Contact Us Today 01642 716680

Credential Stuffing

Definition: Credential Stuffing is a type of cyber attack in which attackers use lists of compromised user credentials to breach a system. They exploit the common practice of reusing usernames and passwords across multiple services, attempting to gain unauthorised access to user accounts by trying these known combinations on different websites.

In cyber security, Credential Stuffing poses a significant threat due to the widespread habit of password reuse among internet users. When a data breach occurs, and a database of credentials is leaked, attackers can automate the login process on a wide range of websites to identify where these credentials might work. Unlike Brute Force Attacks, which try all possible combinations, Credential Stuffing relies on pairs of usernames and passwords that are known to have been valid at some point.

To defend against Credential Stuffing, organisations can implement security measures such as requiring Multi-Factor Authentication (MFA), monitoring for unusual login attempts, employing device fingerprinting, and educating users about the importance of unique passwords for every account.

Key Characteristics:

  • Automated Login Attempts: Attackers use bots to automate the process of trying different username and password combinations.
  • Exploitation of Password Reuse: Leverages the tendency of users to reuse the same credentials across multiple services.
  • Based on Known Credentials: Uses previously leaked or stolen usernames and passwords from data breaches.
  • Large-Scale Attacks: Often targets a large number of accounts simultaneously, increasing the odds of success.


  • Real-World Example: The attack on the video service provider Hulu in 2018, which led to unauthorised access to accounts using information obtained from previous data breaches on other sites.
  • Hypothetical Scenario: An attacker obtains a leaked database containing usernames and passwords from a forum and uses those credentials to attempt to log in to email providers, banking services, and social media platforms.

Related Terms:

  • Brute Force Attack: An attack technique where attackers systematically try all possible passwords for a single account.
  • Multi-Factor Authentication (MFA): An authentication method that requires users to present two or more independent credentials to authorise access, helping to mitigate the impact of Credential Stuffing.
  • Data Breach: A security incident where information is accessed without authorisation, often leading to credentials becoming available for Credential Stuffing attacks.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.