Get in Touch
Back to main blog page

What is credential stuffing and why should you care?

25th November 2019 | posted by David Acland

Credential stuffing, is a simple but effective technique to take over more of your online accounts using a known set of credentials.

It’s scarily simple.  The attacker takes one of your username and password combinations that has been leaked online, and tries them against a long list of other websites.  If a match is found, they add them to the list of working credentials, ready to be sold on, or used for malicious purposes.

But how do you know my username and password?

Have you ever signed up for an online service? Maybe a few forums? It’s becoming well known that companies can be extremely valuable if they can build a database of thousands, or even millions of user accounts.  The more details they can record against these accounts, the better.

So everyone is at it! It’s rare to visit a website that doesn’t offer some kind of “login or create an account” option, offering all kinds of benefits behind a curtain.

If nothing else, our FOMO gets us to sign up on some sites!

The issue, is that these sites are getting breached all the time! Their databases of usernames and passwords are being hacked and harvested and then published (or sold) on the Internet.

Of course as an attacker, having to crawl through hundreds or even thousands of username and password data dumps is a little inconvenient. Luckily, these have been lumped together in what has been branded as “collections”. The most notable being “collection #1”, that had 773 million sets of credentials (

How do they use the credentials?

The task is to test millions of sets of credentials against thousands of different websites to see if any of them successfully log in.

To get the job done quickly, the attackers will use automation scripts, leaving computers running day and night working through the lists, marking the successful matches.

Why are they doing it?

Simply put, there’s money in it. The value can range from a few £ to several hundred per item, depending on what you can do with it.

The value is based on a few factors:

  • How convincingly can they use the credentials to impersonate you?
  • What can they do with each specific set of credentials if they find a match

At the low end, maybe valued at £1-2, would be a website login that can be used to damage your reputation.

Moving up are credentials that hold richer PII (personally identifiable information) that can be used for social engineering, or have the ability to unlock other accounts. For example, if an attacker had access to your email account, they could use it to perform password resets on other services you signed up for.

Further at the top would be credentials that hold direct value. This can be things like air miles, loyalty card points, successful Fortnite accounts, virtual currency, or just plain money.

How do I protect against it?

There’s a few things you can do to protect against credential stuffing.

First off, use MFA whenever possible. Although not foolproof, it is a significant security enhancement that will make it much harder for the attacker to access your online accounts. It means that even if an attacker knows your username and password, they also need to get a continuously rotating 6-digit number from your phone or Authenticator app.

The second recommendation is to use a different password for each web service. This means that if an attacker gets one of your passwords right, it will be isolated to that one compromised web service.

Of course trying to remember hundreds of passwords may seem a little daunting. To help with this, we would recommend using a password manager. There’s a range of paid and free password manager tools like 1Password, LastPass, and Dashlane available that can generate and store randomised passwords for each individual service.

The last recommendation is to check your email address and passwords with  This is a free service that can let you know whether your email or passwords have shown up on leaked credential lists. This way, you’ll know if you need to change them.

Other Articles

blog image
MacAD UK 2018 – Shields up, Captain?
21st February 2018

Update, 2018.03.30: Added link to YouTube Video Hi All, I had the pleasure of delivering…

5 tips to keep your Mac running smoothly
22nd January 2018

We have all been there where your Mac starts to run a bit slower than…

Top 5 security measures to implement in 2020
3rd January 2020

If you’re looking at implementing new IT security measures in 2020 but are unsure where…

Multi-Factor Authentication and why it’s absolutely needed in your business!
20th August 2019

What is MFA? Multi-Factor Authentication (sometimes referred to as 2-Factor Authentication) is an enhanced security…

How to fix issues with Outlook search in macOS
14th January 2020

From time to time, you search for emails in Outlook and it doesn’t display the…

About moof IT

moof IT are an Apple focused IT company providing a full range of services to over 150 clients including user support, device management, infrastructure and security.

Contact Info

Tel: 0203 983 4444


London: 1st Floor 20 Noel Street London W1F 8GW

Manchester: The Sharp Project, Thorp Rd, Manchester M40 5BJ

Surrey: Unit 9B, Southbridge House, Southbridge Place, Croydon CR0 4HA

Social Media