How Hackers Steal Your Reused Passwords: Credential Stuffing

As one of the leading password management apps, Dashlane knows all too well the risks of reusing weak passwords on multiple accounts. For years, we’ve told users how hackers and cyber criminals will use stolen or weak passwords from a massive data breach to deface your social media accounts, commit fraud with your credit cards, steal from your online banking account, send malicious messages and emails from your accounts, and even steal your identity.

We’ve even seen big names face highly public consequences for reusing passwords. Take, for instance, Facebook CEO Mark Zuckerberg, whose LinkedIn credentials, leaked in the 2012 data breach, led to a hacker group compromising his Pinterest and Twitter pages.

You may not be a big-time CEO, but a report by Shape Security reveals just how easy it would be to exploit your online accounts with a reused password.

5 Ways Hackers Steal Passwords

The process of exploiting your reused passwords begins when your credentials are stolen. There are various ways hackers can get their hands on your passwords. Here are 5 common ways hackers steal your passwords:

  1. The theft of a database containing your login credentials – This is one of the largest sources of stolen credentials to date. In 2016 alone, a total of 3 billion credentials were stolen.
  2. Phishing and social engineering attacks – This is a method in which a hacker will send a phishing email to steal your account information or trick you into clicking a malicious link and entering your credentials on a false site.
  3. Keyloggers, browser injectors, and other malware – Hackers often trick you into downloading malware that captures your login credentials, payment information, and other private information.
  4. Password attacks – Password attacks, including brute-force and dictionary attacks, use automated software to crack or guess your password.
  5. Wi-Fi monitoring – Never sign into an account while connected to a public or insecure Wi-Fi connection if you are not protected by software such as a VPN. Hackers often use readily available network monitoring tools to intercept your credentials and other data.

After using any of these techniques, a hacker has the option of either selling your credentials on the dark web or using them for other illegal activities, including identity theft and fraud, extortion, money laundering, and more.

How Credential Stuffing Attacks Are Used to Exploit Your Reused Passwords

Credential stuffing is a technique where hackers use your stolen credentials to access some of your most valuable online accounts, like retail gift card accounts, travel and hospitality loyalty programs, and online banking accounts.

Shape Security defines credential stuffing as “the use of automation to test usernames and passwords stolen from one site on other sites with the intent of taking over a large set of accounts en masse.”

Credential stuffing attacks work by choosing a target site and analyzing the site’s login sequence and processes. Then, a hacker can either create an automated script or use configurable credential stuffing software to systematically test whether the stolen credentials successfully log in to the target site. To mask their activity, the hacker will rent botnets—networks of computers controlled by hackers using malware—or a list of proxy IP addresses to make it appear as if login attempts were coming from real users on various computers. Eventually, the hacker will be successful on some sites with some credentials and is able to take over those accounts and steal assets.

While the process may sound complicated on paper, hackers can easily launch an attack within a few hours.
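The automation described above leaves a recognizable footprint in a site’s login logs: one source trying many different usernames once or twice each, almost all of them failing. The following detection logic is an added example, not part of the original article or of any Dashlane product; the log format and the sample lines are constructed for illustration.

```python
"""Flag credential-stuffing patterns in a web app's login log (defensive
detection example). Stuffing tries a leaked list of *different* usernames
once or twice each; brute force hammers one username with many passwords."""
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed sample log, one login attempt per line: "<ip> <username> <result>"
SAMPLE_LOG = """
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol FAIL
203.0.113.7 dave FAIL
203.0.113.7 erin FAIL
203.0.113.7 frank OK
198.51.100.2 alice FAIL
198.51.100.2 alice FAIL
198.51.100.2 alice FAIL
198.51.100.2 alice FAIL
198.51.100.2 alice FAIL
192.0.2.10 carol OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def parse_log(text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.strip().splitlines():
        ip, user, result = line.split()
        stats[ip].attempts += 1
        stats[ip].users.add(user)
        if result != "OK":
            stats[ip].failures += 1
    return stats

def classify(s, min_attempts=5, min_fail_ratio=0.8):
    """Label one source: stuffing = many usernames, brute force = one username."""
    if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
        return "normal"
    if len(s.users) >= 0.8 * s.attempts:   # nearly every attempt is a new user
        return "credential_stuffing"
    if len(s.users) == 1:                   # one account, many passwords
        return "brute_force"
    return "suspicious"

def detect(text, **thresholds):
    return {ip: classify(s, **thresholds) for ip, s in parse_log(text).items()}
```

Because rented botnets and proxy lists spread the attempts across many IP addresses, the same aggregation should also be run site-wide per time window, where a sudden rise in failed logins against many distinct usernames still stands out even when each IP looks harmless.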

How successful are credential stuffing attacks?

Remember, in 2016 about 3.3 billion credentials were compromised in data breaches—1.5 billion alone coming from two separate Yahoo breaches.

According to Shape, compromised credentials from these massive data breaches were used to target websites in the retail, finance, travel, and government industries. Their report also noted that the success rate for credential stuffing attacks was between 0.1 percent and 2 percent. That means that if 1 million credentials were stolen from a website like LinkedIn and then used in a credential stuffing attack, a hacker would be able to access between 1,000 and 20,000 accounts. This number grows exponentially if those same credentials can be used to access other websites and applications.

What is the best way to protect your accounts from hackers using credential stuffing attacks?

The best way to protect your accounts and data from credential stuffing attacks is to immediately stop reusing the same passwords on multiple accounts. All your accounts—but especially accounts related to retail, finance, travel, and government—should be protected with strong, unique passwords. A strong password should have a minimum of 8 characters and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Here are some additional tips to help you get out of the habit of reusing passwords:

  • Use a password manager – If you’re having difficulty creating and managing long, complicated passwords, use a password manager like Dashlane! It has a built-in password generator to help you create strong passwords for new accounts, and in-app Security Alerts to notify you immediately when you need to change your passwords after a data breach. Another great feature is its Security Dashboard, which allows you to view all of the compromised, weak, reused, and old passwords that need to be updated.
  • Update passwords twice a year – Update your passwords twice a year, even if it’s a strong password. That’ll keep you one step ahead of hackers if a data breach isn’t reported until months, even years later.
  • Enable two-factor authentication – Enable two-factor authentication (2FA) on all online accounts, especially on highly targeted websites and apps like your social media and online banking accounts.
  • Enable login notifications – Enable login notifications via text or email to proactively monitor any suspicious account activity and login attempts.

Quit reusing weak passwords and download Dashlane! It’s free and will help you break bad password habits. Don’t forget about your work accounts! Protect your personal and work-related passwords with Dashlane Business! Try it free for 30 days!

    Malaika Nicholas

    Content & Community Manager at Dashlane