What is credential stuffing? All you need to know!

In this quick guide we cover the basics of credential stuffing, credential stuffing attacks and how to prevent a credential stuffing attack.

Congratulations for being here: You are about to lift your online security to a completely new level! Today you'll learn everything you need to know about credential stuffing attacks. This popular cyberattack means that malicious attackers use login credentials gained from data breaches to break into other accounts. As people re-use passwords, it's very effective, but at the same time an attack you can easily protect yourself from!


Most of us have created online accounts and used the same simple password or username for a few, if not all, of them. And by now, you’ve probably been told or warned to create different passwords for every online account you have, and to ensure they have uppercase, lowercase, numbers and even symbols in them. One important reason to do this is to avoid being part of a credential stuffing attack.

What is a credential stuffing attack?

A credential stuffing attack happens when attackers steal large amounts of login credentials from a service (involved in a data breach) and use the credentials to try to break into your accounts on other online platforms. In this guide we answer questions like “what is credential stuffing” and “what is a credential stuffing attack”, and look at ways you can protect yourself from falling victim to such an attack.


Credential stuffing is a type of cyber attack in which large amounts of user credentials, like usernames, passwords and email addresses, are taken from a data breach set and then used to log into other services using automated tools. But how do hackers get hold of your credentials? Attackers try to get lists of passwords, email addresses and usernames (credentials) from data breaches that occur and use them to attempt to log into lots of other accounts – this is one of the reasons why it’s so important to use different strong passwords for every online account you have. If you use the same weak password, like [name1234], you are at risk of falling victim to a credential stuffing attack.

According to a Digital Shadows report, there are currently more than 15 billion stolen credentials on the internet. The ease and mass availability of these credentials, along with smart credential stuffing tools that use bots to get past common login protections, have made credential stuffing one of the most common techniques used to gain access to users’ accounts.

How a credential stuffing attack happens

  1. Malicious attackers get passwords and usernames from a phishing attack, website breach or password dump site.
  2. These stolen credentials are tested against websites like social media sites or online banks using bots and automated tools.
  3. If the credentials are a match for another site, the attacker will have successfully gained access to another user account.

Anatomy of a credential stuffing attack.

A credential stuffing attack happens when attackers gain access to user credentials from a data breach. The attackers then attempt to gain access to users’ other accounts with the stolen data.

Recent credential stuffing attacks

Norton LifeLock - In 2023, Norton LifeLock Password Manager suffered a credential stuffing attack in which attackers used stolen credentials to gain access to user accounts. More than 925,000 people were targeted.

Zoom - In 2020, attackers tried to gain access to Zoom user accounts using previously leaked data from past breaches. Over 500,000 Zoom accounts got compromised in this attack and sold on the dark web.

Nintendo - In 2020, global gaming and entertainment company Nintendo suffered an attack where 160 000 Nintendo accounts were attacked.

Over the years there have been many scandalous data breaches at a range of multinational companies like LinkedIn in 2021, Yahoo in 2014 and 2017 (better consider deleting your Yahoo account), and Facebook in 2019 – as Facebook knows so much about you, this is particularly bad. If you want to know if your data has been leaked, you can check out Cyber News’ personal data leak check or HaveIBeenPwned.

But what can an attacker do once they’ve successfully hacked my account?

Once an attacker has your login credentials for one account, which might also work on another of your accounts, there’s a range of things they can do.

• Take any stored value or credits or make purchases.

• Gain access to sensitive information like private messages, pictures, documents or even credit card numbers.

• Send spam and phishing messages from your account.

• Take your credentials and sell or trade them to other attackers.

Credential stuffing attacks are a serious cyberthreat because they pave the way for lots of other ways malicious actors can harm you: identity theft, targeted phishing attacks, or simply getting access to your PayPal or Amazon account and using your payment details for themselves.

Credential stuffing vs brute force attack – what’s the difference?

According to OWASP, credential stuffing is a subset of brute force attacks, although in reality a credential stuffing attack is quite different from a traditional brute force attack. During a brute force attack, attackers attempt to guess passwords without having any prior context or clues. A brute force attack uses mixed characters and numbers or common password suggestions to try to gain access to accounts. This is similar to, but not the same as, credential stuffing, in which attackers use real stolen data from a data breach.

To protect yourself against brute force attacks, it’s suggested that you use strong passwords made up of upper and lower case characters, numbers and special characters. Unfortunately, your password strength doesn’t play a role in protecting you from a credential stuffing attack – the best way to prevent that is by using different passwords for every account you have.
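The difference described above is visible in login logs: brute force hammers one account with many guesses, while credential stuffing tries many accounts once or twice each. The following is an added example, not part of the original guide, that classifies source addresses by that shape; the log format, thresholds, usernames and addresses are constructed assumptions.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines in an assumed 'time ip user result' format."""
    lines = []
    # Many accounts, one try each: the credential stuffing shape.
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    for i, user in enumerate(users):
        result = "OK" if user == "dave" else "FAIL"  # one reused password works
        lines.append(f"2024-05-01T10:00:{i:02d} 198.51.100.9 {user} {result}")
    # Many tries against one account: the brute force shape.
    for i in range(8):
        lines.append(f"2024-05-01T10:05:{i:02d} 203.0.113.7 alice FAIL")
    # An ordinary user mistyping a password twice, then logging in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"2024-05-01T10:09:{i:02d} 192.0.2.44 grace {result}")
    return "\n".join(lines)

def classify_sources(log_text, min_failures=5):
    """Return {ip: (verdict, accounts_to_reset)} from failed-login patterns."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> fail count
    successes = defaultdict(set)                      # ip -> users logged in
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, result = parts
        if result == "FAIL":
            failures[ip][user] += 1
        elif result == "OK":
            successes[ip].add(user)
    report = {}
    for ip, users in failures.items():
        total = sum(users.values())
        per_account = total / len(users)  # average guesses per targeted account
        if total < min_failures:
            verdict = "normal"
        elif len(users) >= min_failures and per_account <= 2:
            verdict = "credential-stuffing"
        elif per_account >= min_failures:
            verdict = "brute-force"
        else:
            verdict = "suspicious"
        # A success from a flagged source means that account needs a reset.
        hits = sorted(successes[ip]) if verdict != "normal" else []
        report[ip] = (verdict, hits)
    return report
```

Calling `classify_sources(build_sample_log())` flags the stuffing source together with the one account whose reused password let the attacker in.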

How to protect yourself from a credential stuffing attack

The main reason credential stuffing attacks succeed is that users have the same passwords for multiple accounts – yes, this is your cue to update your passwords! Luckily for you, we have a guide on how to create and remember strong passwords.

One of the easiest ways to update all your passwords with ones that are unique and strong would be to use a password manager that also has a password generator built in, like KeePassXC. This way, all your passwords will be stored securely, and you will just need to remember the password manager login to gain access to all your credentials. Using a password manager has two sides, as the credential stuffing attack on Norton LifeLock Password Manager has shown: if the password manager has a leak or suffers a data breach, all your passwords stored in there might be at risk of falling victim to a credential stuffing attack. That’s why it is crucial to only use a password manager that uses encryption to protect your passwords and that has its code published as open source, like Bitwarden or KeePass. If you choose one of our best password manager recommendations linked above, the likelihood that your passwords stored in there will suffer a data breach is close to zero: these apps secure your passwords with your own encryption key; thus, only you can decrypt your passwords. Even if a data breach happens, the attacker will not be able to siphon off your passwords.

The bottom line is that in order to prevent falling victim to a credential stuffing attack, you need to have different, unique, and strong passwords for every account.

Beyond these steps you can go further and request that data being stored about you be deleted from each location you find it.
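To see why unique passwords are the deciding factor, the following added example (not part of the original guide) takes a password manager export and lists which other accounts fall if one site's login leaks. The CSV column names and all entries are constructed assumptions; adjust the column names to match your own manager's export.

```python
import csv
import io

# Constructed vault export; the Title/Username/Password column names are assumed.
SAMPLE_EXPORT = """Title,Username,Password
Shop,ann@example.com,Summer2020!
Forum,ann@example.com,Summer2020!
Games,annie,Summer2020!
Bank,ann@example.com,q7#Lw9!vTz2p
Mail,ann@example.com,hR4$kk0Zmn8e
"""

def exposed_if_breached(export_text, breached_title):
    """List the other accounts put at risk when one site's login leaks."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    leaked = next((r for r in rows if r["Title"] == breached_title), None)
    if leaked is None:
        raise ValueError(f"no entry titled {breached_title!r}")
    direct, likely = [], []
    for row in rows:
        if row is leaked or row["Password"] != leaked["Password"]:
            continue  # unique password: the leaked pair does not work here
        if row["Username"].lower() == leaked["Username"].lower():
            direct.append(row["Title"])   # leaked pair works unchanged
        else:
            likely.append(row["Title"])   # password reused under another login
    return {"same_login": sorted(direct), "same_password_only": sorted(likely)}

def reuse_summary(export_text):
    """Map every entry title to the accounts that fall with it."""
    titles = [r["Title"] for r in csv.DictReader(io.StringIO(export_text))]
    return {t: exposed_if_breached(export_text, t) for t in titles}

if __name__ == "__main__":
    for title, risk in reuse_summary(SAMPLE_EXPORT).items():
        print(title, risk)
```

Entries with a unique password, like the constructed Bank and Mail rows, come back with empty lists: a breach elsewhere gives an attacker nothing to replay against them.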

Don’t fall victim to another Yahoo data breach!

If you’re a Yahoo! email user, there’s a high chance you’ve been involved in a data breach. In 2013, a massive data breach occurred where all 3 billion user accounts were impacted, and this was followed by another breach in 2014 where more than 500 million Yahoo! Mail user accounts got compromised. It’s time to ditch Yahoo! and opt for a privacy focused alternative like Tuta Mail.

If you want to delete your Yahoo! account, here’s a step-by-step guide on how to delete your Yahoo! account, and if you want to swap to a privacy-focused email provider that hasn’t been part of a data breach, we’d recommend Tuta Mail. Find out how Tuta Mail and Yahoo! Mail compare by checking our guide to Yahoo vs Tuta Mail.

In today’s online world, privacy is becoming increasingly difficult and out of reach for web users. Want to create a new email account with Gmail? Or buy a shirt online? Well, you’ll need to give them a list of private information first! This isn’t how the internet should be.

Unfortunately, big tech companies like Microsoft, Google, and Meta are so power, money and data hungry that they collect your private information, track you via their apps, and sell your data to advertisers to drive profits. In return, you are ad targeted and don’t get the privacy you deserve. A big concern here is that to use these different online services you always need to hand out your private details, like your cell phone number or email address. Because of this, if one of these services is involved in a data breach, well then, it’s highly likely that your private information is not so private anymore!

We’d recommend switching to a privacy focused email provider like Tuta Mail which doesn’t ask for private information upon creating an account. With Tuta Mail you can sign up anonymously, it’s free, and your whole mailbox is end-to-end encrypted.

Tuta is an email and calendar service built in Germany, under strict EU GDPR laws. But beyond this, Tuta is fully open source, and adheres to stringent privacy and security protocols. Tuta Mail is a leader in terms of email privacy and security, if not the most secure email provider in the world.

Sign up for your free Tuta Mail account today, to enjoy the online privacy you deserve.