Deidre Frith

How Cybercriminals Exploit Stolen Credentials & What You Can Do About It.

When usernames and passwords are leaked or stolen (through data breaches, phishing, or malware), cybercriminals don’t just try them once—they launch automated, widespread attacks to see where else those credentials might work. 


This tactic is called credential stuffing, and it’s one of the most common ways accounts are hijacked today.
Side note: Here at RealTime we monitor MS 365 tenants and we see thousands of credential stuffing attempts every day from all over the planet.

Learn How Credential Stuffing Works Step-by-Step:

1. Criminals Obtain a Credential “Dump.”

They grab huge databases of stolen credentials from:

• Public breaches (e.g., LinkedIn, Dropbox, Facebook, Canva)

• Dark web marketplaces

• Paste sites (e.g., Pastebin)

• Telegram groups or hacking forums

Example: The "Collection #1" dump from January 2019 contained about 1.2 billion unique email-and-password combinations (roughly 773 million unique email addresses). Just last month the news reported that 16 billion passwords had been leaked, although most were probably recycled from prior dumps.

2. They Load the Data into a Tool.

You didn’t think they sat there and typed in the usernames and passwords one at a time, did you?

They use automated tools (like Sentry MBA, Snipr, OpenBullet, or custom scripts) to test credentials at scale.

These tools:

• Simulate logins to targeted websites (the top 100 or 1,000 sites: Facebook, Amazon, Netflix, Disney, LinkedIn, Outlook, Yahoo, and all the ones you’ve heard of)

• Hide their tracks by routing through proxies and rotating IP addresses, so the traffic looks like it comes from all over the globe rather than from one source.

• Can test thousands of logins per minute.

3. They Target Popular Services. The tools ship with ready-made "configs" for automated logins to specific sites:

• Email providers (Gmail, Outlook, and Yahoo) are especially popular

• Streaming services (Netflix, Spotify, Disney+, ESPN+). Hijacked accounts are then resold online; a year of Netflix can go for $20.

• Online retailers (Amazon, Walmart)

• Banks and crypto exchanges

• Social media (Instagram, Facebook, TikTok)

• Gaming platforms (Steam, PlayStation, Xbox)

4. They Test the Credentials.

If any combination works on a target site, the tool flags it as a valid hit.

Criminals then:

• Log in and take over the account

• Sell the working login on a dark market

• Use it for identity theft, fraud, or money laundering

Real-World Examples:

• Credential Stuffing on Zoom: In 2020, over 500,000 Zoom accounts were found for sale after being tested using credentials leaked from other breaches.

https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/

• Spotify & Disney+ Streaming platforms are constant targets.
Criminals test logins from previous breaches, take over accounts, and resell them on the cheap (e.g., "$1 for Disney+").

• Banking & Crypto.
Working banking or crypto logins are especially valuable. Attackers use credential stuffing to get into wallets and financial accounts and move funds quickly.


Why does credential stuffing work so well?

1. Password reuse: a tale as old as time itself. People reuse the same password across many sites.

2. Low cost: Credential stuffing tools are cheap, and computing power is easy to rent.

3. Low risk, high reward: Even a 1% success rate across a million logins is 10,000 compromised accounts. It doesn’t hurt that cybercriminals are rarely caught, let alone prosecuted.

How do you defend against this?

Simple. Follow our password guidelines in our Good Password Blog post.

SUMMARY:

• Use unique passwords for every site (password managers make this easy).

• Enable MFA (multi-factor authentication) to stop attackers even if they have your password.

• Monitor your credentials at Have I Been Pwned.

• Look for suspicious activity: Failed login alerts, password reset emails, new logins from unfamiliar locations.

BUSINESSES NEED TO BE A PART OF THE SOLUTION

• Use CAPTCHA, rate-limiting, and IP reputation filtering

• Monitor for credential stuffing patterns (many failed logins spread across many different accounts, from one address or from rotating addresses)

• Implement bot detection tools (e.g., Cloudflare Bot Management)
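The patterns the business checklist above describes can be hunted for directly in sign-in logs. The following Python is an added example written for this post; it is not RealTime’s monitoring tooling or code from the original article. The log records are constructed in a simplified Microsoft 365 / Entra sign-in shape, and the thresholds are assumptions to be tuned per tenant.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (JSON lines) in a simplified shape loosely
# modelled on a Microsoft 365 / Entra sign-in export. Made-up records, not real
# tenant data. Error 50126 is Entra's "invalid username or password" code.
SAMPLE_LOG = """\
{"time":"2025-07-01T02:00:01Z","user":"alice@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:02Z","user":"bob@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:03Z","user":"carol@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:04Z","user":"dave@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:05Z","user":"erin@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:06Z","user":"frank@example.com","ip":"203.0.113.10","status":"success","error":0}
{"time":"2025-07-01T02:00:07Z","user":"gina@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:08Z","user":"hank@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:00:09Z","user":"ivan@example.com","ip":"203.0.113.10","status":"failure","error":50126}
{"time":"2025-07-01T02:01:01Z","user":"alice@example.com","ip":"198.51.100.7","status":"failure","error":50126}
{"time":"2025-07-01T02:01:02Z","user":"judy@example.com","ip":"198.51.100.7","status":"failure","error":50126}
{"time":"2025-07-01T02:01:03Z","user":"kim@example.com","ip":"198.51.100.7","status":"failure","error":50126}
{"time":"2025-07-01T02:01:04Z","user":"leo@example.com","ip":"198.51.100.7","status":"failure","error":50126}
{"time":"2025-07-01T02:01:05Z","user":"mia@example.com","ip":"198.51.100.7","status":"failure","error":50126}
{"time":"2025-07-01T08:15:00Z","user":"alice@example.com","ip":"192.0.2.55","status":"failure","error":50126}
{"time":"2025-07-01T08:15:20Z","user":"alice@example.com","ip":"192.0.2.55","status":"success","error":0}
{"time":"2025-07-01T08:30:00Z","user":"gina@example.com","ip":"192.0.2.56","status":"success","error":0}
"""

# Detection thresholds: assumptions for this example, tune per tenant.
MIN_DISTINCT_USERS_PER_IP = 5   # one person rarely tries 5+ different accounts
MIN_FAILURE_RATIO = 0.8         # stuffing is mostly misses
MIN_FAILING_IPS_PER_USER = 3    # one account probed from many addresses


def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return stuffing-looking source IPs, the 'valid hits' they scored, and
    accounts being probed from many addresses."""
    by_ip = defaultdict(lambda: {"users": set(), "failures": 0, "total": 0, "successes": []})
    failing_ips_by_user = defaultdict(set)

    for ev in events:
        rec = by_ip[ev["ip"]]
        rec["users"].add(ev["user"])
        rec["total"] += 1
        if ev["status"] == "failure":
            rec["failures"] += 1
            failing_ips_by_user[ev["user"]].add(ev["ip"])
        else:
            rec["successes"].append(ev["user"])

    # Per-source view: one address cycling through many accounts, mostly failing.
    stuffing_ips = sorted(
        ip for ip, rec in by_ip.items()
        if len(rec["users"]) >= MIN_DISTINCT_USERS_PER_IP
        and rec["failures"] / rec["total"] >= MIN_FAILURE_RATIO
    )
    # A success from an address that is otherwise spraying failures is exactly
    # what a stuffing tool records as a "valid hit".
    valid_hits = sorted(
        (ip, user) for ip in stuffing_ips for user in by_ip[ip]["successes"]
    )
    # Per-account view: survives proxy rotation, which defeats per-IP counting.
    targeted_users = sorted(
        user for user, ips in failing_ips_by_user.items()
        if len(ips) >= MIN_FAILING_IPS_PER_USER
    )
    return {"stuffing_ips": stuffing_ips, "valid_hits": valid_hits,
            "targeted_users": targeted_users}


if __name__ == "__main__":
    report = analyze(parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two things worth noting about the design. Per-IP counting is exactly what the proxy rotation in step 2 is meant to defeat, so the per-account view (one account failing from several addresses) is kept alongside it even though it also fires on ordinary password spraying; the log alone cannot tell the two apart, because it never records the password tried. And a success from an address that is otherwise failing across many accounts is the "valid hit" from step 4: that account needs a password reset and its sessions and tokens revoked, not just an alert.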

 -END-

Deidre Frith

How to create & protect strong passwords.

Strong passwords make digital life harder for hackers and safer for you. Your passwords are the first line of defense for your online accounts. Here are some tips on how to create a great password.


1. Make It Long. At least 16 characters; more is better. I’ll often use 22-, 30-, even 60+-character passwords.

2. Make It Complex

An example of a complex password would be: %0YHVJ5apvbhOplYzJ8QVW

  • UPPER and lower case letters;

  • Numbers; and

  • Symbols (like % ! # @)

3. Passphrases work great, too.

An example of a passphrase password would be: Palfr!esmantisbees4
(This passphrase means: Pal fr!es mantis bees 4 — easier to remember and type, still super strong)

4. Make It Unique.
If you only take away one lesson, make it this one. Make your password unique and never reuse passwords. If one site is hacked, you’ll only need to change that single password. Same password everywhere? How many sites would you need to reset that password on?

See our blog post on what the bad guys do with all those stolen credentials, How Cybercriminals Use Stolen Credentials. You’ll see why #4 is vital to make a habit of.

5. Use a Password Manager

Store your passwords in a secure app. Trusted ones (as of now anyway) include:

  • 1Password

  • Bitwarden

  • LastPass

  • NordPass

  • Apple’s built-in Passwords app (great on iPhones/Macs)

  • Avoid sketchy or unknown free ones!

6. Enable Multi-Factor Authentication (MFA)

Add extra security with an authenticator app such as Google Authenticator, Microsoft Authenticator, Authy, or Duo Mobile, just to name a few. Many password managers will also act as an authenticator.

*If you don’t use an authenticator app, SMS/text codes are better than nothing, but app-based MFA is much safer and more convenient.
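Points 1 through 3 above (length, character classes, passphrase strength) and the Have I Been Pwned check recommended in the previous post can all be put into code. The Python below is an added example, not code from the original post or from Have I Been Pwned. The symbol set and the 7,776-word diceware list size are assumptions, generation uses the `secrets` module rather than `random`, and the Pwned Passwords range lookup runs against a constructed offline response (the breach count in it is made up) so no network call is made.

```python
import hashlib
import math
import secrets
import string

SYMBOLS = "%!#@$&*-_+=?"                                  # assumption: symbols most sites accept
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 74 characters
DICEWARE_WORDS = 7776                                      # size of a standard diceware list (6^5)


def random_password(length=22, alphabet=ALPHABET):
    """Generate a password with a CSPRNG. Re-draw until all four character
    classes are present so the result meets the UPPER/lower/number/symbol rule."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size=DICEWARE_WORDS):
    """Entropy of a passphrase of words drawn at random from a list. A hand-made
    phrase like the one above cannot be scored this way: only random draws count."""
    return words * math.log2(wordlist_size)


def hibp_split(password):
    """k-anonymity split used by Pwned Passwords: only the first 5 hex characters
    of the SHA-1 leave your machine; the 35-character suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range):
    """fetch_range(prefix) must return the body of GET /range/{prefix}: one
    'SUFFIX:COUNT' per line. Returns how many times the password was seen."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found, count = line.split(":", 1)
        if found == suffix:
            return int(count)
    return 0


# Constructed stand-in for the network call so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts are made up.
FAKE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
    ),
}


def offline_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    pw = random_password(22)
    print(pw, f"({random_bits(22):.1f} bits)")
    print(f"5 random diceware words: {passphrase_bits(5):.1f} bits")
    print("'password' seen in breaches:", pwned_count("password", offline_fetch_range))
    print("fresh password seen in breaches:", pwned_count(pw, offline_fetch_range))
```

A 22-character random draw from this 74-character alphabet is about 137 bits, which is why length matters more than any single rule about symbols. The range lookup is the mechanism behind "monitor your credentials at Have I Been Pwned": a password manager or login form can check for a breached password without ever sending the password, or even its full hash, to the service.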

-END-

Deidre Frith

Beware of Tax-Themed Phishing

As Tax Day in the U.S. approaches, Microsoft has observed a surge in phishing campaigns that use tax-related themes to steal credentials and deploy malware. The campaigns use a variety of redirection techniques (URL shorteners, QR codes in attachments, and legitimate services such as file-hosting platforms and business profile pages) to evade detection, and Microsoft found that many of them end in credential-harvesting pages or malware payloads.

Several campaigns launched since February 2025 have targeted U.S. users with tax-themed emails carrying PDF attachments; the links embedded in the PDFs run through a chain of redirects that eventually lands on fake DocuSign pages. Scary!

These campaigns highlight the continued effectiveness of social engineering during seasonal events like tax season. Threat actors are increasingly using multilayered approaches—combining social trust-building, obfuscated file attachments, redirect chains, and abuse of legitimate platforms—to bypass detection and increase user interaction.

Remain vigilant looking for suspect emails and question everything!

WHAT CAN I DO TO PROTECT MYSELF?

  • Protect your personal and business information on social media. Stop oversharing and be certain MFA is turned on.

  • Filter unsolicited communication and identify lure links in phishing emails.

  • Use multifactor authentication (MFA) on all accounts on all devices in all locations at all times.

  • Use Microsoft Edge to identify and block malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.

  • Check the address bar after clicking a link in search results or email to confirm you have arrived at the legitimate domain you expected.
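"Identify lure links" is something you can partly automate before a message ever reaches a person. The following Python is an added example for this post, not Microsoft’s guidance or code from the original article. It pulls every link out of a constructed phishing email and flags the tricks described above: shortener hosts, a brand name planted in a hostname the brand does not own, raw IP addresses, punycode labels, and visible link text that names a different site than the link actually goes to. The shortener list and the brand-to-domain map are small assumptions for the example, and the registrable-domain logic is deliberately naive (last two labels); production code would use the Public Suffix List and maintained feeds.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: a tiny shortener list and a map of brand keywords
# to the domain that legitimately owns them.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
BRAND_DOMAINS = {"docusign": "docusign.com", "irs": "irs.gov", "microsoft": "microsoft.com"}

# Constructed phishing email body, modelled on the tax-themed lures described above.
SAMPLE_EMAIL = """
<p>Your 2024 tax document is ready for e-signature.</p>
<a href="https://bit.ly/3abc-tax">View your tax document</a><br>
<a href="https://www.docusign.com.tax-review.example/sign">https://www.docusign.com/</a><br>
<a href="http://198.51.100.23/login">Secure Portal</a><br>
<a href="https://www.irs.gov/refunds">irs.gov</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .com/.gov, wrong for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text):
    """Return the reasons a link looks like a lure; an empty list means clean."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no hostname in href"]
    if is_ip(host):
        reasons.append("raw IP address instead of a domain")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    domain = registrable_domain(host)
    for brand, owner in BRAND_DOMAINS.items():
        if brand in host and domain != owner:
            reasons.append(f"'{brand}' appears in hostname but domain is {domain}, not {owner}")
    # Visible text that itself looks like a URL should agree with the real href.
    shown = text if "://" in text else ("https://" + text if "." in text and " " not in text else "")
    shown_host = (urlparse(shown).hostname or "").lower() if shown else ""
    if shown_host and registrable_domain(shown_host) != domain:
        reasons.append(f"displayed {shown_host} but href goes to {host}")
    return reasons


def scan_email(html):
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "looks clean")
```

The substring brand check is intentionally greedy (it would also fire on an innocent hostname that happens to contain "irs"), which is the right trade-off for a mail filter that quarantines for human review; the same logic applied to the destination of a QR code or a shortener expansion catches the redirect chains the campaign relies on.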

Deidre Frith (IT, I.T.)

Is it Elon or AI? Nomani is here!

The tactic is called Nomani (yeah, that’s “no money”) and combines AI video, malicious ads on social media and email phishing. It started spiking May 2024 and grew 335% by the second half of the year. From May to November, ESET Cybersecurity says they blocked about 100 new scam URLs a day, adding up to 8,500 sites.

STOP! DO NOT GIVE THEM YOUR MONEY!

Cybercriminals love AI. A new deepfake scam is spreading on social media. Many people have lost millions to it. Here are the details to help you avoid becoming a victim.

I HATE TO BREAK IT TO YOU…IT’S NOT ELON.

The video features a celebrity or politician (think Elon Musk, etc.) promoting a cryptocurrency investment on social media platforms like YouTube or Facebook. These videos may look like news segments or exclusive interviews and often involve a recognizable figure. The accounts sharing this content usually have many followers and use eye-catching graphics to attract viewers, claiming huge profits with no risk. If you click on their websites, you might just be sharing your information with a scam artist. In the worst case, the site could contain malware that steals your money or personal information.

IT GETS NASTIER…

Most of these tricks end with an “investment manager” calling to walk you through the process of transferring all your hard-earned money right to them. They pretend they’re helping you put it into a crypto investment account. Nope.

If you’ve already fallen for Nomani, you’re at even more risk. Scammers are going after victims a second time, pretending to be law enforcement trying to help recover your lost funds. Just awful.

KNOW THE RED FLAGS

Even if you think, “This could never happen to me,” read this list and store these tidbits away. They could save you someday.

  • Hey, that’s blurry: Deepfake videos are often in low resolution to hide glitches. If your internet connection is just fine and other videos are clear, move on.

  • What if the video quality is OK? Look for strange speech patterns, unnatural breathing, poorly synced audio and video, jerky body movements, and robotic-sounding dialogue.

  • Don’t click: They want to get you off social media and over to their website to plant malware. Solid antivirus software can spot malware tricks you can’t.

  • High pressure: If an ad says you can double your money by doing nothing, your scam radar should be going off!! No legitimate investment opportunity is urgent. When they pull out the pressure tactics, move on.

No matter the form, get-rich-quick schemes end one way: With less money and more regret than you started with. You have to be smart!

Deidre Frith (scams, IT, I.T., Social Media)

TOP 3 SCAMS TO RUIN YOUR HOLIDAYS

With more and more people engaging in online shopping during the holidays, the criminals are making it harder to spot a scam. Now, fake shipping notices, gift card scams, and online social media ads are just a few of the deceptive ways they are trying to ruin your holiday.

SCAM ONE: FAKE SHIPPING NOTICES

With more and more people engaging in online shopping, fake shipping notices can be increasingly difficult for consumers to identify. These deceptive messages often arrive through various channels, including text messages and emails, making them particularly aggravating and challenging to recognize. This type of scam is particularly effective during the holiday season when so many individuals are eagerly awaiting their deliveries. However, if you pay close attention and observe the details, you will notice that they all tend to follow the same predictable script. Here are signs of a fake shipping scam:

  • Generates a Sense of Urgency

    • Usually they will tell you your package is delayed (for some reason) and offer the opportunity to take care of it by clicking the link they have helpfully included in their message. Here is an example (minus their scam website) I pulled off my phone: “U.S. Customs: You have a USPS parcel being cleared, due to the detection of an invalid zip code address, the parcel can not be cleared, the parcel is temporarily detained, please confirm the zip code address information in the link within 24 hours.”

  • Unsolicited Message

    • If you have ordered items for the holidays, you may worry that this text/email is a legitimate notice of a failed delivery. Stop and do not click the link. Instead, go directly to the retailer you ordered from and check the shipping status there. Don’t engage with the unsolicited message.

  • Threat of some “bad outcome” if you do nothing.

  • Putting a time limit, trying to force you to act quickly.

  • The web address is usually a random-looking one that doesn’t match the supposed sender.

SCAM TWO: GIFT CARD SCAMS

This one is easy! Anyone emailing or texting you to buy gift cards and send them the numbers off the back of the card is scamming you. Guaranteed. More info from the FTC: https://consumer.ftc.gov/articles/avoiding-and-reporting-gift-card-scams

SCAM THREE: SOCIAL MEDIA ADS

Finally, my least favorite category of online content: the ever-popular misleading social media ads. We’ve all seen thousands of these ads to the point where I truly hope we’ve developed a certain immunity to their allure, but there must be people out there who are still clicking on these enticing offers. An honorable mention in this realm would certainly be Wish, Temu, and Shein. The only guarantees with these platforms seem to be that what you see in their advertisements is often not what you actually end up receiving.

FOR MORE INFORMATION ON SCAMS, VISIT THE FTC LINKS BELOW:

https://consumer.ftc.gov/consumer-alerts/2023/12/fake-shipping-notification-emails-and-text-messages-what-you-need-know-holiday-season

https://consumer.ftc.gov/articles/avoiding-and-reporting-gift-card-scams
