Cybersecurity

Credential Stuffing

Definition

Credential stuffing is a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts on other services. This is a type of brute-force attack.

Why It Matters

Credential stuffing is highly effective because many people reuse the same password across multiple websites. If one site is breached, attackers can use those credentials to break into the user's accounts on many other sites.

Contextual Example

Attackers obtain a list of 1 million username/password pairs from a breach of "Website A". They then use an automated tool to try every single one of those pairs on "Website B". For every user who reused their password, the attacker gains access.

Common Misunderstandings

  • The primary defense for users is to never reuse passwords. Using a password manager helps create and store unique, strong passwords for every site.
  • For service providers, defenses include monitoring for large-scale login attempts from single IP addresses and encouraging users to enable MFA.
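The service-provider monitoring described above can be sketched as follows. This is an added example, not code from the original page; the log format, the function names and the thresholds are assumptions, and the log lines are constructed sample data. It flags a source IP that tries many distinct accounts with mostly failed logins inside a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format assumed): timestamp, source IP, username, result
SAMPLE_LOG = """\
2025-01-01T10:00:00 203.0.113.7 amy FAIL
2025-01-01T10:00:05 203.0.113.7 ben FAIL
2025-01-01T10:00:10 203.0.113.7 cat FAIL
2025-01-01T10:00:15 203.0.113.7 dan OK
2025-01-01T10:00:20 203.0.113.7 eve FAIL
2025-01-01T10:00:25 203.0.113.7 fay FAIL
2025-01-01T10:01:00 198.51.100.20 bob FAIL
2025-01-01T10:01:10 198.51.100.20 bob FAIL
2025-01-01T10:01:20 198.51.100.20 bob FAIL
2025-01-01T10:01:30 198.51.100.20 bob FAIL
2025-01-01T10:01:40 198.51.100.20 bob FAIL
2025-01-01T10:02:00 192.0.2.50 gus OK
2025-01-01T10:02:30 192.0.2.50 hal OK
2025-01-01T10:03:00 192.0.2.50 ivy FAIL
2025-01-01T10:03:30 192.0.2.50 jon OK
2025-01-01T10:04:00 192.0.2.50 kim OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag IPs that try many distinct accounts, mostly failing, within one window.
    Returns {ip: (distinct_users, failures, attempts)} at the window's peak."""
    recent = defaultdict(deque)  # ip -> (ts, user, ok) events still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(not o for _, _, o in q)
        # Thresholds are illustrative assumptions; tune them against real traffic.
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            if ip not in flagged or len(users) > flagged[ip][0]:
                flagged[ip] = (len(users), fails, len(q))
    return flagged
```

In the sample, only 203.0.113.7 is flagged: the second source fails repeatedly against a single account, and the third behaves like a shared office address where several users log in successfully.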

Last Updated: December 17, 2025