Skip to main content


Credential stuffing

Credential stuffing is a type of cyberattack where stolen account- and log-in credentials are used to gain unauthorized access to user accounts through large-scale automated login requests. Typically this involves usernames and passwords used in webapplications. There is no brute force component to this type of cyberattack as no password guessing takes place. This type of attack is possible because users often reuse usernames and passwords across different websites and platforms or do not change their passwords after a data breach.

Several measures can be taken to reduce the chance of unauthorized access through credential stuffing. This includes using unique passwords on all accounts (user), enable two-factor authentication (service provider and user), and detect and stop credential stuffing attacks (service provider). There are several services that can inform domain name holders and e-mail account holders of credential spills, you get notified when passwords are breached so you can change your account password. 

Related keywords: data leakage, password manager, automated injection, web application