
“Credential Stuffing” Attacks Due to Rampant Password Reuse Pose a Costly Threat to Business and Their Customers. Here’s What Your Company Can Do.


By Robert M. Horwitz

Millions of people have used the service 23andMe to learn about their ancestry, family history, and genetics. This information is as personal as it is insightful. But as thousands of 23andMe customers recently learned, they were not the only ones benefiting from it. As the site announced in October 2023, hackers accessed those customers’ accounts using the customers’ legitimate passwords and subsequently posted personal data such as name, gender, birth year, location, photos, and shared genetic markers on the dark web.

This example of a “credential stuffing” attack – a tactic in which hackers use a stolen password for one online account to access the person’s other accounts that use the same password – represents a significant cybersecurity threat for companies requiring clients, customers, or employees to use passwords. Two things make this problem particularly challenging for businesses: the number of people who reuse their passwords for multiple accounts, and the fact that even the most robust cybersecurity programs may have a hard time preventing hackers from accessing an account because the hackers are using legitimate credentials.

However, given the steep financial, legal, and reputational costs and disruptions that follow a data breach, businesses need to take affirmative steps to reduce the threat of credential stuffing and secure their customer information. 

Reused Passwords Are Like a Skeleton Key for Hackers

Think about the extent of your online life. Consider every email account, every bill you pay, every banking and credit card account, every online store, every social media site, every travel booking site, every online magazine, and all other business and personal activities you engage in on the internet. Now, think about all the passwords you must create and enter to access these accounts. According to one study, people who spent time online in 2022 had an average of 70 to 80 passwords. Keeping track of scores of passwords is cognitively and practically overwhelming for most individuals, which is why, according to one survey, 62% of people always or mostly use the same password or a variation for multiple accounts – even though they know the risk involved in password reuse. 

That risk isn’t hard to understand. A reused password is like a skeleton key for hackers or other online bad actors; once they figure out a person’s password for one site, it can open the door to all the other accounts and sites – and the valuable personal and financial information they contain – for which the person uses the same password. 

Billions of Attacks Causing Billions in Losses 

According to a recent study, over 15 billion stolen passwords and other login credentials are circulating online. This massive cache of pilfered credentials has fueled an equally massive rise in credential stuffing attacks. According to one content delivery network, there were more than 193 billion credential stuffing attacks in 2020 alone. 

These attacks are enormously costly for businesses and consumers alike. The Ponemon Institute’s Cost of Credential Stuffing report concluded that credential stuffing costs companies an average of $6 million each year in the form of lost customers, increased costs, and system downtime.

While businesses of every size in every industry are vulnerable to credential stuffing, certain sectors are particularly attractive to, and frequently targeted by, bad actors, most notably the financial industry. According to Security Intelligence, the financial services sector suffered $3.4 billion in losses in 2020 due to credential stuffing attacks. Other industries that find themselves in the crosshairs of such attackers include:

  • Retail.
  • Healthcare.
  • eCommerce.
  • Entertainment.
  • Energy.
  • Education.
  • Software.
  • SaaS (Security as a Service).

What Businesses Can Do To Protect Themselves and Customers From Credential Stuffing

As insidious and ubiquitous as credential stuffing attacks are, businesses can still take effective steps to prevent, detect, and remediate breaches that result from such efforts. In 2022, the New York Attorney General’s Office issued a report on credential stuffing with detailed recommendations for businesses about how to minimize and mitigate the risk of credential stuffing. These suggestions include:

  • Implementing a bot detection system.
  • Requiring multifactor authentication.
  • Using passwordless authentication.
  • Using web application firewalls.
  • Limiting customer login attempts.
  • Monitoring customer activity and reports of fraud.
  • Notifying customers of unusual account activity.
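
Why a per-account login limit alone misses this attack, and what monitoring by source adds, can be shown on a few constructed log lines. This is an added example, not part of the original article or the Attorney General's report; the event format, thresholds, and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
# IPs come from documentation ranges; usernames are made up.
EVENTS = [
    (1000, "198.51.100.7", "alice", False),
    (1002, "198.51.100.7", "bob", False),
    (1003, "198.51.100.7", "carol", True),   # reused password worked
    (1005, "198.51.100.7", "dave", False),
    (1006, "198.51.100.7", "erin", False),
    (1008, "198.51.100.7", "frank", False),
    (1010, "203.0.113.20", "grace", False),  # real customer mistyping
    (1015, "203.0.113.20", "grace", False),
    (1021, "203.0.113.20", "grace", True),
]

def accounts_locked(events, max_failures=3):
    """Per-account limit: lock after N consecutive failures on one username."""
    streak, locked = defaultdict(int), set()
    for _, _, user, ok in sorted(events):
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= max_failures:
            locked.add(user)
    return locked

def stuffing_sources(events, window=60, min_users=5):
    """Flag sources that try many distinct usernames within `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:
                start += 1
            users = {u for _, u, _ in rows[start:end + 1]}
            if len(users) >= min_users:
                # Accounts this source logged into need a reset and a notice.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    print("locked by per-account limit:", accounts_locked(EVENTS))
    print("flagged sources -> accounts to notify:", stuffing_sources(EVENTS))
```

Each stuffed account is tried only once, so the per-account counter never trips, while the per-source view flags the sweep and names the account that needs a password reset and a customer notice. Attackers who spread attempts across many addresses evade this single signal, which is why the list pairs login limits with bot detection and multifactor authentication.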

As we begin the new year, adopting proactive measures to prevent credential stuffing attacks should be on every business’s resolution list. If you have questions or would like to learn more about this issue, please contact Rob Horwitz at Maddin Hauser.