惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
S
Security Affairs
T
Tor Project blog
T
Threatpost
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cyber Attacks, Cyber Crime and Cyber Security
The Hacker News
The Hacker News
A
Arctic Wolf
K
Kaspersky official blog
O
OpenAI News
Spread Privacy
Spread Privacy
人人都是产品经理
人人都是产品经理
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
雷峰网
雷峰网
P
Privacy & Cybersecurity Law Blog
Know Your Adversary
Know Your Adversary
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Last Week in AI
Last Week in AI
Martin Fowler
Martin Fowler
量子位
博客园_首页
Cyberwarzone
Cyberwarzone
博客园 - 三生石上(FineUI控件)
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
IT之家
IT之家
N
News and Events Feed by Topic
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
S
Schneier on Security
博客园 - 叶小钗
Attack and Defense Labs
Attack and Defense Labs
AI
AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 【当耐特】
Jina AI
Jina AI
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
Cybersecurity and Infrastructure Security Agency CISA
D
Darknet – Hacking Tools, Hacker News & Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
V
V2EX
S
SegmentFault 最新的问题
V
Visual Studio Blog
PCI Perspectives
PCI Perspectives
Microsoft Security Blog
Microsoft Security Blog

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Credential stuffing: What it is and how to protect yourself
Christian Ali Bravo · 2026-01-08 · via WeLiveSecurity

Digital Security

Reusing passwords may feel like a harmless shortcut – until a single breach opens the door to multiple accounts

08 Jan 2026  •  , 4 min. read

Credential stuffing: What it is and how to protect yourself

Reusing the same password across multiple accounts may be convenient, but it sets you up for trouble that can cascade across your digital life. This (bad) habit creates the perfect opening for credential stuffing, a technique where bad actors take a list of previously exposed login credentials and systematically feed the username and password pairs into the login fields of selected online services. And if you recycle the same credentials across various accounts, a single such pair can grant attackers access to otherwise unrelated online services.

Indeed, credential stuffing is the digital equivalent of someone discovering a skeleton key that opens your house, office, and safe – all in one sweep. And finding that key needn't be difficult at all – it can be gathered from past data breaches and cybercrime markets or attackers can deploy so-called infostealer malware that siphons credentials off compromised devices and web browsers.

What makes credential stuffing so dangerous and effective?

As is probably obvious by now, this threat pays off handsomely for attackers because of our penchant for reusing passwords across accounts – including high-value ones, such as online banking, email, social media and shopping sites. To gauge how common this bad habit is, NordPass recently shared a survey stating that 62% of Americans confess to reusing a password "often" or "always".

Once an attacker finds login credentials in one place, they can try them everywhere. Then they can use bots or automated tools to “stuff” these credentials into login forms or APIs, sometimes rotating IP addresses and mimicking legitimate user behavior to stay under the radar.

Compared to brute-force attacks, where attackers attempt to guess a password using random or commonly used patterns, credential stuffing is simpler: it relies on what people themselves or their online services of choice have already exposed, often years earlier. Also, unlike brute force attacks, where repeated login failures can trigger alarms, credential stuffing uses credentials that are already valid and the attacks remain under the radar.

While credential stuffing is by no means new, several trends have exacerbated the problem. Info-stealing malware has exploded in volume, quietly capturing credentials directly from web browsers and can even be a threat for password managers. At the same time, attackers can use (AI-assisted) scripts that simulate normal human behavior and slip past basic bot defenses, all while being able to test credential pairs more stealthily and at a greater scale.

Here’s the scale at which credential stuffing attacks can be conducted:

  • In 2022, PayPal reported that nearly 35,000 customer accounts were compromised via credential stuffing. The fintech firm itself was not breached – attackers simply leveraged login credentials from older data leaks and accessed accounts belonging to users who had recycled the same passwords across multiple accounts.
  • The 2024 attack wave targeting Snowflake customers showed another dimension of the problem. The data storage and processing service itself wasn’t breached, but the incident affected some 165 organizations who were its customers. This was after attackers used credentials previously stolen via infostealer malware to access the firms’ multiple Snowflake accounts, with some victims later receiving ransom demands for stolen data.

How to protect yourself

Here a few practical steps you can take to stay safe. The first step in particular is (disarmingly) simple:

  • Never reuse the same password across multiple sites or services. A password manager makes this a breeze as it can generate and store strong, unique passwords for each account.
  • Enable two-factor authentication (2FA) wherever possible. Even if attackers know your password, they still won’t be able to log in without that second factor.
  • Stay alert and also use services such as haveibeenpwned.com to check whether your email or credentials have been exposed in past leaks or breaches. If they have, take action and change your passwords immediately, especially for accounts storing sensitive data.

How to protect your organization

These days, credential stuffing is also a primary vector for account takeover, fraud, and large-scale data theft across industries, including retail, finance, SaaS, and health care. Many organizations still rely solely on passwords for authentication and even where 2FA is available, it's by no means always enforced by default. Companies should also restrict login attempts, require network allow-lists or IP whitelisting, monitor for unusual login activity, and adopt bot-detection systems or CAPTCHA to block automated abuse.

Importantly, many organizations are embracing passwordless authentication, such as passkeys, which effectively make credential stuffing useless. Yet adoption remains uneven, and old habits die hard, so it's little surprise that credential stuffing continues to deliver a high return for attackers with minimal effort.

At the same time, millions of leaked credentials remain valid long after a breach, especially when users never change their passwords. Therefore, credential stuffing is low-cost, highly scalable, and consistently effective for cybercriminals.

Conclusion

Credential stuffing is a surprisingly simple, low-cost and scalable attack technique. It works because its uses our own habits against us and subverts outdated safeguards. Unless you want to move beyond passwords completely, the risk of account break-ins can be neutralized through thoughtful password practices. Those are not optional – they need to be standard practice.


Let us keep you
up to date

Sign up for our newsletters