Definition

Credential Stuffing (also known as Account Takeover, or ATO) is an automated brute-force hacking technique in which an attacker uses scripts to try to gain access to a website, service or database, using data gathered from historic data breaches and custom-built word lists.

Hackers are continually searching for or buying login information with decrypted passwords from data breaches. This attack is so successful because the chances of general internet users reusing the same poor-quality passwords across multiple websites and services are very high.

Method

Once they identify a target, hackers will use tools like Snipr, Sentry MBA or STORM to fire the credential combinations in a very high-frequency, automated bulk attack. Once they discover successful login combinations, they can take over the account and control the use of those services, allowing them to pretend to be that person and access any stored credit card numbers and other personal information.

Protection

The best safeguard against credential stuffing/ATO attacks is relatively simple: use strong, unique passwords (ideally generated by and stored in a good password manager), and deploy Two-Factor Authentication (2FA) on all accounts that support it.
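On the service side, the high-frequency, many-account pattern described under Method is what makes this attack detectable in login logs: one source tries many distinct accounts and almost every attempt fails. The following is an added example, not code from the original page; the log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed log format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_users=10, min_fail_ratio=0.9):
    """Flag source IPs that try many distinct accounts in a short window
    with a high failure ratio. Returns {ip: [accounts that logged in
    successfully while the IP was flagged]}; those accounts need a
    forced password reset and session revocation."""
    recent = defaultdict(deque)      # ip -> events inside the sliding window
    flagged = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        # Many *different* accounts, nearly all failing: stuffing rather
        # than one user mistyping a password on their own account.
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged.setdefault(ip, set()).update(u for _, u, o in q if o)
    return {ip: sorted(hit) for ip, hit in flagged.items()}

def constructed_sample():
    """Constructed log lines (documentation IP ranges, made-up users)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Automated source: 30 different accounts in 30 seconds, one valid pair.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{ts} 198.51.100.7 user{i:02d} {result}")
    # Ordinary user: mistypes their own password twice, then logs in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 carol {result}")
    return lines

if __name__ == "__main__":
    print(detect_stuffing(constructed_sample()))
```

A per-IP rule like this misses attempts spread across many source addresses, so the same counting is usually repeated on other keys such as client fingerprint or network block.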