We use passwords to secure our accounts, but once a set of credentials has been compromised it can be stuffed into other sites' login forms to take over accounts there. Credential stuffing has made headlines in recent months, perhaps in part because it has become easier for hackers to carry out such an attack.
Take the 23andMe breach, which affected about 7 million users. Although credential stuffing was the way in, the hackers first logged in that way and then used a social feature called DNA Relatives to reach further. They accessed sensitive information such as full names and locations, particularly targeting groups such as Ashkenazi Jews, and offered the information for sale online in bulk.
Hacking conjures up images of sophisticated, high-tech operations, but what makes credential stuffing so lucrative is its surprisingly “relatively unsophisticated nature,” Rob Shavell, CEO of online personal data deletion service DeleteMe, told Engadget. Hackers will use educated guesses to find your password, or simply pull old passwords from online leaks and try them against other accounts to see if they work. Their tactics include using personal information found online to guess passwords and asking generative artificial intelligence software to suggest variations on a known password that might log into another account.
Companies often fail to protect your information and place the burden on you to do what you can to prevent credential stuffing. In fact, credential stuffing is so common that you have probably already been a victim. According to security company Okta, about a quarter of all login attempts last year met the criteria for credential stuffing; its 2023 Secure Identity Report surveyed more than 800 IT and security decision makers across industries. Verizon’s 2023 analysis of data breaches found that nearly half of them involved stolen credentials. Checking your email address on a site like Have I Been Pwned can show you which of your passwords have been stolen, meaning that if you have reused one on another account, it may only be a matter of time before hackers try it there to gain access.
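The Have I Been Pwned check mentioned above works without sending your password anywhere: the Pwned Passwords API uses k-anonymity, so the client sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally against the returned range. The script below is an added example written for this page, not code from Engadget, DeleteMe or Have I Been Pwned; the canned range body is constructed (only the first suffix, the real SHA-1 tail of the string "password", is genuine, and all counts are made up), and the demo never touches the network. The `fetch_range_live` function is included to show the real request shape, including the `Add-Padding` header and the `User-Agent` the service asks clients to set.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response. The real endpoint
# https://api.pwnedpasswords.com/range/5BAA6 returns hundreds of lines. The
# first suffix below is the genuine SHA-1 tail of "password"; the other two
# suffixes and all three counts are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00A9D1CBA0A3F2A4A2B5C6D7E8F9A0B1C2D:2
FFEE1122334455667788990011223344556:0
"""


def hash_parts(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Entries with count 0 are the
    padding the API adds when Add-Padding is requested and carry no signal."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch a range from the real service (network access; not used by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "reuse-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher used by the demo: only the 5BAA6 range is canned."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch=fetch_range_constructed) -> int:
    """Return how many times the password appears in the breach corpus (0 if
    unseen), revealing only the 5-char hash prefix to the remote service."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2024!"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches" if n else "not in the canned range"
        print(f"{pw!r}: {verdict}")
```

To run it against the live service, pass `fetch=fetch_range_live` to `breach_count`; the injectable fetcher is what keeps the demo offline and testable. A non-zero count means the password is in circulation and every account still using it should be changed, which is the same signal the password managers discussed later in the article act on.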
Credential stuffing works because we stick to certain patterns when creating passwords, such as using a mother’s maiden name or a childhood address, with minor changes to make them easier to remember. “Because we’re lazy and now we have 50 passwords, the default is to just pick one password and use it in multiple places,” said Steve Winterfeld, chief information security officer at cloud company Akamai. “The problem is that you’re not taking appropriate risk measures.”
That level of risk varies greatly. The one-time account you used to try out World of Warcraft years ago, with no personal or financial information attached to it, isn’t much of a concern. But hackers are betting that you reused that email, username and password for a more lucrative account like your bank or social media, and they will use credential stuffing to log in there. “I have a username and password that I use for this work. If they’re compromised, I’m fine … it won’t affect the finances or the brand,” Winterfeld said.
Switching to strong passwords is a manageable first step toward protecting yourself from credential stuffing. Changing passwords frequently, and turning on any extra security toggles a service offers, can also help. There are other ways to protect yourself, which matters because companies have made it clear that they will do anything to avoid responsibility for protecting your data.
First, understand that once a credential is compromised, it can be used to gain access to other accounts, said Frank Teruel, CFO of anti-bot firm Arkose Labs. So change the password on any account where you have reused it, especially high-value targets such as financial or other sensitive institutions. A password manager is useful here, because some will flag a password that has turned up in a breach and offer to change it to a stronger one.
Taking a moment to clean up accounts you no longer use will greatly reduce the number of password leaks you have to worry about, Teruel said. In the meantime, make it a habit not to reuse passwords or minor variations of them, and to change passwords regularly to limit the risk.
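The reuse and near-variant habit described in this section (the same word with a bumped year or an added digit) is easy to audit from a password manager export. The script below is an added example written for this page, not code from any of the companies quoted; the vault rows are constructed and none of the passwords are real credentials. It groups accounts that share an exact password and, separately, accounts whose passwords collapse to the same "core" once case, punctuation and trailing digits are stripped, which is the kind of variation an attacker guesses around.

```python
import re
from collections import defaultdict

# Constructed vault export (site, username, password); none of these are real
# credentials. The rows are chosen to show the reuse patterns the article describes.
CONSTRUCTED_VAULT = [
    ("bank.example", "alex", "Summer2019!"),
    ("forum.example", "alex", "Summer2019!"),      # exact reuse of the bank password
    ("mail.example", "alex", "summer2020!"),       # same word, year bumped
    ("shop.example", "alex", "Dragonslayer1"),
    ("old-game.example", "alex", "dragonslayer"),  # one capital and one digit away
    ("work.example", "alex", "k7#Qv9!tPz2mW"),     # unique, random
]


def core_of(password: str) -> str:
    """Reduce a password to the 'core' a stuffing attacker would guess around:
    lowercase, drop punctuation, drop trailing digits (years, counters).
    A password made only of digits keeps its digits so it is not reduced to ''."""
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    return re.sub(r"\d+$", "", core) or core


def audit(vault):
    """Group accounts that share an exact password or a common core.
    Returns {'reused': [...], 'variants': [...]} as sorted lists of site lists;
    a core group that is identical to an exact group is not repeated."""
    by_exact = defaultdict(list)
    by_core = defaultdict(list)
    for site, _user, password in vault:
        by_exact[password].append(site)
        by_core[core_of(password)].append(site)
    reused = sorted(sites for sites in by_exact.values() if len(sites) > 1)
    exact_groups = {tuple(g) for g in reused}
    variants = sorted(
        sites for sites in by_core.values()
        if len(sites) > 1 and tuple(sites) not in exact_groups
    )
    return {"reused": reused, "variants": variants}


if __name__ == "__main__":
    report = audit(CONSTRUCTED_VAULT)
    for group in report["reused"]:
        print("identical password shared by:", ", ".join(group))
    for group in report["variants"]:
        print("near-identical passwords on:", ", ".join(group))
```

The exact-match groups are the ones to fix first, starting with the financial account; the variant groups show where a "new" password would fall to a guess derived from a leaked one. Most managers export to CSV, so the tuples above map directly onto rows of such a file.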