In a credential stuffing attack, cybercriminals turn to the dark web to purchase previously stolen usernames and passwords. They then make repeated attempts with automated tools to “stuff” the login fields of other websites with the credentials to gain access to accounts held by corporate users or customers. When a “stuffing” attempt is successful, the attacker uses the account for fraudulent purposes. There’s typically a 1 to 2 percent success rate, which means that if a cybercriminal purchases 1 million stolen credential records (for sale on the dark web for fractions of a cent each), they can generally gain access to 10,000 to 20,000 accounts.
These attacks wouldn’t be successful if people used different usernames and passwords for each site or application they access. Instead of taking the time and energy to craft unique credentials for each of their many accounts, nearly three out of four users reuse and recycle credentials across accounts.