Credential Stuffing – Are Your Business Accounts Secure?

Using a password to protect your accounts might be worthless. That is, if you use the same one for ever site or service. Regardless of the strength or complexity, using just one password creates a skeleton key for your entire digital life. And leaves you vulnerable to what is known as a credential stuffing attack.

Credential stuffing is a cyberattack technique that uses lists of compromised usernames and passwords to gain access to different accounts. Cybercriminals combine automated tools with readily available databases to gain unauthorized access into your systems.


How it Works:

When an organization suffers a data breach, the valuable cache of usernames and passwords are placed into a database. These databases can quickly become accessible to anyone if they know where to look. Recently, a collection of 2.2 billion unique username and password combination became available to download. For free. Using these billions of credentials, threat actors now have the ammunition needed to launch a credential stuffing attack. And if one of your employees is in that list, their business account could be at risk.

Once the criminals have a list of passwords, they use an automated tool that “stuffs” the information into login pages of the web service of their choosing. They could be trying to get into an Amazon account. Or maybe they are targeting business services like Office 365. This automated process will bombard the login page with combination after combination until they find one that provides them access. And just like that, one of your accounts could be compromised.


Why it matters:

The reason that credential stuffing is worrisome for business owners is because a breach can be somewhat out of their control. Without the proper safeguards in place, an employee can signup for a Netfilx trial using their business email account. If that employee isn’t security conscious, they might use the same password that protects their email account. Then, when Netflix is breached, that employee’s business password is now public knowledge. Essentially opening the door for a successful cyberattack.


How to Defend:

Unique passwords – The simplest way to defend against credential stuffing is to use unique passwords for all accounts. We know that this can be a pain, but it is the best method. And it is free. Plus, that is what password managers are for. Check out LastPass or Dashlane to keep all of you passwords in order.

MFA – Multifactor Authentication is another simple, often free, method of preventing unauthorized access. Even if you password does leak, MFA will keep threat actors out of your accounts.

Breach Monitoring – There are services that will actively monitor for data breaches associated with your business accounts. These tools can alert you whenever one of your accounts is found in a breach. Giving you a head start or changing passwords and mitigating damage.


As long as data leaks and phishing attacks continue, credential stuffing will follow. This attack style is not going anywhere anytime soon. We encourage you to share this article with your employees and enforce good password practices. Ready to start securing your business? Reach out today!

Get Award-Winning IT Support Today



Get Access to Resources to Help You Thrive

Download Now