Credential stuffing: the risk of repeating passwords and how to protect yourself
ESET warns that if the same password is used across multiple accounts and services, you may be a victim of credential stuffing, and shares information on how it works and how to protect yourself
Credential stuffing is a type of cyberattack in which malicious actors take usernames and passwords leaked from one service and try them against accounts on other services. The attack works because people reuse the same password across accounts: once a password is leaked, attackers only need to replay it on other sites where the user has an account, and wherever the pair matches they get in without having to break into the target system at all. ESET, a leading company in proactive threat detection, analyzes what a credential stuffing attack looks like, why these attacks are so effective, what their consequences can be, and how to avoid them.
“Repeating passwords is like using the same key to open your house, car, office, and safe. Paying attention and managing passwords properly is as important as locking your front door. Simple habits can make a difference: avoiding password reuse, enabling two-factor authentication, and using a secure password manager are practices we need to incorporate to stay protected against this type of threat and many others,” says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Lab.
A credential stuffing attack starts when a cybercriminal obtains leaked credentials. These usually come from data breaches at large, well-known companies and organizations, which can expose millions of records at a time.
With this data in hand, attackers use bots or automated scripts to test the username and password pairs against many different sites, accounts, and services (Netflix, Gmail, banks, social networks, among others), at a rate of thousands of login attempts per minute.
Whenever a pair matches, the attacker logs in. That login uses exactly the same credentials the legitimate user would, so it looks like normal activity and is hard to distinguish. The many failed attempts are spread across thousands of different accounts rather than concentrated on one, so each account sees only one or two failures and per-account lockout rules often never trigger.
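The point above has a detection-side consequence: per-account failure counters miss credential stuffing, but the source of the attempts still stands out, because a single origin tries many distinct usernames with a high failure rate. The following is an added example, not code from ESET or from the original article, that runs this two-level check over a small, constructed authentication log; the log format, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
"""
Detection-side illustration of credential stuffing: each target account sees
at most one or two attempts, so a per-account lockout never fires, but the
source IP shows many distinct usernames with a high failure ratio.
Log format, thresholds and sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source cycling through many accounts,
# one legitimate user who mistypes a password twice, and a normal login.
SAMPLE_LOG = """\
2025-06-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-06-12T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2025-06-12T10:00:02Z src=203.0.113.7 user=carol result=OK
2025-06-12T10:00:02Z src=203.0.113.7 user=dave result=FAIL
2025-06-12T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2025-06-12T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2025-06-12T10:00:04Z src=203.0.113.7 user=grace result=OK
2025-06-12T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2025-06-12T10:00:05Z src=203.0.113.7 user=ivan result=FAIL
2025-06-12T10:00:05Z src=203.0.113.7 user=judy result=FAIL
2025-06-12T10:01:10Z src=198.51.100.20 user=mallory result=FAIL
2025-06-12T10:01:25Z src=198.51.100.20 user=mallory result=FAIL
2025-06-12T10:01:40Z src=198.51.100.20 user=mallory result=OK
2025-06-12T10:02:00Z src=192.0.2.55 user=alice result=OK
"""

PER_ACCOUNT_LOCKOUT = 5   # typical "5 failures lock the account" rule
MIN_DISTINCT_USERS = 8    # assumed threshold for the source-level rule
MIN_FAILURE_RATIO = 0.5   # assumed threshold for the source-level rule


@dataclass
class SourceStats:
    users: set = field(default_factory=set)     # distinct usernames tried
    ok_users: set = field(default_factory=set)  # usernames that logged in
    fails: int = 0
    oks: int = 0


def parse(log_text):
    """Yield (src, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["src"], m["user"], m["result"]


def analyze(log_text):
    """Return (locked_accounts, suspicious_sources).

    locked_accounts: accounts whose failures reached PER_ACCOUNT_LOCKOUT.
    suspicious_sources: {src: set of accounts it successfully logged into}
    for sources that tried many distinct users with a high failure ratio.
    """
    per_account_fails = defaultdict(int)
    per_source = defaultdict(SourceStats)
    for src, user, result in parse(log_text):
        s = per_source[src]
        s.users.add(user)
        if result == "FAIL":
            s.fails += 1
            per_account_fails[user] += 1
        else:
            s.oks += 1
            s.ok_users.add(user)

    locked = {u for u, n in per_account_fails.items() if n >= PER_ACCOUNT_LOCKOUT}
    suspicious = {}
    for src, s in per_source.items():
        total = s.fails + s.oks
        ratio = s.fails / total if total else 0.0
        if len(s.users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
            suspicious[src] = set(s.ok_users)
    return locked, suspicious


if __name__ == "__main__":
    locked, suspicious = analyze(SAMPLE_LOG)
    print("per-account lockouts:", sorted(locked) or "none")
    for src, hits in suspicious.items():
        print(f"stuffing source {src}: accounts it got into: {sorted(hits)}")
```

On the constructed log the per-account rule fires for nobody, while the source rule flags 203.0.113.7 and, more usefully, lists the accounts it actually got into, which are the ones to force a password reset on. Real campaigns spread attempts across proxy and residential IP pools precisely to stay under per-source thresholds, so in practice this signal is combined with others (login velocity per ASN, device fingerprint reuse, failure spikes across the whole tenant).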
To better understand the impact of these attacks, ESET reviews two specific cases that show how credential stuffing can compromise thousands of accounts
- PayPal case: Between December 6 and 8, 2022, PayPal suffered a credential stuffing attack that compromised nearly 35,000 accounts, exposing sensitive information such as names, addresses, dates of birth, and tax identification numbers.
- Snowflake: More than 165 organizations were affected when attackers accessed Snowflake customer environments using credentials stolen by infostealer malware. Although Snowflake’s own infrastructure was not compromised, the attackers took advantage of the lack of multi-factor authentication and of credentials that had been stolen long before but never rotated.
“Large data breaches are the primary way cybercriminals obtain these credentials, and they are occurring more frequently than expected,” adds the ESET specialist.
Another example came in June 2025: a set of databases totaling 16 billion records was found in misconfigured, publicly exposed repositories. Although the exposure was temporary, it was long enough for researchers, or anyone else, to access the data, which included username and password combinations for online services such as Google, Facebook, Meta, Apple, and others.
It wasn’t the only one of the year: in May, security researcher Jeremiah Fowler revealed the public exposure of 184 million login credentials for user accounts around the world. These included credentials for various email providers, Apple products, Google, Facebook, Instagram, Snapchat, and Roblox, to name only the best known, as well as credentials for banks and other financial institutions, healthcare platforms, and government portals in several countries.
To avoid a credential stuffing attack, ESET recommends several actions
- Essential: Do not reuse the same password across different accounts, platforms, and services.
- Use strong, unique passwords for each account. A password manager is very useful here: it stores login credentials protected by encryption and includes a built-in generator for long, random passwords.
- Enable two-factor authentication on as many accounts and services as possible. This second factor is key if a password falls into the wrong hands, since a leaked password alone is then not enough to log in.
- Check whether your passwords or login credentials have already appeared in a data breach, and change them immediately if so. For example, haveibeenpwned.com lets you check both an email address and individual passwords.
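The password check in the last recommendation can be automated without ever sending the password itself to anyone: the Pwned Passwords service behind haveibeenpwned.com uses a k-anonymity range query, in which the client sends only the first five hex characters of the password’s SHA-1 hash to `https://api.pwnedpasswords.com/range/<prefix>` and receives every known hash suffix with that prefix together with a count. The following is an added example, not code from ESET or from the original article; the range response it parses is constructed so the example runs offline, and the breach counts in it are illustrative rather than real figures.

```python
"""
Client-side leaked-password check using the k-anonymity range protocol of
the Pwned Passwords API (haveibeenpwned.com). Only a 5-character hash
prefix leaves the machine; matching is done locally on the returned suffixes.
The sample range response below is constructed so this runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    seen = {}
    for line in response_text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            seen[suffix] = int(count)
    return seen


def breach_count(password, response_text):
    """Times the password appears in the corpus covered by this range (0 if absent)."""
    _, suffix = split_hash(password)
    return parse_range(response_text).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup of one range (needs network access; not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "cred-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to GET /range/5BAA6, the prefix of
# sha1("password"). The suffixes other than the third and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        if prefix != "5BAA6":
            print(f"{pw!r}: prefix {prefix}, no offline range in this demo "
                  f"(a live check would call fetch_range({prefix!r}))")
            continue
        n = breach_count(pw, SAMPLE_RANGE_5BAA6)
        print(f"{pw!r}: prefix {prefix}, seen {n} times -> {'REJECT' if n else 'ok'}")
```

A registration or password-change form that rejects any password with a non-zero count removes exactly the passwords a credential stuffing list is built from. Note that the suffix comparison happens on the client, so the service never learns which of the several hundred candidate hashes in the range, if any, was the user’s.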
ESET invites you to learn more about computer security by visiting: https://www.welivesecurity.com/es/.
Further preventive information is also available for Venezuela at https://www.eset.com/ve/ and on its social media channels (@eset_ve), as well as on Instagram (@esetla) and Facebook (ESET).
With information and main image provided by ESET and Comstat Rowland