Credential stuffing, or using compromised login information to take over accounts, has been around as long as we’ve used passwords to secure our accounts. But, perhaps in part because it’s gotten easier for hackers to perform this type of attack, credential stuffing made headlines in recent months.
Look at the 23andMe breach affecting nearly 7 million users. While not every account was compromised via credential stuffing, it was how the hackers initially got in, and then they used a social feature called DNA Relatives to keep going. Hackers gained access to sensitive information like full names and locations, specifically targeting groups like Ashkenazi people, offering the data for sale in bulk online.
Hacking conjures an image of sophisticated, high tech break-ins, but what makes credential stuffing so lucrative is that it’s surprisingly “pretty unsophisticated,” Rob Shavell, CEO of online personal information removal service DeleteMe, told Engadget. Hackers will use educated guesses to figure out your password, or just buy old passwords from leaks online to see if they work for different accounts. Tactics used by hackers include using personal information found online to guess passwords or asking a generative AI program to come up with usable variations on a password to get into an account.
Companies frequently fail to protect your data, sticking you with the burden of preventing credential stuffing accounts to the best of your ability. In fact, credential stuffing has become so prevalent, that you’ve likely already fallen victim. Nearly a quarter of all login attempts last year met the criteria for credential stuffing, according to security company Okta’s 2023 State of Secure Identity Report that surveyed more than 800 IT and security decision-makers across fields. Verizon’s 2023 analysis of data breaches found that about half of breaches involved stolen credentials. Checking an email address on sites like Have I Been Pwned can show you which passwords may have been compromised, meaning if you’ve reused it on another account, it could be a matter of time until hackers try to use it to get in.
Credential stuffing works because we tend to stick to certain patterns when creating passwords, like using your mother’s maiden name or a childhood address, with small variations to make them easier to remember. “Because we’re lazy, and because we have 50 passwords now, it is the default to just pick one password and use it many places,” chief information security officer at cloud company Akamai Steve Winterfeld said. “The problem is you then are not taking appropriate risk measures.”
That level of risk varies widely. The one-off account you used to try out World of Warcraft years ago and doesn’t have any personal or financial information attached to it probably doesn’t concern you. But hackers are betting you’ve reused an email, username and password for a more lucrative account, like your bank or social media, and they will use credential stuffing to get in. “I have one username and password that I use for things that I’m okay if they’re compromised … that would not financially or brand impact me,” Winterfeld said.
Minimizing the risks you’re taking online by using strong passwords will make it a lot more manageable to start protecting yourself against credential stuffing. Changing passwords frequently, or making the switch to passkeys, can also help. There are other ways you can protect yourself, too, as companies have made it clear that they’ll do anything in their power to shirk responsibility for protecting your information.
First, understand that once a credential is leaked, it can be used to gain access to other accounts, Frank Teruel, CFO at bot prevention firm Arkose Labs, said. So, change passwords for any accounts where you may have repeated it, especially high-profile targets linked to financial or other sensitive institutions. This is where a password manager comes in handy, because some will even flag if a password has been found in a breach and suggest that you change it to a stronger option.
Taking some time to purge accounts you no longer use will greatly reduce the number of password leaks to worry about, too, Teruel said. In the meantime, make it a habit not to reuse passwords or small variations on them, and to change passwords frequently to limit risk.