Credential stuffing is a type of cyberattack in which malicious actors use leaked usernames and passwords to log in to accounts and services other than the one that was breached. The success of these attacks relies on the habit of reusing the same password for different accounts or services.
Therefore, if a password is leaked, attackers only need to try it on other sites where the user has an account: if it matches, they gain access without having to compromise the system itself. ESET, a leading company in proactive threat detection, analyzes what a credential stuffing attack looks like, why these attacks are so effective, what their consequences can be, and how to avoid them.

“Repeating passwords is like using the same key to open your house, car, office, and safe. Paying attention and managing passwords properly is as important as locking your front door. Simple habits can make a difference: avoiding password reuse, enabling two-factor authentication, and using a secure password manager are practices we need to incorporate to stay protected against these types of threats and many others”, says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Lab.
A credential stuffing attack begins with the cybercriminal obtaining leaked credentials. These come from data breaches at major, well-known companies and organizations, which expose millions of records. With this sensitive information in hand, and using bots or automated scripts, the attackers try these passwords on various sites, accounts, or services (such as Netflix, Gmail, banks, or social networks), testing thousands of logins per minute.
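The pattern described above, one source trying stolen credentials against many different accounts at high speed, is what a defender looks for in authentication logs. The following is an added example, not ESET's code, that runs a simple sliding-window detector over constructed log lines and separates credential stuffing (many usernames per source) from classic brute force (one username, many attempts); the log format, thresholds and IP addresses are assumptions.

```python
# Added example (not ESET's code). Assumed log format: "timestamp ip username result".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.7 tries many different
# usernames once each (stuffing); 198.51.100.9 hammers one account (brute force).
SAMPLE_LOG = """\
2025-06-01T10:00:00 203.0.113.7 alice FAIL
2025-06-01T10:00:01 203.0.113.7 bob FAIL
2025-06-01T10:00:02 203.0.113.7 carol FAIL
2025-06-01T10:00:03 203.0.113.7 dave FAIL
2025-06-01T10:00:04 203.0.113.7 erin OK
2025-06-01T10:00:05 203.0.113.7 frank FAIL
2025-06-01T10:00:30 198.51.100.9 alice FAIL
2025-06-01T10:00:31 198.51.100.9 alice FAIL
2025-06-01T10:00:32 198.51.100.9 alice FAIL
2025-06-01T10:00:33 198.51.100.9 alice FAIL
2025-06-01T10:00:34 198.51.100.9 alice FAIL
2025-06-01T10:05:00 192.0.2.44 grace FAIL
2025-06-01T10:05:10 192.0.2.44 grace OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=1), min_attempts=5, min_users=4):
    """Map each source IP with >= min_attempts logins inside one window to a finding.
    Bursts spanning >= min_users distinct usernames are credential_stuffing, else
    brute_force; `successes` lists accounts that logged in during the burst."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse_line(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window forward
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) < min_attempts:
                continue
            users = {u for _, u, _ in burst}
            found = {"kind": "credential_stuffing" if len(users) >= min_users else "brute_force",
                     "attempts": len(burst), "distinct_users": len(users),
                     "successes": sorted(u for _, u, r in burst if r == "OK")}
            if ip not in findings or found["attempts"] > findings[ip]["attempts"]:
                findings[ip] = found  # keep the densest burst seen for this source
    return findings
```

Accounts listed under `successes` for a credential_stuffing source are the ones to treat as likely taken over (force a password reset and revoke sessions), since a reused password evidently matched.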
To better understand the impact of these attacks, ESET reviews two specific cases that show how credential stuffing can compromise thousands of accounts.
• PayPal case: Between December 6 and 8, 2022, PayPal suffered a credential stuffing attack that compromised nearly 35,000 accounts, exposing sensitive information such as names, addresses, dates of birth, and tax identification numbers.
• Snowflake: More than 165 organizations were affected when attackers accessed Snowflake customer accounts using credentials stolen via infostealer malware. Although Snowflake’s infrastructure was not directly compromised, attackers took advantage of the lack of multi-factor authentication and the use of old passwords.
In June 2025, for example, a series of databases totaling 16 billion records was found in misconfigured repositories that were exposed and made public. Although the exposure was temporary, it was enough for researchers, or anyone else, to access the data, which included username and password combinations for online services such as Google, Facebook, Meta, Apple, and other accounts.
But it wasn’t the only breach of the year: in May, security researcher Jeremiah Fowler revealed the public exposure of 184 million login credentials for user accounts around the world. These included credentials for various email providers, Apple products, Google, Facebook, Instagram, Snapchat, and Roblox, to name just a few, as well as credentials for banks and other financial institutions, healthcare platforms, and government portals in several countries.
To prevent credential stuffing attacks, ESET recommends the following actions:
1. Essential: Do not reuse the same password across different accounts, platforms, and services.
2. Use strong, secure, and unique passwords for each account. A password manager makes this practical: it stores login credentials protected with encryption and includes a dedicated feature for generating complex, strong passwords.
3. Enable two-factor authentication on as many accounts and services as possible. The second factor is key if a password falls into the wrong hands, as the cyberattacker will not be able to access the accounts without it.
4. Check whether your passwords or login credentials have already been exposed in a data breach, for example on the website haveibeenpwned.com, and change them immediately if they have.