You know what credential stuffing is. It’s a common cyberattack method in which attackers use lists of compromised user credentials to breach systems. These systems could be anything from Amazon.com, PayPal, Netflix, Gmail or other popular online services to retailers, food outlets, sports shops and so on.

A cybercriminal tries to access someone’s account by deploying stolen usernames and passwords. They may buy hundreds of thousands of stolen ID credentials from the dark web and, using special software and powerful computers, carry out a game of chance at cyber speed across hundreds and thousands of online services.

New York attorney general Letitia James has now tried to put a figure on stolen credentials, albeit with a US focus.
  • Her office spent months monitoring online communities dedicated to credential stuffing and found thousands of posts that contained customer login credentials that hackers had tested for attacks.
  • From those posts, New York state officials compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains and food delivery services.
  • James said more than 15 billion stolen credentials are currently in circulation, putting those users’ personal information “in jeopardy.”
Of course the problem, and nearly everyone does it, is the use of the same passwords across multiple sites. Hackers take advantage of this with credential-stuffing attacks.
  • Industry estimates put the success rate of credential stuffing attacks at between 1% and 3%.
This is clearly low, but if Letitia James’s figure of 15 billion stolen credentials is correct and only 1% of attacks are successful, that’s still 150 million successful attacks. And let’s not forget it’s also 150 million individual tales of trouble and pain.

Clearly the right thing to do is to have a different password for each account, but how impractical is this? Very. A password manager is the answer. It allows you to store, generate, and manage passwords for all the online services you use. There are plenty to choose from.