An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

News | Dec. 20, 2018

Cybersecurity: What is Credential Stuffing?

By Natalie Pittore, NSA/CSS Public Affairs Officer

It almost seems that a major data breach is happening every other week and there are dangers that result from this that the average internet user may not be aware of. One of these dangers is falling victim to a credential stuffing attack.

So what is a credential stuffing attack? First, a hacker acquires a large quantity of usernames and passwords, potentially from a previous attack or a website that publishes exfiltrated data, often found on the Dark Web. Then the hacker runs these stolen credentials through tools that enable the hacker to test them across multiple websites to see if the accounts match. So for instance, if your username and password is compromised from Company A-- who suffered a data breach-- and you use that same username and password to login to your social media account, then that account could also be in jeopardy. This means that not only is your information found in Company A’s networks at risk but the personal information, potentially including credit card numbers, bank accounts, social security numbers, etc., found in accounts that you use the same username/password combination for is also vulnerable. Scary, right?

So what can you do to help protect yourself from a credential stuffing attack? First, it’s important to pay attention to when major data breaches occur. If you have an account with a company that experiences a data breach, do not waste time in changing your password. If you use that same username and password combination for other accounts (don’t be embarrassed if you do… a lot of people do this for ease of access to their accounts), make sure to change those passwords as well. And while you are at it, use this as an opportunity to create unique username and password combinations for all your online accounts. It doesn’t hurt to leverage two factor authentication when possible which will provide you with additional protection in the event of a network attack. And if you have a lot of online accounts, which so many of us do nowadays, consider a password manager to help you keep track of your accesses.

Cybersecurity experts at the National Security Agency, along with our partners at Department of Homeland Security, share best practices that can help you protect yourself online. If you are interested in learning more about how to be more cybersecure, check out our article Best Practices for Keeping Your Home Network Secure.  Remember, it's all of our responsibility to protect our online information.

Looking for more information on cybersecurity? Check out NSA’s cybersecurity page, and