Credential stuffing simplified + attack protection tips | Norton

A guide covering just what is credential stuffing, how credential stuffing attacks occur, and methods for protecting your computer’s operating systems.
Credential stuffing is a cyberattack whereby cybercriminals use stolen usernames and passwords to illegally gain access to user accounts.
And considering 52 percent of people repurpose the same login credentials across their online accounts, it’s apparent that the majority of today’s digital citizens are potentially putting themselves at risk of a credential stuffing attack.
Understanding just what is credential stuffing and how to protect yourself against credential stuffing attacks can make guarding your personal information much easier. Here, we’re breaking down how credential stuffing works, the ways it differs from brute force attacks, and pointers for credential stuffing prevention.
How credential stuffing attacks work

Unfortunately for online users, the process of performing a credential stuffing attack isn't too complex for the cybercriminals at large. The following is a breakdown of the process attackers go through to slither their way into your most sensitive information.
- The cybercriminal scours the dark web for stolen login credentials via a data breach, password dump sites, or phishing methods.
- The attacker prepares a massive list of those stolen usernames and passwords.
- A botnet is used to test the stolen credentials against multiple sites at once.
- Working credentials are used to steal private information from vulnerable users.
The real danger of credential stuffing comes when cybercriminals verify they have access to your information. Here are a few things attackers can do once they successfully acquire your data:
- Make large purchases and empty bank accounts of your assets.
- Access personal information, such as your credit card and Social Security number to steal your identity.
- Send phishing or spam messages using your account information.
- Sell your credentials to password dump sites for other criminals to use.
Credential stuffing attacks vs. brute force attacks
Many people make the mistake of believing credential stuffing and brute force attacks are interchangeable. Though credential stuffing is a type of brute force attack, the two are distinguishable enough for there to be different methods of protecting private data against them.
Brute force attacks try to guess usernames and passwords by changing the numbers and characters within them. Prescribed pattern and base passwords sift through millions of variations until one is successful. People are able to protect themselves against this type of attack by creating strong and unique passwords for accounts they make. The CAPTCHA tool is also useful for businesses trying to restrict dangerous botnet access.
Credential stuffing, however, isn't held back by a strong and unique password because these login credentials are already known to the attacker. And since people often change passwords in predictable patterns, the capabilities of the CAPTCHA tool and other protection methods only offer a limited amount of protection.
The effectiveness of credential stuffing
Credential stuffing is more prevalent today, as attacks have doubled between 2016 and 2021. Attackers train themselves to spot security gaps to acquire as much data as they can from compromised devices. Take a look at a few recent credential stuffing incidents to get an idea of the true danger of these attacks:
- Nintendo, 2020: Credential stuffing hackers gained access to Nintendo user accounts using breached data and crimeware.
- Zoom, 2020: 500,000 user credentials were breached and put up for sale using crime forums and dark web supermarkets.
- Marriott International Data Breach, 2018: A hacker acquired two employees’ credentials to expose the login credentials of over 5.2 million customers.
- Uber, 2016: The data of over 57 million customers and drivers was exposed in a credential stuffing attack.
5 credential stuffing prevention pointers

The success of credential stuffing attacks finds its root in its ability to rely on human error. People don’t take the time to create extensively unique passwords because of the other hundred they also have to remember. Though you might not be the best at creating unique and secure credentials, there are still things you can do to protect yourself from these online predators.
1. Use multi-factor authentication
Multi-factor authentication, also known as two-factor authentication, can be an effective method of protecting your personal information from credential stuffing.
The process requires users to log in with an extra form of authentication to gain access to their account. This could be a biometric fingerprint, or a one-time passcode sent to another trusted device. Since replication of these forms of identification isn't possible, attackers will have to look for another avenue to get ahold of your information.
2. Prioritize password hygiene
The first step to protecting your most sensitive data is having credentials that will act as a reliable defense. Password hygiene helps protect your most important login credential by making it unique and exceptionally hard to hack. Best practices for maintaining password hygiene include:
- Ideating robust passwords for each account
- Avoiding previous patterns
- Keeping your login information private
3. Consider a password manager
Password managers provide a central location to store all your complex login credentials. Under the protection of one master password, you can rest easier knowing you’ll likely never forget one of your passwords again.
They also go a step further by creating unique passwords that can make your information hard to guess and crack into. Some password managers also use multi-factor authentication to add another layer of security when you are trying to access your information.
4. Update operating systems
Hackers take advantage of software vulnerabilities in computer operating systems. These are weaknesses found in software programs that put your computer at risk of being affected by malware and other malicious softwares. Performing general software updates equips your computer with the latest security features that can help keep unwanted attackers at bay.
5. Install antivirus software to detect threats
Antivirus software can help protect your computer from malicious attacks. It works by scanning current and incoming emails and documents for malware and viruses that may be attached to files. Having this extra set of eyes can prevent dangerous phishing scams and viruses from destroying or stealing your data.
Yes, creating strong and unique passwords can cause a mind-numbing migraine. But would you rather wake up one morning to an empty checking account or thousands of credit card debt?
Knowing the dangers of credential stuffing and how to prevent credential stuffing attacks from the start can go a long way in protecting your precious data and identity.

Cyber threats have evolved, and so have we.
Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.
Try Norton 360 with Lifelock.
Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.
Want more?
Follow us for all the latest news, tips and updates.