Credential stuffing: The password-hacking method you need to avoid

A sign-in prompt on a screen, asking for a username and password.
(Image credit: Iurii Stepanov/Shutterstock)

If you need a reason — and there are many — not to reuse the same username and password for online accounts, you might start with improving your chances of avoiding  a specific, but very common, type of cybercrime: the credential stuffing attack

Credential stuffing is a form of brute-force password attack that takes advantage of people who recycle their login information — i.e., their credentials — across multiple accounts.

A 2020 report from Atlas VPN found that approximately 3.6 million credential-stuffing attacks were launched every hour. While only a small percentage were successful, the consequences are high: Credential-stuffing attacks cost $6.4 billion in damages from 2015 to 2020. 

So how does credential stuffing work, and how can you avoid it? 

Credential stuffing 101

In a credential-stuffing attack, hackers take usernames and passwords that have been leaked in data breaches and start plugging them into other websites in hopes of accessing poorly secured accounts.

This method is a brute-force attack of sorts because cybercriminals will try multiple sets of credentials on multiple accounts in what amounts to a fast-paced guessing game.

The difference from regular brute-force attacks is that the guesses aren't entirely random. Thanks to our tendency to recycle login credentials, the hackers have already acquired the usernames and passwords. They're just not sure which accounts the credentials will unlock.

One key unlocks many doors

Let's say you use the same username and password for your primary email account, your online bank account, a social-media account and an account on a shopping site.

Now let's say one of those four accounts is compromised in a data breach. The hackers now have the credentials to log into those other accounts of yours, which might contain sensitive information such as credit card numbers, bank information or private messages. 

These bad actors just have to try hard enough, for long enough, to find those other accounts.

That's where the automated tools come into play. The tools can hammer websites with thousands of login attempts per hour. They also can make malicious login requests look legitimate, which may make it hard to detect when these attacks are happening. 

While the success rate for any single credential-stuffing login attempt is estimated at between 0.1%, and 2%, your chances of falling victim aren't insignificant. If an automated tool can test 100,000 sets of credentials on a single website, then the yield could be between 100 and 2,000 accounts. You don't want your accounts to be among them.

It's not like there's any shortage of stolen credentials to work with. The website HaveIBeenPwned, which lets you check if a password or usernames has been exposed in a data breach, currently holds nearly 11.5 billion sets of compromised login credentials.

Major data breaches occur regularly and have impacted companies like Facebook, T-Mobile, Microsoft, Walgreens and many more. Breach can be vast —, everyone who had a LinkedIn account in 2012 had their login credentials stolen, and so did everyone who had a Yahoo account in 2013.

How to avoid credential stuffing

The most important action you can take right now — seriously, this minute — is to start changing your passwords. Start with any credentials that you use across multiple websites, ensuring that no passwords are repeated, especially if you rely on your email or a small handful of usernames. 

While you're at it, go ahead and do some password-hygiene work on accounts that contain sensitive personal information, starting with anything hackers could use to steal your identity or your money. That includes every banking or financial account, every website that has stored your credit-card number and every social-media site.

Any of your credentials could be compromised in a data breach, but using strong, unique passwords can help protect your accounts from being accessed via credential stuffing. 

Here are a few tips for protecting your online passwords

  • Make your passwords unique. As we've mentioned, credential stuffing works because people tend to use the same passwords over and over. Don't do this. You can also create additional usernames by setting up new email addresses for free in Gmail or Outlook.com. 
  • Make your passwords stronger. Passwords should be at least 16 characters long with a mix of upper-case and lower-case letters as well as special characters or punctuation marks. They should also be random — never use real words or names or numbers that are relevant to you (such as your birthdate). 
  • Set up multi-factor authentication (MFA), also known as two-factor authentication. This isn't about your passwords, per se, but MFA will prevent a hacker from logging into your account even if they have your credentials. MFA requires you to provide a third item, such as a one-time-use passcode or a hardware security key, if the website detects that you're trying to log in from a new device or location. You'll also be notified if someone is trying to access an account without permission. MFA is considered one of the best defenses against credential stuffing attacks. 

One reason we reuse basic passwords is because it's hard to remember many sets of complex credentials. A good password manager will store your logins and autofill them when you need them, so you don't have to memorize them or write them down on paper.

Plus, the best password managers have generators for creating strong, unique passwords. Some also have security dashboards that let you know if your info has been compromised in a data breach and which of your passwords have been reused. 

Credential stuffing doesn't have to be an inevitable outcome of spending time online. You can minimize your risk by cleaning up your usernames and passwords so that if one is compromised, the rest are not. 

TOPICS
Emily Long

Emily Long is a Utah-based freelance writer who covers consumer technology, privacy and personal finance for Tom's Guide. She has been reporting and writing for nearly 10 years, and her work has appeared in Wirecutter, Lifehacker, NBC BETTER and CN Traveler, among others. When she's not working, you can find her trail running, teaching and practicing yoga, or studying for grad school — all fueled by coffee, obviously.