How Cybercriminals Exploit Stolen Credentials & What You Can Do About It.


When usernames and passwords are leaked or stolen (through data breaches, phishing, or malware), cybercriminals don’t just try them once—they launch automated, widespread attacks to see where else those credentials might work. 

This tactic is called credential stuffing, and it’s one of the most common ways accounts are hijacked today.
Side note: Here at RealTime we monitor MS 365 tenants and we see thousands of credential stuffing attempts every day from all over the planet.

Learn How Credential Stuffing Works Step-by-Step:

1. Criminals Obtain a Credential “Dump.”

They grab huge databases of stolen credentials from:

• Public breaches (e.g., LinkedIn, Dropbox, Facebook, Canva)

• Dark web marketplaces

• Paste sites (e.g., Pastebin)

• Telegram groups or hacking forums

Example: The "Collection #1" dump from 2019 contained about 773 million unique email addresses and roughly 1.16 billion unique email-and-password combinations. Just last month the news reported that 16 billion passwords had been leaked, although most were probably just recycled from prior dumps.

2. They Load the Data into a Tool.

You didn’t think they sat there and typed in the usernames and passwords one at a time, did you?

They use automated tools (like Sentry MBA, Snipr, OpenBullet, or custom scripts) to test credentials at scale.

These tools:

• Simulate logins to targeted websites (the top 100 or 1,000 sites, like Facebook, Amazon, Netflix, Disney, LinkedIn, Outlook, Yahoo, and all the ones you’ve heard of)

• Route the attempts through proxies and rotate IP addresses, so the traffic looks like it’s coming from all over the globe and no single address trips a block

• Test thousands of logins per minute

3. They Target Popular Services. The tools ship with ready-made login modules (“configs”) for specific sites:

• Email providers (Gmail, Outlook, and Yahoo) are especially popular

• Streaming services (Netflix, Spotify, Disney+, ESPN+). The working accounts are then sold online; you can buy a year of Netflix for $20.

• Online retailers (Amazon, Walmart)

• Banks and crypto exchanges

• Social media (Instagram, Facebook, TikTok)

• Gaming platforms (Steam, PlayStation, Xbox)

4. They Test the Credentials.

If any combination works on a target site, the tool flags it as a valid hit.

Criminals then:

• Log in and take over the account

• Sell the working login on a dark market

• Use it for identity theft, fraud, or money laundering

Real-World Examples:

• Credential Stuffing on Zoom: In 2020, over 500,000 Zoom accounts were found for sale after being tested using credentials leaked from other breaches.

https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/

• Spotify & Disney+: streaming platforms are constant targets.
Criminals test logins from previous breaches, take over accounts, and resell them on the cheap (e.g., "$1 for Disney+").

• Banking & Crypto.
Working banking or crypto logins are especially valuable. Attackers use credential stuffing to get into wallets and financial accounts and move funds quickly.


Why does credential stuffing work so well?

1. Password reuse: a tale as old as time itself. People reuse the same password across many sites.

2. Low cost: Credential stuffing tools are cheap, and computing power is easy to rent.

3. Low Risk, High reward: Even a 1% success rate on a million logins = 10,000 accounts compromised. Doesn’t hurt that cybercriminals are rarely caught, let alone prosecuted. 

How do you defend against this?

Simple. Follow the password guidelines in our Good Password Blog post.

SUMMARY:

• Use unique passwords for every site (password managers make this easy).

• Enable MFA (multi-factor authentication) to stop attackers even if they have your password.

• Monitor your credentials at Have I Been Pwned.

• Look for suspicious activity: Failed login alerts, password reset emails, new logins from unfamiliar locations.
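The "Monitor your credentials at Have I Been Pwned" bullet above can be automated. The Pwned Passwords service lets you check a password without ever sending it: you hash it with SHA-1, send only the first five hex characters of the hash, and the service returns every breached hash suffix sharing that prefix (a k-anonymity range query). The block below is an added example, not code from this blog or from Have I Been Pwned. It runs offline against a small constructed breach corpus (the three passwords and their counts are invented stand-ins for the real dataset) and also includes an uncalled `hibp_range_lookup` function showing the live request; the function names are this example's own.

```python
import hashlib
import urllib.request
from typing import Callable, Dict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach dataset: invented counts, three passwords.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 9659365,
    "123456": 37359195,
    "letmein": 112000,
}


def fake_range_lookup(prefix: str) -> str:
    """Offline imitation of GET /range/{prefix}: every breached hash whose
    first 5 hex characters match, returned as 'SUFFIX:COUNT' lines."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real service (needs network; not used below).
    Add-Padding asks the API to pad the response with zero-count suffixes so
    response size does not leak how many real matches the prefix has."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus.

    Only the 5-character prefix leaves the client; the remaining 35 characters
    are compared locally, so the service never learns which hash was checked.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)      # padded entries carry count 0
    return 0


if __name__ == "__main__":
    for pw in ("password", "xK9#vr!2 long unique passphrase"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

To use it for real, pass `range_lookup=hibp_range_lookup`; the matching logic is unchanged because the live response has exactly the format `fake_range_lookup` imitates. A non-zero count means the password is in the same dumps the stuffing tools are loaded from and should be retired everywhere it was used.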

BUSINESSES NEED TO BE A PART OF THE SOLUTION

• Use CAPTCHA, rate limiting, and IP reputation filtering

• Monitor for credential stuffing patterns (a surge of failed logins, many different usernames from one IP address, or many IP addresses each making only a few attempts)

• Implement bot detection tools (e.g., Cloudflare Bot Management)
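What "monitor for credential stuffing patterns" looks like in practice, as an added example that is not part of the original post: the script below runs over a constructed authentication log (the addresses, usernames and timestamps are made up, using documentation address ranges) and picks out three signals. A single address that fails against many different accounts is the unproxied tool from step 2; a success from such an address after that burst is the "valid hit" from step 4 and a takeover candidate; and many addresses each making only a couple of attempts, but together producing a spike of failures against many accounts, is the proxy-rotation pattern that per-IP rate limiting alone misses. The log format and thresholds are this example's own assumptions, not anything a particular product emits.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line: '<ISO timestamp> <ip> <user> OK|FAIL'."""
    ts, ip, user, result = line.split()
    return LoginEvent(ts, ip, user, result == "OK")


def analyze(events: List[LoginEvent],
            min_users_per_ip: int = 5,      # distinct accounts tried from one IP
            min_fail_ratio: float = 0.8,    # share of that IP's attempts that failed
            low_volume_max: int = 3,        # "a few attempts" per proxy address
            distributed_min_ips: int = 20,  # how many such addresses before alarm
            distributed_min_fails: int = 40) -> Dict[str, object]:
    """Events are assumed to be in time order and to cover one review window."""
    attempts: Dict[str, int] = defaultdict(int)
    fails: Dict[str, int] = defaultdict(int)
    failed_users: Dict[str, Set[str]] = defaultdict(set)
    hits: List[Tuple[str, str]] = []

    for e in events:
        attempts[e.ip] += 1
        if e.success:
            # A success from an address that already failed against many
            # different accounts is the tool's "valid hit": flag for takeover review.
            if len(failed_users[e.ip]) >= min_users_per_ip:
                hits.append((e.ip, e.user))
        else:
            fails[e.ip] += 1
            failed_users[e.ip].add(e.user)

    # Signal 1: one address, many accounts, almost all failures.
    stuffing_ips = sorted(
        ip for ip in attempts
        if len(failed_users[ip]) >= min_users_per_ip
        and fails[ip] / attempts[ip] >= min_fail_ratio
    )

    # Signal 3: rotated proxies. Each address stays under any per-IP limit,
    # so look at how many low-volume addresses are failing in aggregate.
    low_volume = [ip for ip in attempts
                  if attempts[ip] <= low_volume_max and fails[ip] > 0]
    low_volume_fails = sum(fails[ip] for ip in low_volume)
    distributed = (len(low_volume) >= distributed_min_ips
                   and low_volume_fails >= distributed_min_fails)

    return {
        "stuffing_ips": stuffing_ips,
        "hits": hits,
        "distributed": distributed,
        "low_volume_failing_ips": len(low_volume),
    }


def constructed_log() -> List[str]:
    """Constructed sample log covering one legitimate user and two attack shapes."""
    lines = [
        # A real user mistyping once from their usual address.
        "2025-07-01T08:00:00Z 198.51.100.7 bob@example.com FAIL",
        "2025-07-01T08:00:09Z 198.51.100.7 bob@example.com OK",
    ]
    # One tool instance without proxy rotation: eight accounts, then a hit.
    for i in range(8):
        lines.append(f"2025-07-01T08:01:{i:02d}Z 203.0.113.5 user{i}@example.com FAIL")
    lines.append("2025-07-01T08:01:08Z 203.0.113.5 carol@example.com OK")
    # The same tool behind rotating proxies: 25 addresses, two attempts each.
    for i in range(25):
        ip = f"192.0.2.{i + 10}"
        lines.append(f"2025-07-01T08:02:{i:02d}Z {ip} victim{2 * i}@example.com FAIL")
        lines.append(f"2025-07-01T08:02:{i:02d}Z {ip} victim{2 * i + 1}@example.com FAIL")
    return lines


def run() -> Dict[str, object]:
    return analyze([parse_line(line) for line in constructed_log()])


if __name__ == "__main__":
    print(run())
```

Bob's typo does not trip anything: one failed account from his address is nowhere near `min_users_per_ip`. On a production system the same counters would be kept over a sliding window and compared against a normal-hours baseline, and the `stuffing_ips` and `distributed` results would feed the rate limiting and CAPTCHA controls from the first bullet rather than a printout.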

 -END-
