Leaked Passwords and Credential Stuffing: How Your Accounts Are Taken Over After a Data Breach

Quick answer: Every year many sites and services suffer a data breach, and users' email addresses and passwords end up in attackers' hands. The leaked data circulates on the internet and the dark web in large combined lists. The real danger starts there, because most people use the same password in more than one place. Attackers use automated tools to take the email and password pairs leaked from one site and try them on other sites (bank, email, social media); this is called credential stuffing. Wherever a pair still works, they are in your account. So a password leaked in one place threatens every place you used the same password. Protection is three steps: use a unique password on every account (with a password manager), turn on two factor authentication (2FA), and where possible move to passkeys, which replace the password altogether.

Most people think security means choosing one strong password, but the real problem is not the strength of the password but reusing it. We covered the general framework of password, two factor authentication and passkey security in password, 2FA and passkey security, NIST and FIDO. This article focuses specifically on how leaked passwords and credential stuffing work, that is, how accounts are actually taken over.

Where and how passwords leak

The source of a leaked password is often not your mistake. A site or service you signed up to suffers a data breach, and the user records in its database (email addresses and passwords, or password hashes that are later cracked) end up in attackers' hands. These breaches happen constantly, from small forums to large platforms.

This leaked information does not disappear. Attackers collect it, combine it with earlier leaks and share or sell it on the internet in large lists, often called combolists. Today billions of leaked email and password pairs are in circulation. There are services where you can check whether your email address has appeared in a known breach, and most people who check are surprised to find their address in more than one.

Credential stuffing, how the attack works

A leaked list is dangerous on its own, but the real damage comes with credential stuffing. The attacker is counting on one thing: people reuse the same password in many places. So they take the email and password pairs leaked from one site and try them on other sites with automated tools.

The trying is done not by hand but by bots that can make thousands of attempts per second, usually spread across proxy networks so that no single IP address stands out to rate limiting or blocking. The bot works through the leaked list against a bank login page, an email service, social media and an e-commerce site. Wherever you used the same password, the bot gets in and your account is taken over. The attack is cheap and it scales: even a hit rate of a fraction of a percent pays off, because the attacker is not trying one person but millions of pairs at once.
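What this looks like from the defender's side, as an added example that is not part of the original article: a small Node.js script that parses constructed login-log lines (the `ip=... user=... result=...` format and the thresholds are assumptions for the example) and flags sources that touch many different accounts with almost nothing but failures. It also counts accounts that saw only failures across all sources, because a bot behind a proxy pool keeps every individual IP address under the per-IP threshold.

```javascript
// Added example: spotting credential stuffing in authentication logs.
// A stuffing bot tries many *different* accounts from a source and almost all
// attempts fail; a human who forgot a password retries one account a few times.
// Log format and thresholds are assumptions; the lines are constructed, not real traffic.
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z ip=203.0.113.7 user=ayse@example.com result=fail',
  '2024-05-01T10:00:01Z ip=203.0.113.7 user=mehmet@example.com result=fail',
  '2024-05-01T10:00:02Z ip=203.0.113.7 user=zeynep@example.com result=fail',
  '2024-05-01T10:00:02Z ip=203.0.113.7 user=can@example.com result=ok',   // a reused password hit
  '2024-05-01T10:00:02Z ip=203.0.113.7 user=elif@example.com result=fail',
  '2024-05-01T10:00:03Z ip=203.0.113.7 user=burak@example.com result=fail',
  '2024-05-01T10:00:05Z ip=198.51.100.20 user=deniz@example.com result=fail', // legitimate user, typos
  '2024-05-01T10:00:20Z ip=198.51.100.20 user=deniz@example.com result=fail',
  '2024-05-01T10:00:41Z ip=198.51.100.20 user=deniz@example.com result=ok',
  '2024-05-01T10:01:00Z ip=192.0.2.9 user=ali@example.com result=fail',      // same bot, proxy pool:
  '2024-05-01T10:01:00Z ip=192.0.2.10 user=selin@example.com result=fail',   // one account per IP
  '2024-05-01T10:01:01Z ip=192.0.2.11 user=emre@example.com result=fail',
  '2024-05-01T10:01:01Z ip=192.0.2.12 user=ece@example.com result=fail',
].join('\n');

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/;

// Parse one event per line; blank or malformed lines are skipped, not fatal.
function parseLog(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue;
    events.push({ ts: m[1], ip: m[2], user: m[3], ok: m[4] === 'ok' });
  }
  return events;
}

// Per source IP: distinct accounts touched, attempt/failure counts, successes.
function perSourceStats(events) {
  const stats = new Map();
  for (const e of events) {
    let s = stats.get(e.ip);
    if (!s) {
      s = { users: new Set(), attempts: 0, failures: 0, successes: [] };
      stats.set(e.ip, s);
    }
    s.users.add(e.user);
    s.attempts += 1;
    if (e.ok) s.successes.push(e.user); else s.failures += 1;
  }
  return stats;
}

// Flag sources that hit many accounts with a high failure rate. Successes from
// a flagged source are the accounts that were probably just taken over.
function flagStuffingSources(events, { minDistinctUsers = 5, minFailRate = 0.8 } = {}) {
  const flagged = [];
  for (const [ip, s] of perSourceStats(events)) {
    const failRate = s.failures / s.attempts;
    if (s.users.size >= minDistinctUsers && failRate >= minFailRate) {
      flagged.push({ ip, distinctUsers: s.users.size, failRate, takenOver: s.successes });
    }
  }
  return flagged;
}

// Source-agnostic signal for low-and-slow stuffing through a proxy pool:
// accounts that saw only failures in the window. Compare against the site's
// normal baseline; a jump means someone is working through a leaked list.
function failedOnlyAccounts(events) {
  const failed = new Set();
  const succeeded = new Set();
  for (const e of events) (e.ok ? succeeded : failed).add(e.user);
  return [...failed].filter((u) => !succeeded.has(u));
}

const demoEvents = parseLog(SAMPLE_LOG);
for (const hit of flagStuffingSources(demoEvents)) {
  console.log(`stuffing source ${hit.ip}: ${hit.distinctUsers} accounts, ` +
              `fail rate ${hit.failRate.toFixed(2)}, taken over: ${hit.takenOver.join(', ') || 'none'}`);
}
console.log('accounts with only failures in window:', failedOnlyAccounts(demoEvents).length);
```

The per-IP rule catches 203.0.113.7 and points straight at the account that was entered, while the four proxy addresses each touch a single account and never cross it; only the window-wide count of failing accounts reveals them.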

Stage         What happens
Breach        A site is breached and its users' email addresses and passwords are stolen
Collection    The leaked records are combined with earlier leaks into lists that circulate on the dark web
Stuffing      Bots try these pairs automatically on other sites
Takeover      Accounts where you used the same password are entered
Exploitation  Fraud, data theft, identity theft, ransom

We covered how a compromised account is forensically examined and recovered in account takeover.

Why a strong password alone is not enough

Most people choose a complex password they think is secure and then use it in ten different places. If that password leaks from any one of the ten, the other nine are endangered too. Complexity still helps against one thing, cracking a leaked password hash, but once the password is known in plaintext, whether leaked directly or cracked, its complexity counts for nothing if it is reused.

This is why the modern security recommendation has changed. The emphasis is no longer on changing the password often or on complexity rules, but on a unique password for every account. NIST's current guidance (SP 800-63B) points the same way: length and uniqueness matter more than composition rules, verifiers should not force periodic changes without evidence of compromise, and new passwords should be checked against lists of known-breached passwords.

The three steps of protection

1. A unique password on every account, with a password manager. Remembering dozens of different and strong passwords is impossible, so use a password manager. A password manager generates and stores a different, long and random password for each account, and you only remember a single master password. So even if a site is breached, that password works nowhere else.

2. Two factor authentication (2FA). With two factor authentication on an account, an attacker who knows your password still cannot get in without the second step (a code from your phone or an app approval). That alone stops the plain credential stuffing attack, which has only the password to work with. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping. 2FA should be on without exception, especially on email, bank and work accounts.

3. Passkeys, the successor to the password. A passkey is a cryptographic, phishing resistant login method that replaces the password. There is no password to leak: your device holds a private key that never leaves it, the service stores only the matching public key, and login is a signature over a fresh challenge from the service. A stolen server database therefore contains nothing an attacker can try elsewhere, and because the key is bound to the site that registered it, a look-alike phishing site cannot use it. Moving to passkeys on every service that supports them makes credential stuffing against those accounts impossible.

What it means for a business

Credential stuffing hits businesses as well as individuals. If your employees reuse passwords from their personal lives on work accounts, then when that password leaks somewhere your company systems are at risk too. So in a corporate environment mandatory two factor authentication, a password manager and monitoring for leaked credentials (checking employee and customer passwords against known-breach lists) all matter. If a customer account is taken over and personal data leaks, this is a data breach under KVKK; see KVKK data breach notification, 72 hours. We covered the general framework of internal defense in how to prevent an internal cyber attack.

Frequently Asked Questions

My password is strong, am I still at risk? Yes, if you use that password in more than one place. Even a strong password, once it leaks in one place, endangers every account where you used it. Uniqueness matters more than strength.

How do I find out whether my email has leaked? There are services that check whether your email address has appeared in known data breaches. If your address appears, immediately change the passwords on those accounts and anywhere else you used the same password, and turn on two factor authentication.

Does two factor authentication completely stop credential stuffing? It stops the plain attack, because even if the attacker knows the password they cannot get in without the second step. It is not absolute: SMS codes can be intercepted through SIM swapping, and a code of any kind can be phished in real time by a fake site that relays it to the real one. The strongest protection is passkeys, because then there is no password to leak and the key only works on the genuine site.

Is a password manager safe? Yes, a good password manager stores your data with strong encryption and lets you generate a unique password for each account. Provided you choose a strong master password and turn on two factor authentication on the password manager, it is far safer than using weak passwords one by one.

To audit whether leaked passwords threaten your accounts or company and to set up strong authentication, contact DSET.