential stuffing is when hackers take usernames and passwords stolen from one website and try them everywhere else. If your Netflix password was stolen and you used the same password for your bank, they'll get into your bank too. Hackers use automated tools to try millions of stolen passwords across hundreds of websites in minutes.

What is Credential Stuffing?

Credential stuffing is an automated attack where hackers use lists of stolen username/password combinations from one breach to try logging into other websites. Since many people reuse passwords, these attacks are surprisingly effective.

Why Should You Care?

If your employees use the same password for personal accounts and work systems, your business is at risk every time any website gets breached. Credential stuffing attacks are responsible for billions of dollars in fraud annually. They're also why "your account was accessed from a new location" warnings exist.

Real-World Example

An employee used the same password for their LinkedIn account and their company VPN. When LinkedIn was breached years ago, that password ended up on hacker lists. In 2024, attackers used automated tools to try those old credentials - and got into the company network. The breach cost the business 6 weeks of investigation and $200,000 in remediation.

How to Protect Against Credential Stuffing

  1. Use a unique password for every account (use a password manager such as Bitwarden)

  2. Enable 2FA on all accounts, especially email and financial

  3. Check if your credentials have been in known breaches (Have I Been Pwned)

  4. Change any passwords that appear in breach databases

  5. Implement account lockouts after failed login attempts

  6. Monitor for impossible travel or suspicious login locations
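As an added example (not part of this glossary), the detection logic behind steps 5 and 6, run in Python over a constructed login log. Stuffing tools usually try one password per account, so a per-account lockout rarely fires; the first check instead flags a single source that touches many different accounts, and the second flags impossible travel between two successful logins. The log format, coordinates and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample auth log: (utc time, username, source ip, success, lat, lon).
# Coordinates stand in for whatever IP-to-location lookup your log system provides.
LOG = [
    ("2024-05-01T09:00:00", "alice", "203.0.113.7", False, 48.86, 2.35),
    ("2024-05-01T09:00:01", "bob",   "203.0.113.7", False, 48.86, 2.35),
    ("2024-05-01T09:00:02", "carol", "203.0.113.7", False, 48.86, 2.35),
    ("2024-05-01T09:00:03", "dave",  "203.0.113.7", True,  48.86, 2.35),
    ("2024-05-01T08:30:00", "dave",  "198.51.100.9", True, 40.71, -74.01),
    ("2024-05-01T10:00:00", "erin",  "192.0.2.44", True,  51.51, -0.13),
    ("2024-05-01T10:05:00", "erin",  "192.0.2.44", False, 51.51, -0.13),
]

def parse(entry):
    ts, user, ip, ok, lat, lon = entry
    return datetime.fromisoformat(ts), user, ip, ok, lat, lon

def stuffing_sources(log, min_users=3):
    """Source IPs that tried at least min_users distinct accounts: the stuffing
    signature that a per-account lockout (one failure per user) never sees."""
    users = defaultdict(set)
    for _, user, ip, _, _, _ in map(parse, log):
        users[ip].add(user)
    return {ip for ip, seen in users.items() if len(seen) >= min_users}

def km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(log, max_kmh=900):
    """Users with two consecutive successful logins whose implied speed exceeds max_kmh
    (900 km/h is roughly airliner speed); returns {user: (earlier ip, later ip)}."""
    by_user = defaultdict(list)
    for t, user, ip, ok, lat, lon in map(parse, log):
        if ok:
            by_user[user].append((t, ip, lat, lon))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = km(la1, lo1, la2, lo2)
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                flagged[user] = (ip1, ip2)
    return flagged
```

In the sample log, 203.0.113.7 is flagged because it walked through four accounts in four seconds, and dave is flagged because a New York login is followed half an hour later by one from Paris.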
