What is credential stuffing, and why is it dangerous to your business?

Using different passwords for each of your online accounts helps to prevent cybercriminals from accessing your sensitive data. However, implementing this simple cybersecurity practice may be easier said than done. Seventy-five percent of the respondents in a poll conducted by Google say they become frustrated trying to remember all of their passwords. This is why some people end up using only one password for all of their accounts. While this may be convenient, such behavior makes accounts vulnerable to credential stuffing.

What is credential stuffing?

Credential stuffing involves an attacker using a person’s login credentials — typically obtained through phishing or a large-scale data breach — to log in to the user’s other online accounts. This attack is often perpetrated to steal money, attempt corporate account takeover, or commit industrial espionage. Attackers may also sell access to the compromised accounts on the dark web.

How does credential stuffing work?

Credential stuffing starts with a hacker creating a bot that automatically logs into multiple user accounts at the same time. After acquiring a list of login credentials, the attacker uses the bot to check if the usernames and passwords work on other websites.

Once they successfully log in to a corporate account, the hacker can steal sensitive data such as employee information, email addresses, trade secrets, and intellectual property, among others. Oftentimes, they keep this data for future cyberattacks like spear phishing.
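The bot behavior described above leaves a recognizable trace in authentication logs: one source trying many different usernames in a short time, with most attempts failing. The following detection sketch is an added example, not part of the original article; the log format, the thresholds, and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 carol@example.com OK
2024-05-01T10:00:07Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:09Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:11Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.20 bob@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.20 bob@example.com OK
2024-05-01T10:02:00Z 192.0.2.50 gina@example.com OK
2024-05-01T10:02:10Z 192.0.2.50 hal@example.com OK
2024-05-01T10:02:20Z 192.0.2.50 ivy@example.com OK
2024-05-01T10:02:30Z 192.0.2.50 jon@example.com OK
2024-05-01T10:02:40Z 192.0.2.50 kim@example.com OK
"""

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.2):
    """Flag IPs that try many distinct usernames in one window and mostly fail."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            by_ip[ip].append((when, user, result == "OK"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            ok_ratio = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                # Any login that succeeded from a flagged IP needs a forced reset
                findings[ip] = sorted({u for _, u, ok in events if ok})
                break
    return findings

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: likely credential stuffing; reset {accounts}")
```

The success-ratio check is what separates the attacking address from the shared office address in the sample, where five different users log in from one IP but all succeed.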

How has credential stuffing affected businesses?

These incidents show the impact of credential stuffing on businesses.


In April 2020, more than half a million accounts of the popular video conferencing app were obtained via credential stuffing and then made available on the dark web.

According to researchers from cyberthreat intelligence company IntSights, the attackers collected databases from online crime forums and dark web markets containing credentials stolen from various hacking attacks since 2013. They then tried entering these credentials into Zoom, where they were able to access various accounts. The stolen Zoom passwords were subsequently put up for sale.

Zoom later verified that the accounts were legitimate. If a malicious actor gains access to an account, they might be able to see the contents of any meetings that the account owner has either hosted or participated in. This means that the total number of parties impacted by this particular credential stuffing attack is likely much higher than the number of accounts that were sold.

What’s more, the hacker can choose to impersonate the account owner and eavesdrop on any meeting the account has access to. They can also send malware-infected files to the account’s contacts to initiate other data breaches.


In February 2021, security researcher Bob Diachenko discovered a database containing more than 100,000 account details that cybercriminals used to compromise Spotify accounts. The audio streaming company assured its users that the credential stuffing attack was not a result of any breach of their security and issued a password reset to those who were impacted.

Had Spotify failed to issue the password reset, however, an attacker could have gained access to a user’s listening history and music preferences. They could have also impersonated the user to perform fraudulent activities.

How can you protect your business from credential stuffing attacks?

Aside from requiring the use of unique and strong passwords for each of your employees’ accounts, using multifactor authentication (MFA) and data breach monitoring services are effective ways to prevent credential stuffing attacks.

MFA is an effective solution to prevent credential stuffing. It requires users to prove their identity on top of passwords by using additional factors like a one-time passcode, physical security key, or a fingerprint or facial scan. Even if a hacker manages to acquire a user’s login credentials, they won’t be able to access the account without fulfilling the MFA requirements.

Meanwhile, data breach monitoring sites like BreachAlarm and Have I Been Pwned let you check if any corporate emails have been compromised. Having cybersecurity experts monitor the web can also help you see if any business information is showing up on restricted forums.

Your business deserves the best protection against credential stuffing and other cyberattacks. Partner with Safebit Solutions for affordable yet expert IT planning, implementation, monitoring, management, and auditing solutions. To learn more about cybersecurity solutions your business needs to have, download our FREE eBook today.