Credential stuffing is the use of stolen username and passwords in order to gain unauthorised access to user accounts other than the place where the credentials were stolen from. Credential stuffing is made possible due to the frequent reuse of user passwords across a number of of websites and applications, despite this being a practice which is discouraged. With cyber-criminals aware of the tendency to reuse passwords, they attempt to use the stolen credentials on other, unrelated websites or applications. By using username and password combinations which are known to work together, they can avoid some of the issues which come with trying to brute-force entry, such as websites which block users or IP addresses with multiple fail attempts.

Cyber-criminals mainly gain access to records of credentials as a result of cyber-breaches of online organisations. Due to continuing issues of major cyber-breaches, many of them in which cyber-criminals succeed in making off with billions of credentials, the issue of credential stuffing represents a major issue in cybersecurity.

Various figures are given for the success rate of credential stuffing. Despite this inconsistency, even for a success rate of 1%, 10,000 accounts would still be breached. The valuable accounts that cyber-criminals would hope to be able to get into would be those including access to financial or personal details, which could allow them to use other attack techniques such as authorised push payment fraud or sim swap fraud.

Additional Information

  • Credential stuffing is not to be confused with credential spilling, which is when stolen credentials are made available to other criminals, such as by posting the stolen details on a hacker’s forum.
  • The term was invented by Sumit Agarwal when he was working as Deputy Assistant Secretary of Defense at the Pentagon.


Last updated: 9 June 2018