
Protect yourself from credential stuffing


You hear the advice over and over – use a different password on every website and change it frequently. But there are so many websites you visit to shop, to bank, for your job, for social media and more. It’s hard keeping track of them all, so why not take a short cut and use the same username and password for multiple sites?
Credential stuffing counts on you doing just that – reusing usernames and passwords – to gain access to your various online accounts. Canada is one of the top-targeted countries for this type of attack, so knowing how to protect yourself is key.

What is credential stuffing?

Credential stuffing is essentially when hackers use stolen login credentials (i.e. username/email and password) from one site and run them through other sites to see if they’ll work. When a security breach occurs at a big online company (e.g. e-commerce site, social media site) hackers take those usernames and passwords and "stuff" them into other website login pages and computer systems until they find sites or computers that accept them.

How credential stuffing works

  1. The hacker acquires usernames and passwords from a security breach or password dump.
  2. The hacker then uses an account checker app or script to test the stolen login information against thousands of websites (e.g. social media sites or online marketplaces).
  3. Successful logins (usually 0.1 - 0.2% of the total login attempts) allow the hacker to take over the account matching the stolen credentials.
  4. The hacker gets into your account and is able to drain assets, make unauthorized transactions and conduct other fraudulent activities. They may also use the credentials to carry out identity theft.
“The most important way to protect yourself against credential stuffing is to use different passwords for every website you use.”
If you use the same username and password for multiple websites, hackers can take that info from a compromised website and use it on other websites.
This process rarely involves a single hacker working on their lone computer; instead, criminal groups will use automation to carry out attacks across millions of websites and personal computers.

How you can prevent credential stuffing

The single most important way you can protect yourself against credential stuffing is to use different passwords for every website and app you use. Yes, it’s a pain, but recovering from a cyberattack or identity theft is a bigger one.
To help, many browsers can suggest and remember passwords for you or you can use a password manager to keep track of them all. Changing your passwords frequently will also help keep you safe, as will using two-factor authentication when it’s available.
It can be scary to hear about the latest security breach, but by following a couple of simple password protocols, you can give yourself peace of mind.
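
One way to check your own accounts for the password reuse described above, as an added example that is not part of the original article: a short Python script that reads a password manager's CSV export and lists every password shared by more than one site, without displaying the passwords. The column names (url, username, password) and the sample entries are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names (url, username, password) are an
# assumption, so adjust them to match your password manager's CSV format.
SAMPLE_EXPORT = """url,username,password
https://shop.example/login,alex@example.com,Maple-Tree-42
https://social.example/,alex@example.com,Maple-Tree-42
https://www.shop.example/account,alex@example.com,Maple-Tree-42
https://bank.example/signin,alex,q7#Vd!unique-long-one
https://forum.example/,alex99,Maple-Tree-42
"""

def site_of(url):
    """Reduce a URL to its host name, without a leading 'www.'."""
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host

def find_reuse(csv_text):
    """Return {fingerprint: sorted sites} for passwords used on 2+ sites."""
    sites_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue  # skip entries with no stored password
        # Short fingerprint so the report never shows the password itself.
        tag = hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]
        # Two entries for the same site count once: that is not reuse.
        sites_by_password[tag].add(site_of(row["url"]))
    return {tag: sorted(sites) for tag, sites in sites_by_password.items()
            if len(sites) > 1}

def report(csv_text):
    """Print one line per reused password, naming the sites that share it."""
    for tag, sites in find_reuse(csv_text).items():
        print(f"password {tag} is shared by {len(sites)} sites: {', '.join(sites)}")

if __name__ == "__main__":
    report(SAMPLE_EXPORT)
```

Every site named in the report should get its own new password, and the export file should be deleted once the check is done, since it holds all your passwords in plain text.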
