
Credential Stuffing: A Singular Reason Why You Need To Have Different Passwords For Your Accounts

A report from the FBI to the financial services industry cites a recent survey from data analysts showing that approximately 41 percent of cyber incidents over the past three years have targeted the financial sector.

The survey also shows that cybercriminals' increasing use of credential-stuffing attacks corresponds to a rise in the number of stolen credentials found on the dark web.

The FBI points to user negligence, particularly regarding passwords, as key to the criminals' success in hacking financial accounts. The survey reported that 60 percent of respondents use the same password across multiple accounts, and cybercriminals are taking advantage of it. Hackers employ bots in their credential-stuffing attacks: the bots take already stolen credentials and attempt logins at massive scale across many accounts and sites.

The cost to businesses hit by this type of attack involves more than just system downtime and damage to reputation. Victims also face the financial expense of notifying customers and repairing a hacked network system.

To prevent attacks associated with compromised credentials, the FBI suggests businesses employ multiple strategies. This should include educating customers and employees about the threat and encouraging them to use unique passwords and change them regularly. Filip Truta "FBI: 41% of Financial Sector Cyber Attacks Come from Credential Stuffing" (Oct. 02, 2020).


Credential stuffing is a term describing a cyberattack method that targets a site, such as a financial site, using compromised usernames and passwords. The credentials come from past breaches and are often purchased in bulk and loaded into automated credential-stuffing tools.

Credential stuffing succeeds only against accounts whose owner has reused the same credentials elsewhere.

For example, suppose Joe uses the same username and password for a gaming application as he uses for his bank account. If his gaming application credentials are compromised and his bank later experiences a mass credential-stuffing attack using those stolen credentials, Joe's bank account and the funds within it are at risk.

The best way to prevent credential stuffing is to have a different password for each account.

Other general protection steps include: changing any credentials you suspect or know to be compromised; routinely changing passwords; using multi-factor authentication for login; verifying emails and passwords against lists of known stolen credentials; and utilizing monitoring tools that detect an unusual rise in login attempts and other irregular system activity.

Monitor all financial accounts and report any suspicious activity, including the creation of new payees in a bill-pay system.
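The monitoring step above, as an added example that is not part of the original article: a small Python detector that flags a source IP when many distinct usernames are tried from it in a short window and most of those attempts fail, which is the signature of a bot replaying a stolen credential list rather than one user mistyping a password. The log format and the sample lines are constructed for this example.

```python
"""Flag source IPs whose login pattern matches credential stuffing:
many distinct usernames tried from one IP in a short window, mostly failing.
Log format is hypothetical and constructed for this example:
    <unix_ts> <src_ip> <username> <ok|fail>
"""
from collections import defaultdict

# Constructed sample: 198.51.100.7 tries six different accounts in 15 s
# (one succeeds, which is the stuffing "hit"); 203.0.113.9 is one user
# mistyping their own password and must NOT be flagged.
SAMPLE_LOG = """\
1700000000 198.51.100.7 alice fail
1700000003 198.51.100.7 bob fail
1700000006 198.51.100.7 carol fail
1700000009 198.51.100.7 dave ok
1700000012 198.51.100.7 erin fail
1700000015 198.51.100.7 frank fail
1700000001 203.0.113.9 grace fail
1700000005 203.0.113.9 grace fail
1700000010 203.0.113.9 grace ok
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((int(ts), ip, user, result == "ok"))
    return events

def detect_stuffing(events, window=60, min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, fail_ratio, hits)} for IPs
    with a sliding window meeting both thresholds. 'hits' are accounts
    that logged in successfully from a flagged IP: those need a forced
    credential reset and customer notice, not just an IP block."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in sorted(by_ip.items()):
        evs.sort()
        for start, _, _ in evs:
            win = [e for e in evs if start <= e[0] < start + window]
            users = {u for _, u, _ in win}
            ratio = sum(not ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                hits = sorted(u for _, u, ok in win if ok)
                flagged[ip] = (len(users), len(win), round(ratio, 2), hits)
                break
    return flagged
```

Thresholds should be tuned to the site's normal traffic; a shared corporate NAT address legitimately shows several users per IP, so the failure ratio matters as much as the user count.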
