You have probably heard of at least one credential stuffing attack lately, as major companies keep becoming targets of it. Credential stuffing is not new in attackers' repertoire, but the technique has been used far more often recently; the reasons for this surge are explained below. Have you noticed the news stories in which users report their accounts being hijacked while the company hosting those accounts insists that nothing is wrong? When a company sees no breach of its own systems and yet its users are being compromised, a credential stuffing attack is the likely explanation: the attackers log in with valid, previously leaked usernames and passwords, so from the system administrator's side the traffic looks like legitimate users until someone notices the volume or the failed attempts.

Since many of you emailed us asking about credential stuffing, we have put together this guide on what these attacks are and how to better secure your sensitive data. Read on for the details of this type of cyber attack and apply the actionable security measures that will help you avoid becoming an easy target for cybercriminals.

What Is Credential Stuffing?

In every major data breach in which attackers successfully break into a company's systems, they gain access to a database of username and password combinations. Some of these login credentials are then published for the entire world to see, as in the RockYou breach of 2009, which exposed over 30 million accounts whose passwords had been stored in plain text. Other times the credentials are obtained not by breaking into a company's systems but through phishing. Regardless of how the data is obtained, credential stuffing is the attacker's attempt to take the usernames and passwords already exposed and try them, at scale and with automated tools, against the login forms of other websites. Trying such a large number of stolen credentials everywhere is best described as stuffing them into every login form you can find, hence the name of the technique.

The attackers' premise turns out to be correct: Internet users continue to reuse the same password across many accounts and do not develop strong password hygiene. Note that nothing is cracked here; the passwords are already known, which is what makes the attack so cheap. A password leaked by a low-value account (say, a loyalty program for yogurt or something equally inconsequential) unlocks every important account where it was reused. In the end, as with most other attacks, the goal is your money or your identity.

Since the last months of 2018, credential stuffing attacks have made the headlines time and time again, and the first months of 2019 showed no halt to the trend. On one hand, the tools attackers need for this kind of attack have become better and cheaper. On the other hand, conducting other kinds of attacks has become more labor-intensive and costly.

Examples of Major Credential Stuffing Attacks

HSBC was targeted by a major credential stuffing attack towards the end of 2018, putting its customers' financial security at risk. DailyMotion, the video hosting giant, was forced to take its website down temporarily in January 2019 due to a massive credential stuffing attack. In February 2019, Dunkin' Donuts was the target of a second credential stuffing attack within three months, while still containing the damage from the previous autumn's incident. That earlier attack was reported in late November 2018, although it had happened at the end of October. That is how long it can take a security team to realize something is wrong when the attackers are logging in with valid but stolen credentials.

The beginning of 2019 brought similar attacks to other major companies. Reddit users found themselves locked out of their accounts after the site detected suspicious login activity consistent with credential stuffing. Deliveroo customers found themselves paying for orders they had not placed after attackers gained access to their accounts the same way. Basecamp was attacked as well, seeing a dramatic spike in login attempts over the course of only a few hours. The advertising company Sizmek was breached at the beginning of March 2019, with a Russian hacker auctioning control of its ad campaigns on an underground forum. Tax information of TurboTax users was also accessed through stuffed credentials.

The scale of these attacks shows no sign of slowing down. The tooling for compiling and using breached data keeps getting more powerful, and attackers more practiced at using it. A record number of breached credentials was published online in January 2019, hosted on the MEGA cloud service. The compilation, dubbed 'Collection #1' after the name of its root folder, is widely considered the largest single exposure so far. Earlier combo lists such as the Anti Public Combo List or the Exploit.in list are modest in comparison. Out of the 773 million unique email addresses in the collection, not all came paired with a still-valid password, which is the good news. Security researcher Troy Hunt, who analyzed the data, was dismayed to find some of his own information in it, though luckily paired with an old password he no longer used. Still, much of the data is probably still valid, or close enough for attackers to derive working variants from it. We can only assume that similar collections exist which have not yet been uploaded for free.

How Does a Credential Stuffing Attack Work?

Several popular tools are used for credential stuffing attacks, and most of them can be downloaded free of charge; Sentry MBA, Vortex and Account Hitman are the best-known examples. These are not malware that infects a victim but attack tooling: fed a combo list of username and password pairs, a configuration describing the target site's login form, and a list of proxies, they replay the credentials against the site while rotating source addresses to stay under rate limits. Any would-be attacker can set one up and start trying to break into new accounts using old credentials. If you think two-factor authentication alone makes you safe, the picture is mixed. Sentry MBA claims to be able to bypass CAPTCHA challenges as well as two-factor authentication, and threat intelligence reports include multiple attacks in which the second factor was circumvented, usually by phishing or intercepting one-time codes. Two-factor authentication was the go-to security advice for years and still raises the attacker's cost substantially, but it is no longer an absolute barrier. While the software is free, large credential sets are sold: depending on how many credentials the attacker wants, a campaign can start for as little as $10, and the most exhaustive package is reported to cost around $2,999 for access to over 3.8 billion credentials. There is always the free option of using the credentials disclosed in the massive collections discussed above. Conducting a credential stuffing attack is thus becoming simpler and more affordable. The more people reuse the same passwords, the more rewarding it gets, which means user behavior remains the main source of power for this kind of attack.

[Image: graph of the costs and steps of a credential stuffing attack. Image source: ThreatPost.com]
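What a defender sees during the attack described above is a burst of failed logins spread across many different usernames from one source, rather than many guesses against one username. The following script is an added example (not code from the original post, and not from any of the tools named above) that runs that distinction over a constructed set of authentication events; the log line format, the source IPs and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authentication events (not real logs). The line format
# is an assumption: "<timestamp> ip=<source> user=<account> result=<OK|FAIL>".
# 203.0.113.7 behaves like a stuffing tool (many accounts, one try each),
# 198.51.100.9 like a classic brute force (one account, many tries), and
# 192.0.2.44 like a real user who mistyped once.
SAMPLE_LOG = """\
2019-02-10T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-02-10T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2019-02-10T10:00:02Z ip=203.0.113.7 user=carol result=OK
2019-02-10T10:00:02Z ip=203.0.113.7 user=dave result=FAIL
2019-02-10T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2019-02-10T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2019-02-10T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2019-02-10T10:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2019-02-10T10:00:05Z ip=203.0.113.7 user=ivan result=OK
2019-02-10T10:00:05Z ip=203.0.113.7 user=judy result=FAIL
2019-02-10T10:00:10Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:11Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:12Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:13Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:14Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:15Z ip=198.51.100.9 user=admin result=FAIL
2019-02-10T10:00:20Z ip=192.0.2.44 user=alice result=FAIL
2019-02-10T10:00:25Z ip=192.0.2.44 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def collect_stats(text):
    """Aggregate attempts, failures and username spread per source IP."""
    stats = defaultdict(SourceStats)
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def classify_sources(text, min_attempts=5, min_users=5, min_fail_ratio=0.6):
    """Label each source IP; the thresholds are illustrative assumptions.

    Stuffing and brute force both produce a high failure ratio. What separates
    them is the username spread: a stuffing tool tries each stolen pair once
    and moves on, so a single source touches many distinct accounts.
    """
    verdicts = {}
    for ip, s in collect_stats(text).items():
        fail_ratio = s.failures / s.attempts
        if s.attempts < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"
        elif len(s.users) >= min_users:
            verdicts[ip] = "credential-stuffing"
        else:
            verdicts[ip] = "brute-force"
    return verdicts


def compromised_accounts(text, **thresholds):
    """Accounts that a source flagged as stuffing actually logged into.

    These logins looked perfectly legitimate to the application, which is why
    the attack goes unnoticed; they are the accounts to lock and reset first.
    """
    stats = collect_stats(text)
    hit = set()
    for ip, verdict in classify_sources(text, **thresholds).items():
        if verdict == "credential-stuffing":
            hit |= stats[ip].successes
    return sorted(hit)


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

Per-IP counting is the simplest form of this check and the one the proxy rotation built into stuffing tools is designed to defeat, so in practice the same ratios are also computed per autonomous system, per client fingerprint, and for the site as a whole; the sudden site-wide spike in failed logins that Basecamp reported is that last aggregate.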

Why Is Credential Stuffing on the Rise?

In a nutshell, credential stuffing is becoming more popular among attackers because the technique is straightforward and cheap. As security products grow more sophisticated, breaking into a well-defended system with technical exploits has become increasingly hard. It is far more cost-effective for attackers to walk in through the front door using basic methods and the weakest link: people. People are always one of the main security liabilities in any company or group. No matter how advanced your next-gen antivirus and detection solutions are, a user who behaves in a risky manner creates a gap that malicious third parties can quickly exploit. In the case of credential stuffing, risky behavior means setting the same password for multiple accounts, or varying only a few characters between them. Weak and reused passwords are among the most common mistakes people make, according to the top security experts we interviewed for a past guide.

How to Protect Yourself from Credential Stuffing

We know that nowadays each of us manages many online accounts. Enjoying digital life to the full means creating an account for a great many portals. Besides your main email and social media accounts, you will be invited to create an account for the following types of service:

  • Various loyalty programs for the offline stores you shop at;
  • Online retail shops;
  • Online entertainment providers (think Netflix);
  • Data storage or compression tools;
  • Public institutions that require you to log in before you can view reports;
  • Many online tools which require registration before you can use them.

If you think about it, you probably have more accounts, created once and rarely visited, than you initially thought. Studies show that the average home user has around 120 online accounts associated with the same email address, while the average business user handles around 191. Obviously, no one can remember that many different passwords by heart, which is what it would take if every one of them were unique. According to a survey conducted by BuzzStream, many of us would give up pizza in exchange for fewer logins. We all know the feeling, right? The good news is that you do not actually have to remember so many passwords in order to be safe from credential stuffing. Here is what you can do to better protect yourself (and your important information) from these attacks:

1. Use a strong password manager

Credential stuffing relies on the fact that, without help, nobody can hold dozens of different passwords in their head, so people set the same password, or a close variant of it, for multiple accounts. Now that password managers exist, you no longer need to remember them. Just pick a good option; there are plenty of reputable, and even free, password managers to choose from. If you want to be extra cautious, you can keep your passwords stored in two separate password manager tools, so that if something happens to one of them you have a plan B.

2. Set only strong and unique passwords for your online accounts

Resist the urge to use your go-to password, or one which holds personal significance to you. Users are often tempted to pick a so-called keepsake password, as journalist Ian Urbina's reporting on the personal stories behind people's passwords showed. As an anthropologist myself, I find this display of humanity charming, but for security purposes I have to advise you against it: anything meaningful to you can be guessed from public information about you, and anything reused is one breach away from every other account. If you care about your online security, set only strong and unique passwords that will be difficult for cybercriminals to guess. Also, never leave default passwords in place, because they are the first ones attackers will try against your accounts and devices.

3. Go through your accounts and reset all passwords

Going through your accounts and resetting every password you have reused is an essential part of any cybersecurity hygiene checklist. Many high-profile companies have an internal security policy making it mandatory for employees to change their passwords every six months and forbidding the reuse of work passwords for personal accounts, but unfortunately some employees break the second rule. That is what keeps credential stuffing a viable technique. Do a one-time digital clean-up in which you reset all your passwords, and repeat it for any service that announces a breach. Make sure each account gets a different password, so that a hacked server exposes only that one account. Since you will be using a password manager and only need to remember one master password, just use its random password generator for each account; that way you can be sure the password is strong and has never appeared in a leak. Uniqueness matters far more than calendar-based rotation: a unique random password does not need to be changed on a schedule, only when there is reason to believe it was exposed.

4. Enable two-factor or multi-factor authentication where you can

Two-factor authentication is not 100% secure, and attackers have already found creative means to circumvent it, typically by phishing the one-time code or intercepting SMS messages. But it still makes it much harder to turn a stolen password into an account takeover, so enable it wherever possible: more layers of security are better than fewer. Where you have a choice of second factor, an authenticator app is better than SMS, and a hardware security key (FIDO2/WebAuthn) is better still, because there is no code for a phishing page to capture. Multi-factor authentication with stronger factors is always better, so opt for it when you can.

5. Make sure your threat prevention and detection are also flawless

We do not need to stress how important it is to have multiple layers of security on every device that connects to the Internet. You need both an antivirus solution and a shield on top of it, like our Heimdal™ Next-Gen Antivirus & MDM and Heimdal™ Threat Prevention products; you can find both in the Endpoint Security Software package, the all-in-one solution for home users. We also urge our users to always keep their apps and programs up to date, because updates include security patches as well as new features. An automatic software updater (like our Heimdal Free) is highly recommended to improve your security.

6. Don’t connect to public Wi-Fi networks and be cautious

Public Wi-Fi networks are one of the bigger security risks for your devices. On an open or attacker-controlled network, anything sent over plain HTTP can be read or altered, and a rogue access point can redirect you to a fake login page; HTTPS protects the content of your logins, but you still need to check that you really are on the site you think you are before typing a password. If you absolutely need to connect to one, use a VPN and route your traffic through it. I got in touch with other cybersecurity experts, and they all concur on these basic steps for protection. Here is how Sergiu Gatlan from Bleeping Computer summarized it: “The most important measure users can take to protect themselves against credential stuffing attacks is to turn on two-factor authentication (2FA) or multi-factor authentication (MFA) on all services that support it. Making sure that they never use the same password on more than one online service is another important action to take if they want to prevent malicious actors from being able to use stolen credentials in future attacks. Subscribing to notification services such as Troy Hunt’s haveibeenpwned.com to be informed when one of their accounts is part of a security breach could also help by allowing them to quickly change compromised passwords as a precaution.” To go the extra mile and make sure your passwords are secure, read our password security guide and learn how to manage your passwords like a pro. As long as you follow the steps highlighted above, you will be safer from credential stuffing attacks than you ever were. We will keep you updated on the state of ongoing attacks, so feel free to email us with any questions or concerns you might have. We are here to help.
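The haveibeenpwned.com service mentioned above also exposes its Pwned Passwords data in a way that lets you, or a site you run, check a password against known leaks without ever revealing it: the client sends only the first five hex characters of the password's SHA-1 and compares the returned list of suffixes locally. The script below is an added example written for this guide (not code from the original post, not an official client, and not the library of any tool named here) showing that check and the login-time policy it enables, with a constructed stand-in for the service's response so that it runs offline. The only real value in the constructed data is the SHA-1 of "password"; every other suffix and every count is made up, and the action names returned by the login hook are assumptions about what an application might offer.

```python
import hashlib

# Constructed stand-in for what the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<prefix>) returns for the five-hex
# prefix 5BAA6. The real service answers with "<35-hex suffix>:<count>" lines
# for every leaked hash sharing that prefix. All suffixes and counts here are
# made up, except that the first suffix is the genuine remainder of
# SHA-1("password"), included so that the known-bad password is found.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
""",
}


def offline_fetch_range(prefix):
    """Stand-in for the HTTPS GET; an unknown prefix simply has no matches."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def split_sha1(password):
    """Upper-case SHA-1 of the password, split into the 5-hex prefix that is
    sent to the service and the 35-hex suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn "SUFFIX:COUNT" lines into a dict; tolerates blank lines and CRLF."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        found[suffix.upper()] = int(count)
    return found


def pwned_count(password, fetch_range=offline_fetch_range):
    """How many times the password appears in breach data (0 = not seen).

    Only the prefix goes over the wire, so the service learns neither the
    password nor its full hash; the suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def login_decision(password_ok, password, fetch_range=offline_fetch_range):
    """Policy hook for a login flow, run after the password was verified.

    A correct password that also appears in breach data is exactly what a
    stuffing tool will try next, so the account gets a forced reset instead
    of plain access. The returned action names are assumptions.
    """
    if not password_ok:
        return "deny"
    if pwned_count(password, fetch_range) == 0:
        return "allow"
    return "force-reset"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-unique-for-this-site"):
        print(candidate, "seen", pwned_count(candidate), "times ->",
              login_decision(True, candidate))
```

To use it for real, replace `offline_fetch_range` with a function that performs the HTTPS GET for the prefix (the service also honours an `Add-Padding: true` request header that pads responses so their size does not reveal how many hashes share the prefix); the important property to preserve is that the full hash is never sent. The same `pwned_count` check is what a site can run when a user logs in or sets a new password, which is how you find reused, already-leaked passwords before an attacker does.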


Great blog post - one other way is to screen for compromised credentials upon login. If the credentials are found to be compromised, organizations can force a password reset or allow access while hiding sensitive information or adding step-up authentication.

Miriam Cihodariu on May 13, 2019 at 3:19 pm

Thanks Kristen! Yes, this is a good idea. Most organizations are prompting their users to reset their passwords every 6 months, but not really enforcing it. Furthermore, lots of users choose a new password very similar to the old one, if they do bother resetting it.

An extra security measure I use is that everyone who I allow to mail me gets a unique mail address.
For you it is prheim@…. Nearly all wrong mails I can detect by reading the subject and comparing the headers.
