Get in Touch
Back to main blog page

What is credential stuffing and why should you care?

25th November 2019 | posted by David Acland

Credential stuffing, is a simple but effective technique to take over more of your online accounts using a known set of credentials.

It’s scarily simple.  The attacker takes one of your username and password combinations that has been leaked online, and tries them against a long list of other websites.  If a match is found, they add them to the list of working credentials, ready to be sold on, or used for malicious purposes.

But how do you know my username and password?

Have you ever signed up for an online service? Maybe a few forums? It’s becoming well known that companies can be extremely valuable if they can build a database of thousands, or even millions of user accounts.  The more details they can record against these accounts, the better.

So everyone is at it! It’s rare to visit a website that doesn’t offer some kind of “login or create an account” option, offering all kinds of benefits behind a curtain.

If nothing else, our FOMO gets us to sign up on some sites!

The issue, is that these sites are getting breached all the time! Their databases of usernames and passwords are being hacked and harvested and then published (or sold) on the Internet.

Of course as an attacker, having to crawl through hundreds or even thousands of username and password data dumps is a little inconvenient. Luckily, these have been lumped together in what has been branded as “collections”. The most notable being “collection #1”, that had 773 million sets of credentials (

How do they use the credentials?

The task is to test millions of sets of credentials against thousands of different websites to see if any of them successfully log in.

To get the job done quickly, the attackers will use automation scripts, leaving computers running day and night working through the lists, marking the successful matches.

Why are they doing it?

Simply put, there’s money in it. The value can range from a few £ to several hundred per item, depending on what you can do with it.

The value is based on a few factors:

  • How convincingly can they use the credentials to impersonate you?
  • What can they do with each specific set of credentials if they find a match

At the low end, maybe valued at £1-2, would be a website login that can be used to damage your reputation.

Moving up are credentials that hold richer PII (personally identifiable information) that can be used for social engineering, or have the ability to unlock other accounts. For example, if an attacker had access to your email account, they could use it to perform password resets on other services you signed up for.

Further at the top would be credentials that hold direct value. This can be things like air miles, loyalty card points, successful Fortnite accounts, virtual currency, or just plain money.

How do I protect against it?

There’s a few things you can do to protect against credential stuffing.

First off, use MFA whenever possible. Although not foolproof, it is a significant security enhancement that will make it much harder for the attacker to access your online accounts. It means that even if an attacker knows your username and password, they also need to get a continuously rotating 6-digit number from your phone or Authenticator app.

The second recommendation is to use a different password for each web service. This means that if an attacker gets one of your passwords right, it will be isolated to that one compromised web service.

Of course trying to remember hundreds of passwords may seem a little daunting. To help with this, we would recommend using a password manager. There’s a range of paid and free password manager tools like 1Password, LastPass, and Dashlane available that can generate and store randomised passwords for each individual service.

The last recommendation is to check your email address and passwords with  This is a free service that can let you know whether your email or passwords have shown up on leaked credential lists. This way, you’ll know if you need to change them.

Leave a Reply

Your email address will not be published.

Other Articles

How to hide your Desktop icons during a presentation
13th January 2020

If you have ever presented from your Mac and showed the full contents of your…

Security Vulnerability with FaceTime
29th January 2019

9to5mac revealed yesterday ( that FaceTime running on iOS has a major security vulnerability.  Using…

How to remove words from your Mac dictionary
How to Remove Words From Your Mac Dictionary
16th December 2021

When you work on a Mac, the device’s built-in spellchecker becomes an invaluable tool for…

Deploying Autodesk Maya 2018 with Jamf Pro
19th February 2018

Hi all. I recently had the pleasure of deploying Autodesk Maya 2018 with Jamf Pro…

Moof IT - Why I Need To Update My Apple Device
You Need to Update Your iPhone and Mac ASAP – Here’s Why
15th September 2021

Sometimes, device updates can wait a day or two. However, occasionally, a software update arrives…

About moof IT

moof IT are an Apple focused IT company providing a full range of services to over 150 clients including user support, device management, infrastructure and security.

Contact Info

Tel: 0203 983 4444


London: 1st Floor 20 Noel Street London W1F 8GW

Manchester: The Sharp Project, Thorp Rd, Manchester M40 5BJ

Surrey: Unit 9B, Southbridge House, Southbridge Place, Croydon CR0 4HA

Social Media