Credential Stuffing Attacks: What Types Of Organizations Are The Most Vulnerable?

A British energy provider recently notified affected customers of a system breach that compromised account information. The breach led to the decision to shut down the firm's mobile app.

The hackers used an attack called "credential stuffing," which involves using sign-on credentials that have been stolen from other websites and running automated sign-on attempts.

According to cybersecurity experts, this is not a sophisticated attack, and can be prevented if users refrained from using the same password for multiple accounts.

The success of credential stuffing attacks is a primary reason why organizations must promptly notify customers of data breaches. The sooner users realize their password has been compromised, the less likely that password can be used to access other accounts.

Customers affected by a systems breach must be alert to future attempts of fraud and phishing attacks against them. Robert Scammell "Npower data breach: Credential stuffing attack forces app closure" (Feb. 26, 2021).


Credential stuffing is a type of system attack in which the cybercriminal uses a software program to attempt sign-ons on a massive scale using previously stolen usernames and passwords (usually purchased on the dark web).

Once the cybercriminal gets a match and can access the account, they can steal money that may be in the account; use the access to navigate deeper into the system network; or use acquired information to commit identity theft or targeted phishing attacks.

Financial and retail businesses are prime targets for credential-stuffing attacks.

Although not foolproof, two steps that will hinder the success of credential stuffing are implementing multi-factor authentication and utilizing CAPTCHA technology, which requires the user to perform an action to establish they are a human.

In addition, by “fingerprinting” or collecting information on a user’s device - the operating system, language, browser, time zone, etc. - your system can create a user identity. When the same combination of identifying data tries to log in several times in sequence, chances are high that it is a credential stuffing attack.

Finally, your opinion is important to us. Please complete the opinion survey: