What you need to know about “credential stuffing”

Credential stuffing is a cyberattack that exploits stolen login credentials. PayPal, NortonLifeLock, 23andMe, and Roku are just some of the companies that have reported recent attacks on customer accounts. Here’s how it works:

  1. Data Breaches: Attackers obtain large databases of usernames and passwords through data breaches on various websites or services.
  2. Automated Login Attempts: They use these stolen credentials in automated programs to attempt logging in to other unrelated websites or services.
  3. Preying on Reuse: The attackers rely on the fact that many people reuse the same login credentials (username and password) across multiple accounts.

Imagine a thief who finds a box of keys stolen from various houses. They try these keys on different houses in the neighborhood, hoping some will unlock doors – that’s similar to credential stuffing.

Why it works:

  • People reuse passwords: As mentioned, credential stuffing works because many people use the same login information on multiple sites.
  • Large-scale attacks: Attackers can attempt logins on thousands of accounts very quickly using automated tools.
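
For the teams that run a login page, the same traits (automation, speed, many accounts) are what make the attack visible in authentication logs. The Python below is an added example, not part of the original article; the log format, IP addresses, usernames, and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol OK
2024-05-01T10:00:04 203.0.113.7 dave FAIL
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:00:06 203.0.113.7 frank FAIL
2024-05-01T10:01:00 198.51.100.20 grace FAIL
2024-05-01T10:01:10 198.51.100.20 grace FAIL
2024-05-01T10:01:25 198.51.100.20 grace OK
"""

def parse(log_text):
    """Yield (time, ip, user, ok) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(events, window=timedelta(minutes=5), min_failed_users=5):
    """Flag IPs whose failed logins span many *different* usernames.

    A person mistyping a password repeats one username; a stuffing run
    walks through a list of usernames, trying each once or twice.
    """
    recent = defaultdict(list)  # ip -> [(time, user, ok)] still inside the window
    alerts = {}
    for when, ip, user, ok in sorted(events, key=lambda e: e[0]):
        recent[ip] = [e for e in recent[ip] if when - e[0] <= window]
        recent[ip].append((when, user, ok))
        failed = {u for _, u, good in recent[ip] if not good}
        if len(failed) >= min_failed_users:
            # Accounts that logged in during the run likely reused a leaked password.
            hits = sorted({u for _, u, good in recent[ip] if good})
            alerts[ip] = {"failed_users": len(failed), "successful_logins": hits}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

An attack spread across many source addresses stays under a per-IP threshold, so a count like this is one signal among several rather than a complete defense.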

How to protect yourself:

  • Unique passwords: Use strong and unique passwords for every single online account you have. Password managers can be helpful for creating and storing strong passwords.
  • Multi-factor authentication (MFA): Enable MFA whenever available. This adds an extra layer of security by requiring a second verification step beyond just your username and password.
  • Beware of phishing attacks: Phishing attacks can trick you into revealing your login credentials on fake websites. Be cautious of suspicious emails or messages.