Protect your personal info

Get Norton 360 with LifeLock Select to keep your passwords private and protect against identity theft.

Get it now

Protect your personal info

Get Norton 360 with LifeLock Select to keep your passwords private and protect against identity theft.

Get it now

Credential stuffing: Examples and 6 prevention tips

A business owner looks at her screen to determine if the email she received is a credential stuffing attack.

Credential stuffing attacks can lead to financial loss and identity theft. In this guide, we’ll tell you how these attacks work and share tips for preventing them with cyber safety strategies and software like Norton 360TM with LifeLockTM Select.

What is a credential stuffing attack?

Credential stuffing is an attack where criminals steal login details to access user accounts. In credential stuffing attacks, cybercriminals use stolen username and password combos to try to access people’s accounts.

Credential stuffing can be an effective attack method because many people reuse the same email addresses, usernames, and passwords across many different accounts. In fact, 80% of data breaches occur because people use weak, reused, or stolen passwords.

While you can reduce many risks by setting strong and unique passwords, there are several nuances to credential stuffing attacks. So, in this guide, we’ll break down how credential stuffing works, explain how these attacks differ from brute force attacks, and share expert-approved pointers for credential stuffing prevention. 

Here’s what we’ll cover:

What does credential stuffing look like?

Credential stuffing attacks come in many forms, but you might notice that:

  • Your bank sends authorization alerts for large, unauthorized purchases.
  • Your credit report shows that someone is opening accounts in your name.
  • Your name and likeness are popping up on other social media platforms to scam others.
  • Password dumpsites are posting your login information, or you receive a notification that you were part of a data breach.

Ultimately, you should look out for notifications from your bank, login attempt alerts, changes to your bank statements, and anything else that is out of the ordinary. 

Credential stuffing vs. brute force attacks

In credential stuffing attacks, the cybercriminal already knows your login credentials. Meanwhile, brute force attacks require the hacker to test billions of possible combos until they stumble onto the right one. 

A comparison explaining the differences between credential stuffing and brute force attacks.

Credential stuffing involves a cybercriminal stealing login credentials or exploiting data breaches to uncover active login combos. Brute force attacks involve the cybercriminal trying all possible login combinations to find one that works.

Here’s how attackers use each of these tactics. 

  • Brute force attack: During brute force attacks, hackers try millions of login variations based on common patterns and passwords until they find the right combination. The only real defense to these types of attacks is to create strong and unique passwords for all of your accounts. 
  • Credential stuffing: In credential stuffing attacks, hackers know their targets’ passwords because they have already accessed their login details through data breaches, email phishing, or keylogging. The most effective way to protect yourself in these situations is to use two-factor authentication (2FA) to keep bad actors out of your accounts, even if they do have the right credentials.

Since we’re focusing on credential stuffing attacks, let’s look closer at how they work. 

How do credential stuffing attacks work?

Most credential stuffing attacks follow the same four-step process. 

  1. The attacker steals login credentials: Hackers often scour the dark web and password dump sites for stolen login credentials obtained through a data breach or phishing methods. 
  2. The attacker creates a list of targets: Using the names and login details they obtain, hackers will create a list of usernames and passwords to test. 
  3. The attacker automates login credential testing: Most hackers will use a botnet to test the validity of stolen credentials against multiple sites at once.
  4. The attacker exploits any accounts they can access: Hackers generally steal money and information from any account they can break into.

Depending on how hackers obtain and test your login credentials and their end goals, this process may vary slightly.

How to prevent credential stuffing

Successful credential stuffing attacks rely heavily on human error. Unless you’re taking security measures to prevent unauthorized users from accessing your accounts, you’re enabling them.

That said, here are the most reliable ways to prevent credential stuffing attacks from catching you unawares.

A list of six strategies that can help prevent credential stuffing attacks.

1. Use two-factor authentication (2FA)

Two-factor authentication is an extremely effective strategy for protecting your personal information from credential stuffing. It can keep hackers from accessing your accounts even if they obtain your login credentials in a data breach.

The 2FA process requires users to authenticate their session on another device, usually with a biometric fingerprint or a one-time passcode. Since it’s virtually impossible to replicate these types of authentications, hackers will have to give up or look for other avenues to access your information.

2. Set strong and unique passwords

Strong passwords are better at preventing brute force attacks than credential stuffing attacks. However, they can help limit the damage if your information is compromised. The key is to create unique passwords on different devices and accounts.

That way, if somebody steals your login credentials for one account, hackers won’t be able to breach them all.

3. Use a password manager

Managing unique passwords for all your accounts can be difficult. That’s why so many people default to the same few passwords. However, password managers are a great solution.

They store all your passwords safely behind one master password, allowing you to auto-fill your information on any site. Many password managers also help users create unique passwords that are harder to crack and offer 2FA to enhance password security.

4. Install software updates

Keeping your device’s software up to date is one of the most important strategies for preventing credential-stuffing attacks. If you fall behind on software updates, hackers can take advantage of the vulnerabilities in your computer’s operating system and download malware such as keyloggers.

Keyloggers allow hackers to track the device owner’s keystrokes, enabling them to deduce their passwords. This is a common tactic hackers use to steal usernames and passwords. Performing general software updates ensures your devices have the latest security features and that they can keep unwanted attackers out of your accounts.

5. Install antivirus software

Antivirus software can help protect your computer from malicious attacks. It scans current and incoming emails and documents for malware and viruses that may be attached to files.

Software like Norton 360 with LifeLock Select offers even more protection by helping to block fake websites, prevent hackers from stealing passwords, and identify malware on your device. Having this extra set of eyes can help prevent dangerous phishing scams and viruses from destroying or stealing your data or even your identity. 

Examples of businesses that have been affected by credential stuffing

The first modern credential stuffing attacks occurred in 2014. Since then, many businesses and their customers have been affected by these cyber crimes. Here are a few examples:

  • Epic Games: Epic Games is the video game developer that brought us Fortnite. While the company is known for releasing engaging game updates, it fell behind on its security measures. Due to a vulnerability in the Fortnite system, hackers accessed player accounts and made purchases with their saved debit and credit cards. Because of this, players sued the company in a class-action lawsuit, and the company had to add a credential-stuffing disclosure to its site.

  • Netflix: Video streaming service Netflix experienced a credential stuffing attack in 2019. The hackers accessed the platform using credentials they stole in other data breaches. Using the passwords, they successfully accessed several Netflix user accounts and locked the owners out. To help prevent this, Netflix could consider making 2FA mandatory for all users.

  • Nintendo: Credential stuffing hackers gained access to Nintendo user accounts in 2020 using breached data and crimeware. The account takeovers impacted 160,000 gamers and resulted in substantial financial loss. In this case, users could have kept themselves safe using antivirus software that offers alerts when passwords are compromised.

  • Spotify: In 2020, hackers stole records from a logger database and exploited the login credentials to target 300,000 Spotify accounts. To protect users, the Spotify team sent out links to help users quickly reset their passwords and began a campaign to take down the malicious database.

  • Zoom: In 2020, 500,000 Zoom login credentials were stolen or collected from a database and placed for sale on crime forums and dark web supermarkets. Some passwords were given away for free, and others were sold for as little as a penny. This resulted in financial losses, operational deficits, and compliance breaches. 2FA would have also been a useful strategy for preventing this attack. 

As someone using online services, you have to trust that the businesses you shop with are putting security first and protecting your personal information. However, no business is perfect, and it’s important for you to take precautions of your own.

Secure your computer and help bock hackers

Guarding your passwords is essential for protecting yourself from account takeovers, identity theft, financial loss, and embarrassment. To help keep hackers out of your device, try Norton 360 with LifeLock Select. Powerful features like ID theft protection, a VPN, and account takeover prevention measures will help safeguard your personal information.

FAQs about credential stuffing

Still have questions about credential stuffing? Here are the answers.

How did hackers get my login information?

Hackers may exploit data breaches or password-cracking applications, use malware to steal login credentials, or guess until they find the right combination in a brute-force attack. 

How do I know if my information is compromised in a data breach?

If you suspect that somebody stole your private information, you can monitor your accounts for suspicious activity on your own or with cybersecurity software like Norton 360. Or, you can take a more active approach and look up your information on breach notification websites like “Have I been Pwned.”

What is the goal of a credential-stuffing attack?

Hackers wage credential-stuffing attacks to secure their target’s login credentials so they can access their accounts and steal data, make transactions, or commit other crimes. 

  • Brenna Cleary
  • Principal social media marketing manager; security and privacy advocate
Brenna Cleary has worked in cybersecurity for 3 yrs and digital marketing 10. She is an advocate for online safety and an expert in secure digital guidance.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.