Credential Stuffing Attacks: How To Protect Yourself

Credential Stuffing Attacks: How To Protect Yourself

Jan 5, 2022 | Data & Cybersecurity

credential stuffing protection

The New York Office of the Attorney General said this week that it identified and notified 17 well-known online retailers, restaurant chains, and food delivery services that have been the victims of credential stuffing attacks.

What Is Credential Stuffing?

Credential stuffing is a mode of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other online services. “It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another,” describes the New York Office of The Attorney General.

Threatpost enlightens our technical understanding of credential stuffing: “Credential stuffing uses automated scripts to try high volumes of usernames and password combinations against online accounts in an effort to take them over. Once in, cybercriminals can use the compromised accounts for various purposes: As a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and if it’s an email account, they can impersonate the victim for attacks on others.”

The Latest Credential Stuffing Episode

New York Attorney General Letitia James said her office discovered the breaches after monitoring online communities dedicated to credential stuffing. In this spate of attacks, 1.1 million user accounts were hacked and sold online.

“The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps,” James said.

The OAG worked with the compromised companies to determine how attackers circumvented existing safeguards and provided recommendations for strengthening data security programs to better secure customer accounts moving forward.

Of the 17 companies whose customer accounts were hacked, all took steps to both secure and notify the compromised accounts.

More Stuffing Statistics

The Ponemon Institute Cost of Credential Stuffing report reveals that organizations lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customer, and increased IT costs.

A “large content delivery network” reported that it witnessed more than193 billion such attacks in 2020 alone.

Pause the music – well-known music streaming platform Spotify has experienced numerous credential stuffing attacks.

Combat Credential Stuffing Attacks

Like many people today, I have a neighborhood watch application which alerts me to things happening in my community. Oftentimes people will post videos of threat actors checking the locks on cars and home doors.  The manner in which you defend yourself against this activity depends on your risk tolerance.  The same is true in business.

The perimeter “door knob” testing is similar to the recent announcement by the New York Office of the Attorney General (OAG) on credential stuffing attacks against multiple organizations.  The fact is, there are billions of compromised credentials easily available on the Internet. Threat actors will constantly use these resources in an attempt to breach digital assets.

In this case, the importance of Identity and Access Management (IAM) cannot be overstated.  Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data.

The equation to combat credential stuffing is straightforward:

  • Strong passwords are good, but passphrases are better
  • Privileged access should always be accompanied with multi-factor authentication
  • Throttle Internet facing applications to prevent brute force login attempts
  • Detection and response mechanisms must be deployed and validated regularly


These are just a few of the fundamental controls needed to protect your data.  It’s important to remember your digital asset boundary is like squeezing a balloon.  You can tighten one side, but the other side expands. The challenge is finding that middle ground.  When third parties are involved, the task becomes increasingly difficult as you must ensure they are following no less than the controls you’ve specified.

See our glossary definition of a strong password or read more about protecting passwords here.

Blog Footer Cybersecurity

Ron Bradley

Ron Bradley has been involved with Shared Assessments in some capacity for over 15 years. Notably, Bradley wrote some of the very first questions for the Standardized Information Gathering (SIG) Questionnaire. In this course of time, his hair has transitioned from an afro to his current distinguished style.

With a depth of experience building TPRM programs in financial services (Bank of America) and manufacturing (Reynolds, Trane Technologies), Ron understands how cultures and organizations drive the supply chain and third party process. As Vice President, Ron strives to use his extensive knowledge of Third Party Risk Management to help organizations build programs that realize the full potential of the Shared Assessments toolkit.

Ron’s experience in Europe, Asia and South America has allowed him to assess different vendor environments and to build Third Party Risk Management operations from the ground up across the world. Ron is an expert in risk in the manufacturing environment, Operational Technology, and Operational IoT.

Ron lives in Charlotte, North Carolina, and takes frequent trips to Scottsdale, Arizona. He loves golf, travel, and his Big Green Egg, which brings the people around Ron excessive quantities of love, joy, and happiness. Ron’s 24-year-old daughter and his famed sister Kathleen Bradley (first black game hostess!) bring him great delight.

Connect with Ron on LinkedIn or by email.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics