Get in Touch
Back to main blog page

What is credential stuffing and why should you care?

25th November 2019 | posted by David Acland

Credential stuffing, is a simple but effective technique to take over more of your online accounts using a known set of credentials.

It’s scarily simple.  The attacker takes one of your username and password combinations that has been leaked online, and tries them against a long list of other websites.  If a match is found, they add them to the list of working credentials, ready to be sold on, or used for malicious purposes.

But how do you know my username and password?

Have you ever signed up for an online service? Maybe a few forums? It’s becoming well known that companies can be extremely valuable if they can build a database of thousands, or even millions of user accounts.  The more details they can record against these accounts, the better.

So everyone is at it! It’s rare to visit a website that doesn’t offer some kind of “login or create an account” option, offering all kinds of benefits behind a curtain.

If nothing else, our FOMO gets us to sign up on some sites!

The issue, is that these sites are getting breached all the time! Their databases of usernames and passwords are being hacked and harvested and then published (or sold) on the Internet.

Of course as an attacker, having to crawl through hundreds or even thousands of username and password data dumps is a little inconvenient. Luckily, these have been lumped together in what has been branded as “collections”. The most notable being “collection #1”, that had 773 million sets of credentials (

How do they use the credentials?

The task is to test millions of sets of credentials against thousands of different websites to see if any of them successfully log in.

To get the job done quickly, the attackers will use automation scripts, leaving computers running day and night working through the lists, marking the successful matches.

Why are they doing it?

Simply put, there’s money in it. The value can range from a few £ to several hundred per item, depending on what you can do with it.

The value is based on a few factors:

  • How convincingly can they use the credentials to impersonate you?
  • What can they do with each specific set of credentials if they find a match

At the low end, maybe valued at £1-2, would be a website login that can be used to damage your reputation.

Moving up are credentials that hold richer PII (personally identifiable information) that can be used for social engineering, or have the ability to unlock other accounts. For example, if an attacker had access to your email account, they could use it to perform password resets on other services you signed up for.

Further at the top would be credentials that hold direct value. This can be things like air miles, loyalty card points, successful Fortnite accounts, virtual currency, or just plain money.

How do I protect against it?

There’s a few things you can do to protect against credential stuffing.

First off, use MFA whenever possible. Although not foolproof, it is a significant security enhancement that will make it much harder for the attacker to access your online accounts. It means that even if an attacker knows your username and password, they also need to get a continuously rotating 6-digit number from your phone or Authenticator app.

The second recommendation is to use a different password for each web service. This means that if an attacker gets one of your passwords right, it will be isolated to that one compromised web service.

Of course trying to remember hundreds of passwords may seem a little daunting. To help with this, we would recommend using a password manager. There’s a range of paid and free password manager tools like 1Password, LastPass, and Dashlane available that can generate and store randomised passwords for each individual service.

The last recommendation is to check your email address and passwords with  This is a free service that can let you know whether your email or passwords have shown up on leaked credential lists. This way, you’ll know if you need to change them.

Leave a Reply

Your email address will not be published. Required fields are marked *

Other Articles

blog img
Is macOS imaging finally dead?
15th January 2018

It’s hard to get away from the fact that Apple are pushing people away from…

blog image
Summary of the Apple T2 chip
2nd November 2018

This is a summary of the Apple T2 chip shipping in lots of the new…

To cloud or not to cloud… that is the question
7th January 2020

For the last few years the only sensible place to host your email services has been…

Registering Apple TVs with Apple Business/School Manager
15th June 2021

I recently had the pleasure of working with a client to enrol their unmanaged Apple…

The Lowdown On Apple Business Manager
15th March 2023

Apple Business Manager combines what was formerly known as Apple’s Volume Purchasing Program (VPP) and…

About moof IT

moof IT are an Apple focused IT company providing a full range of services to over 150 clients including user support, device management, infrastructure and security.

Contact Info

Tel: 0203 983 4444


London: 1st Floor 20 Noel Street London W1F 8GW

Social Media