Credential Stuffing

Credential stuffing is the automated use of exposed username/password combinations to gain access to user accounts and, if necessary, to take them over completely.

What does the term “Credential Stuffing” mean in detail?

The term, “credential stuffing” is composed of credentials or login data, and “stuffing,” or filling. In this procedure, a website’s login page, for example, of an online store, is automatically filled. Long lists of known credentials are processed. The calculus behind it: Some of these credentials will still be valid and can then be misused, eg., for shopping in this online shop. These login credentials are from incidents where hackers were able to capture credentials. For example, they may have hacked an email provider, an online store, or a credit card company and got access to the credentials stored there. These lists are sold or even circulated for free on the Internet. Credential stuffing is always successful, as many users use their passwords multiple times and rarely change them. This also makes older lists with credentials interesting for cyber criminals. The hackers do not enter the login data manually, but automatically, via so-called bots. This allows them to test almost any number of dates for their validity. The result: According to the IT security firm, Shape Security, credential stuffing attempts average 80-90% of the total login traffic from any online store.

Where will I encounter the topic Credential Stuffing in everyday work?

In everyday working life, you mostly encounter the topic of credential stuffing indirectly. For example, if you're signing in to your user account on a web site and you have to enter numbers and letters from a distorted image in addition to your credentials. Bots and credential stuffing attempts fail at this so-called captcha codes.

What can I do to improve my safety?

As part of the Perseus IT Security Check, you’ll see if your email address appears on common Credential Stuffing Lists. If so, the following recommendations are even more important to you.

Change passwords that you have been using for some time

The more frequently you change your password, the faster your credentials will lose their topicality should they be stolen. If this has already been done, you should change all the passwords that you use in combination with the respective e-mail address.

Use as many different passwords as possible

Ideally, you will not use a password twice. In this memory engineering feat, a password manager will help you (see next paragraph). If this is currently not an option for you, use as many different passwords as possible. User accounts whose criminal exploitation would be particularly damaging will inevitably receive unique, complex passwords.

Treat yourself to a password manager

A password manager is a program that generates an individual, complex password for each user account and remembers this for future visits. You only need to remember the password for the password manager, yourself. In general, password managers provide a high level of security. But they are not infallible. Since these are programs, they too can theoretically be hacked.

Protect as many user accounts as possible with two-factor authentication.

A two-factor authentication offers a lot of security. We recommend: Use this with all accounts that give you the opportunity.