Credential Stuffing
What it is: A type of cyberattack where attackers take large sets of username/password pairs, typically obtained from previous data breaches, and systematically attempt to log in to numerous different online services and platforms. This automated process exploits the common user practice of reusing the same credentials across multiple websites and applications.
How it works: Attackers utilize automated tools and scripts to input the stolen credential pairs into the login forms of various websites. These tools can handle CAPTCHA challenges and other basic anti-bot measures. The success rate depends on the prevalence of password reuse among users whose credentials were compromised in the original data breach. When a valid username/password combination is found to work on a new platform, the attacker gains unauthorized access to that account. This access can then be used for various malicious purposes, such as financial fraud, data theft, or account takeover.
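The pattern above (one automated source cycling through many different usernames, most of them failing) is what a defender looks for in authentication logs. The following is an added example, not code from the original page: a small Python detector run over constructed sample log lines, flagging source IPs that hit many distinct usernames with a high failure rate inside a sliding window, and listing the accounts that accepted a login from such a source so they can be reset. The log format, thresholds and IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "<ISO timestamp> <src_ip> <username> <result>".
# 203.0.113.7 sprays many different usernames; 198.51.100.2 is one user mistyping a password.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave SUCCESS
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:05:00 198.51.100.2 alice FAIL
2024-03-01T10:05:30 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, attempts, fail_ratio)} for source IPs that tried many
    distinct usernames with mostly failures inside a sliding window (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(r == "FAIL" for _, _, r in span) / len(span)
            # a single user retrying their own password never reaches min_users; keep the widest hit
            if len(users) >= min_users and ratio >= min_fail_ratio and \
                    len(users) > flagged.get(ip, (0,))[0]:
                flagged[ip] = (len(users), len(span), ratio)
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that accepted a login from a flagged source: force a reset and notify the user."""
    return {user for _, ip, user, result in events if ip in flagged and result == "SUCCESS"}
```

Real deployments would key on more than source IP (stuffing is often spread across proxy pools), so the same windowed count is usually also run per user-agent, ASN or device fingerprint, and the failure baseline is tuned to the service's normal traffic.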
Example with key data: In 2019, a significant credential stuffing attack targeted the streaming service Disney+. Shortly after its launch, numerous users reported unauthorized access to their accounts. Investigations revealed that the attackers were using credentials exposed in previous data breaches on other platforms to try to log in to Disney+ accounts. While Disney+ itself wasn’t breached, widespread password reuse by users allowed attackers to compromise a significant number of accounts. Key data includes reports of tens of thousands of Disney+ accounts being compromised within a short period, highlighting how effective credential stuffing is when a large pool of previously breached credentials exists and users haven’t adopted unique passwords for different services.