article featured image


Credential stuffing is a form of cyberattack where hackers are taking over massive databases of usernames and passwords, many of which are stolen in recent data breaches, and use an automated method to “stuff” the account logins into other online services.

The fraudster exploits access to consumer accounts to make fraudulent transactions, perform phishing assaults, and steal information, money, or both in a credential stuffing attack. Credential stuffing is particularly hazardous for those who use the same login and password for multiple accounts, giving a hacker access to all of them with only a single swipe.

How Do Credential Stuffing Attacks Work?

There are several popular tools used for credential stuffing attacks, and most of them can be downloaded free of charge.

Sentry MBA, Vortex, and Account Hitman are the best-known examples.

Any would-be hacker can set up one of these malware tools and start trying to breach into new accounts using old credentials. If you think two-factor authentication can protect you, I’m sorry to disappoint.

Sentry MBA claims to be able to bypass Captcha challenges, as well as TFAs. Intelligence data also indicates multiple instances of attacks where two-factor authentication was circumvented by attackers. Even if enabling TFA was the go-to security advice for years, the protection it brings started to get thin. While the software to be used for credential stuffing is free, the credentials need to be downloaded for a price. Depending on how many credentials the hacker wants to use, an attempt to hack into several accounts can start for as low as $10. For the most exhaustive data package, hackers can be required to pay around $2,999. This sum is reported to give them access to over 3.8 billion credentials. Nonetheless, there’s always the free option of using the credentials disclosed in the massive data collections discussed above. As you can see, conducting a credential stuffing attack is becoming more and more simple and affordable. The more people reuse the same passwords, the more rewarding credential stuffing can get; this means user behavior is still the main source of power for this kind of attack.

Credential Stuffing and Brute Force Attacks

Credential stuffing is classified as a subcategory of brute force attacks, therefore is not the same as typical brute force assaults.

Brute force attacks utilize random characters, often paired with common password suggestions, to obtain passwords with little to no context or hints. Credential stuffing takes advantage of publicly available data to substantially reduce the number of possible valid responses.

A strong password, consisting of multiple characters and including capital letters, digits, and special characters, is an effective barrier against brute force assaults. Unfortunately, credential stuffing is not protected by password strength, as credential stuffing may compromise any password, no matter how secure it is, if it is shared across several accounts.

How to Protect Yourself from Credential Stuffing

We know that nowadays each of us manages multiple online accounts. Enjoying the benefits of digital existence to the full also means creating an account for so many portals. Besides your main email and social media accounts, you will be invited to create an account for the following type of service:

  • Various loyalty programs for the offline stores you shop from;
  • Online retail shops;
  • Online entertainment providers (think Netflix);
  • Data storage or compression tools;
  • Public institutions prompting you to log in before you can view reports;
  • Many online tools require registration before you can use them.

If you think about it, you probably have more accounts created and rarely visited than you thought initially. Studies show that the average home user has around 120 online accounts associated with the same email address, while the average business user handles around 191 accounts typically. Obviously, no one can remember so many different passwords by heart, in the way we should if our accounts are to be as secure as possible. According to a survey conducted by BuzzStream, many of us would give up pizza for the sake of having to go through fewer logins. We all know the feeling, right? Well, the good news is that you don’t actually have to remember so many passwords in order to be safe from credential stuffing and other malware attacks. Here’s what can you do to better protect yourself (and your important information) from these cyber-attacks:


Credential stuffing attacks rely on your previously inevitable need to set the same password or similar passwords for multiple accounts. But since password managers have been around, you don’t actually need to know so many different passwords by heart. Just pick a good option, there are plenty of reputable and even free password managers to choose from. If you want to be extra cautious, there’s also the alternative of keeping your passwords stored in two separate password managers tools. That way, if something happens with one of the solutions you were using, you have a plan B.


Resist the urge to use your go-to password, or one which holds personal significance to you. Users are many times tempted to use a so-called keepsake password, as highlighted by Prof. Ian Urbina’s research. As much as I’m swooning for this beautiful display of humanity, as a fellow anthropologist, I have to advise you to refrain from it for cybersecurity purposes. If you care about your online security, make sure you set only strong and unique passwords that will be difficult for cybercriminals to break. Also, remember not to use default passwords, because they’re the first ones attackers will try to unlock your accounts and devices with.


Periodically resetting your passwords is an essential part of any cybersecurity hygiene checklist. Many high-profile companies have an internal security policy making it mandatory for employees to change their passwords every 6 months. They’re also required not to use their work passwords in their personal accounts as well, but unfortunately, some of them break this rule. That’s what makes credential stuffing attacks remain a viable hacking technique. Reset all passwords in a periodic digital clean-up. Make sure you use a different one for each account, just in case the server gets hacked. Since you’ll be using a password manager and you only need to remember one master password, just go ahead and use the random password generator for each account. This way, you can be sure you have a strong password.


The two-factor authentication system may not be 100% secure, but it will make it more difficult for cybercriminals to breach your digital accounts. Hackers have already come up with creative means to circumvent it. But this doesn’t mean you shouldn’t add it whenever possible since multiple layers of security are still better than less. Multi-factor authentication is always better, so opt for it when you can to enhance security.


We don’t need to stress how important is to have multiple layers of security on all your devices which connect to the Internet. You need both an antivirus solution and a shield on top of it, like our Heimdal™ Next-Gen Antivirus & MDM​ and Heimdal™ Threat Prevention products. Find them both in the Endpoint Security Software package, the all-in-one and complete online solution for home users. We urge our users to always keep their apps and programs up to date, because these updates include both security and feature patches, and will improve the software programs used. An automatic software updater (like our Heimdal Free) is also highly recommendable to improve your security.


Public Wi-fi networks are one of the biggest security risks for your system. If you use them to login onto any account, you can be almost sure your credentials will wind up on a data collection sooner or later. If you absolutely need to connect to one, always use a VPN solution and reroute your traffic through it.

To go the extra mile and make sure your password is secure, read our password security guide and learn how to manage your passwords like a pro. Still, as long as you follow the steps we highlighted above, you’ll be safer from credential stuffing attacks than you ever were.

Examples of Major Credential Stuffing Attacks

Spotify was the target of a massive credential stuffing assault in 2020, in which attackers attempted to obtain access to Spotify accounts by utilizing a database of 380 million records including login credentials and personal information gathered from multiple sources.

The 300 million records were most likely obtained through data breaches or massive “collections” of credentials that are frequently given for free by threat actors.

Another significant attack was launched on The North Face, a well-known outdoor retailer. Following a successful credential stuffing assault in October of 2020, the firm had to reset the passwords of an undetermined number of clients.

Customers’ names, birthdays, phone numbers, billing, and shipping addresses, purchased or favorited goods, and email preferences are all examples of potentially affected information that may have been accessed through hacked accounts.

The business immediately took security measures to reduce the account login rate from suspect sources or displaying a suspicious pattern after identifying the attack after seeing suspicious behavior involving the thenorthface.com website.

RIPE NCC, a not-for-profit regional Internet registrar covering Europe, the Middle East, and portions of Central Asia, was also a victim of this sort of assault in the year 2021.

A credential stuffing attack was launched against the company’s single sign-on (SSO) service. All RIPE sites, including My LIR, Resources, RIPE Database, RIPE Labs, RIPEstat, RIPE Atlas, and the RIPE Meeting websites, utilize this SSO service to log in.

Other well-known businesses have been the victims of large credential stuffing assaults in recent years.

HSBC was targeted by a major credential stuffing attack towards the end of 2018, putting the financial security of its customers at risk. DailyMotion, the video hosting giant, was forced to shut down its website temporarily in January 2019, due to a massive credential stuffing attack. In February 2019, Dunkin Donuts was the target of a second credential stuffing attack in the course of only three months.

The company was just starting to contain the damage from last autumn’s credential stuffing incident. They reported that attack in late November 2018, although the breach happened at the end of October. That’s how long it can take a security team to realize something is wrong when the hackers are using legitimate but stolen credentials.

The beginning of 2019 brought similar attacks to other major companies, too. Reddit users found themselves locked out of their accounts while hackers were stealing their data. Deliveroo customers also found themselves paying for orders they hadn’t placed, due to hackers gaining access to their accounts via credential stuffing. Basecamp was under attack as well, seeing a dramatic spike in login attempts over the course of only a few hours.

The giant advertising company Sizmek was also breached at the beginning of March 2019. A Russian hacker was selling controls to its ad campaigns via a virtual dark hat auction house. The tax information of many users was also breached on the website of software giant TurboTax.

The trend of credential stuffing attacks scaling up doesn’t seem to be slowing down anytime soon. The tools for collections of breached data have become more and more powerful, and hackers are more skilled to do it. A record number of hacked credentials have been published online, hosted by the MEGA cloud service. This so-called ‘Collection #1’, as the root folder of this data compilation is named, is believed by experts everywhere to be the most severe so far.

Previous hacked credential lists such as the Anti Public Combo List or the Exploit.in list are modest in comparison. Out of the 773 million accounts compromised, not all of them had the same credentials anymore, which is good news.

Security researcher Troy Hunt was dismayed to find some of his own personal information in the hacked data collection, but luckily with an older password which he wasn’t using anymore. Still, most of the information in the data breach is probably still valid or can be used by hackers to infer valid data based on it.

We can only assume that there are similar collections floating out there which haven’t been uploaded online for free yet.

Wrapping Up

With the right knowledge and proper practices, as well as a reliable suite of solutions, staying safe from credential stuffing will come easy.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

As always, Heimdal™ Security can help you with the latter.

If you want to know more about which of our company products are best suited for your needs, don’t hesitate to contact us at sales.inquiries@heimdalsecurity.com or book a demo.


Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.


Great blog post- one other way is to screen for compromised credentials upon login. If the credentials are found to be compromised, organizations can force a password reset or allow access while hiding sensitive information or adding step-up authentication.

Miriam Cihodariu on May 13, 2019 at 3:19 pm

Thanks Kristen! Yes, this is a good idea. Most organizations are prompting their users to reset their passwords every 6 months, but not really enforcing it. Furthermore, lots of users choose a new password very similar to the old one, if they do bother resetting it.

Jan A. van de Hoef on April 9, 2019 at 7:53 pm

An extra security I use is that everyone who I allow to mail me gets an unique mailadres
For you it is prheim@…. Nearly all wrong mails I can detect by readng the subject and compare te headers.

Leave a Reply

Your email address will not be published. Required fields are marked *