Credential Stuffing

What is ‘Credential Stuffing’?

In very simple terms, credential stuffing is when a cyber criminal takes leaked or stolen login details and tries them on lots of different accounts (your email, social media, banking, credit cards and so on) to see whether the same username and password also open any of your other accounts.

Here is an analogy that many of us will relate to. I remember, growing up in the 80s, accidentally locking our car keys in the car. Thankfully, a local mechanic was available and came to our aid with a massive bunch of keys. After a few minutes of trying several keys, he found a key that opened our car and enabled us to gain access and continue our journey.

Applying that to credential stuffing: like the mechanic with his bunch of keys, cyber criminals buy stolen credentials and try them against all of your accounts to see whether you are using the same password. They do this at scale, using tools that can run many thousands of attempts simultaneously. For as little as $50 and a computer, a cyber criminal with a very basic skill level can gain access to your accounts this way.
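The pattern described above is also what gives credential stuffing away in a sign-in log: one source trying one password each against many different accounts, mostly failing. The following is an added example (not code from the original article) that flags that pattern over a constructed log; the log format, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
# Added example, not from the original article: spot the sign-in pattern that
# credential stuffing leaves in an authentication log. A brute-force attack
# hammers one account with many passwords; stuffing tries one leaked password
# per account across many accounts, so a single source shows many distinct
# usernames and a high failure rate within a short window.
# Log format, thresholds and all values below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2025-05-01T09:00:01 203.0.113.7 alice@example.com FAIL
2025-05-01T09:00:02 203.0.113.7 bob@example.com FAIL
2025-05-01T09:00:02 203.0.113.7 carol@example.com FAIL
2025-05-01T09:00:03 203.0.113.7 dave@example.com SUCCESS
2025-05-01T09:00:03 203.0.113.7 erin@example.com FAIL
2025-05-01T09:00:04 203.0.113.7 frank@example.com FAIL
2025-05-01T09:05:00 198.51.100.4 alice@example.com FAIL
2025-05-01T09:05:30 198.51.100.4 alice@example.com FAIL
2025-05-01T09:06:00 198.51.100.4 alice@example.com SUCCESS
"""

def parse_log(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: [accounts that logged in successfully during the burst]} for
    every source that, inside one sliding window, touched at least min_users
    distinct accounts with a failure ratio of at least min_fail_ratio. The
    successful accounts are the ones whose reused password worked and should
    have their passwords reset first."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(e[2] for e in chunk if e[3])
    return {ip: sorted(users) for ip, users in flagged.items()}
```

In the constructed log only 203.0.113.7 is flagged (six accounts, five failures in three seconds); 198.51.100.4 is a brute-force attempt against a single account and is deliberately left alone, because the two need different responses.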

Is this really an issue?

Cybernews recently carried out a study of over 200 data breaches between April 2024 and April 2025 and found that over 19 billion login details had been leaked, and that 94% of those credentials were reused or duplicates.

It's estimated that, on average, people have over 170 different websites and applications that they access in the course of their personal and professional lives, which makes having a unique password for each account near impossible.

Naturally, people end up using the same password for many of their accounts. Remembering even one password, let alone many, without writing it down or saving it somewhere is near impossible, so people reuse passwords and put themselves at significant risk.

Avoiding credential stuffing is all about creating robust barriers that make it difficult for attackers to exploit your credentials.

First and foremost, use unique passwords for every account. This way, even if one password is compromised, it can’t be used to access your other accounts. A password manager can be a lifesaver here, as it generates and remembers complex passwords for you, reducing the temptation to reuse them.

Next, enabling two-factor authentication (2FA) adds an additional layer of security. With 2FA, even if someone has your password, they won’t be able to access your account without a second form of verification, like a code sent to your phone. Many online services offer 2FA as an option, and it’s worth enabling wherever possible.

Another preventative measure is to regularly monitor your accounts for any unusual activity. This includes checking your bank statements and online accounts for unfamiliar transactions or logins. Many services provide alerts for suspicious activity, so make sure these notifications are turned on.

Lastly, stay informed about data breaches. Websites like https://haveibeenpwned.com/ allow you to check if your email or password has been compromised in a known breach. If you find out that your credentials are part of a breach, change your passwords immediately.

Here’s a quick checklist for avoiding credential stuffing:

  1. Use Unique Passwords: Employ a password manager to generate and store strong passwords. Ideally, make them 12-15 characters long.
  2. Enable Two-Factor Authentication: Add an extra layer of security to your accounts.
  3. Monitor Account Activity: Regularly check for any suspicious transactions or logins.
  4. Stay Updated on Breaches: Use tools like ‘Have I Been Pwned’ to see if your credentials have been compromised.
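The ‘Have I Been Pwned’ check recommended above can be done without ever sending your password to anyone. This added example (not code from the original article or from Have I Been Pwned itself) shows how its Pwned Passwords range lookup works: only the first five characters of the password's SHA-1 hash are sent, and the match is done locally. The sample response and its counts are constructed; the live lookup is optional.

```python
# Added example, not from the original article: how the Have I Been Pwned
# "Pwned Passwords" range check works. Only the first five hex characters of
# the password's SHA-1 hash are sent to the service; it answers with every
# hash suffix in that range and a breach count, and the match happens locally,
# so the password itself never leaves your machine. The sample response below
# is constructed; the live lookup is optional and only used if you ask for it.
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that is
    sent to the API and the 35-character suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, body):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 when the suffix is absent (not a known leak)."""
    for line in body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

def live_fetch(prefix):
    """Fetch the range for a prefix from the real service (needs network)."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password, fetch=live_fetch):
    """Return how many times the password appears in known breaches (0 = none).
    `fetch` maps a 5-char prefix to the response text; swap it for a stub offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))

# Constructed response for the 5BAA6 range (SHA-1 of "password" starts 5BAA6).
# The real answer holds several hundred lines; the counts here are made up.
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
    "FFFF7E3D7D7B0B9C7C2B3B3B7A9E4B9B0B1:1",
])
```

Calling check_password("...") with the default fetch queries the live service over the network; passing a stub, as the constructed SAMPLE_RESPONSE does, lets you see the matching step offline.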

My account has been compromised, what do I do first?

  1. If you have up-to-date antivirus installed, run an immediate scan of your machine to identify and remove any malicious software that may have been downloaded.
  2. As soon as this has been done, go into your Microsoft or Google administration portal and force a password change. (Do not share the new password with anyone, particularly over email.)
  3. Then sign out of all of your Microsoft or Google accounts and wait for 15 minutes.
  4. Sign back in and enable or re-enable two-factor authentication (2FA).
  5. Check your logs and email rules for suspicious activity and forwarding rules, and remove any rules that were set up as a result of the attack.
  6. Check whether emails have been sent out from your account, and inform customers and suppliers of the hack so they can alert their teams about the attack.
  7. If there has been a breach of personal data, inform the ICO (the UK Information Commissioner's Office) within 72 hours of the incident.

Stay Ahead of Cyber Threats

By understanding the risks and taking proactive steps, you can significantly reduce the likelihood of credential stuffing affecting your business. If you would like more tips on securing your online presence, follow us on social media or join our mailing list. We promise to keep our information useful and to the point, and never to share your contact details with anyone.

Sources

https://www.forbes.com/sites/daveywinder/2025/05/06/new-warning—19-billion-compromised-passwords-create-hacking-arsenal

https://www.independent.co.uk/news/world/americas/password-leak-hackers-cybersecurity-b2746766.html
