Excerpts from the Special Report, “The Economics of Credential Stuffing Attacks and Account Takeover Fraud” by myNetWatchman.
Credential stuffing has endured because it’s ruthlessly economical.
Attackers take username/password pairs harvested from one breach — or several combined — and automate login attempts across thousands of sites. Even when only a tiny fraction succeed (think 0.00018% to 0.025%), the sheer scale turns pennies into profits and headaches into real losses for businesses. The problem persists because consumers, employees, and vendors reuse passwords, and criminals can cheaply rent botnets, proxies, and tools that mimic human behavior.
Credential stuffing is a serious cyberattack because it is cheap, easy to scale, and exploits the common habit of password reuse. Even though only a tiny fraction of attempts succeed (0.00018% to 0.25%), the sheer number of attempts means big profits for criminals and big costs for organizations. The financial return for attackers, combined with how little the attacks cost to run, highlights the urgent need for strong defenses.
Our latest report, “The Economics of Credential Stuffing Attacks and Account Takeover Fraud,” breaks down why these attacks are so effective and what they cost both criminals and organizations. Inside, you’ll learn about:
In our digital-first world, passwords, combined with an email address or User ID, are the primary gatekeepers to vast amounts of sensitive data. For nearly every online company, however, relying on passwords as the primary identity and verification method is a critical weakness, leaving them open to credential stuffing, account takeover, and the ransomware attacks that often follow initial access.
Pervasive Problems: Weak, Reused, and Leaked Passwords
A Cybernews study on billions of leaked passwords revealed that a staggering 94% are either reused or duplicated across multiple services. Many users opt for “lazy” patterns like “123456” or simple combinations of lowercase letters and digits, making them trivial targets for brute-force and dictionary attacks. Despite decades of cybersecurity education, there has been little to no progress in user behavior.
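The practical counter to the reuse problem above is to screen every new or reset password against a breach corpus before accepting it, and to reject the predictable structures the study describes. The following is an added example written for this page, not code from myNetWatchman or from the Cybernews study. It assumes a constructed, in-memory breach corpus and simulates a k-anonymity range lookup (client sends only the first five hex characters of the SHA-1 hash, matches the suffix locally) so it runs offline; the length threshold and the "lazy pattern" regexes are assumptions to tune per site.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus: password -> breach occurrences.
# Illustrative values only; in production this is a Pwned Passwords mirror or similar.
CONSTRUCTED_BREACH_CORPUS = {
    "123456": 1_000_000,
    "password": 500_000,
    "qwerty123": 120_000,
    "letmein": 90_000,
    "summer2024": 15_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the key format used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus by 5-hex-char prefix -> {35-char suffix: count}.

    This is the shape of a k-anonymity range response: the client sends only the
    prefix, receives every suffix sharing it, and matches locally, so neither the
    password nor its full hash leaves the client.
    """
    index: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix: str) -> dict:
    """Simulated offline equivalent of GET /range/{prefix}; returns suffix -> count."""
    assert len(prefix) == 5, "range queries take exactly five hex characters"
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus, via a prefix-only query."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


# Structural "lazy" patterns the page describes: digits only, or lowercase letters
# optionally followed by digits (e.g. summer2024). These regexes are an assumption.
LAZY_PATTERNS = (
    re.compile(r"^\d+$"),
    re.compile(r"^[a-z]+\d*$"),
)


def evaluate_password(password: str, min_length: int = 12) -> dict:
    """Return {'ok': bool, 'reasons': [...]} for a registration or reset password."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = breach_count(password)
    if hits:
        reasons.append(f"found {hits} times in breach corpus")
    if any(p.match(password) for p in LAZY_PATTERNS):
        reasons.append("predictable structure (digits only, or lowercase letters then digits)")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("123456", "summer2024", "Tr0ub4dor&3 plus some words"):
        print(candidate, "->", evaluate_password(candidate))
```

A rejected breached password is the one place where the service can interrupt reuse before an attacker tests it; the prefix lookup matters because sending the full hash of a candidate password to a third party would itself be a leak.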
The cybersecurity landscape is facing unprecedented challenges, and businesses are falling behind on robust, proactive defense. As Verizon's 2025 Data Breach Investigations Report (DBIR) highlights, a central element of this environment is the pervasive threat of compromised credentials.
Verizon’s 2025 DBIR: Key Findings
- Credential abuse (22%) and exploitation of vulnerabilities (20%) are the leading initial attack vectors
- The report analyzed over 22,000 security incidents, including 12,195 confirmed data breaches
- Third-party involvement in breaches doubled to 30%, emphasizing supply chain risk
- Ransomware has risen 37% since last year, now present in 44% of breaches
- For SMBs, ransomware appears in 88% of breaches — the impact is disproportionate
Account Takeover as a Major Threat
Criminals leverage stolen email addresses, user IDs, and passwords to take control of legitimate user accounts, leading to fraud events. Compromised credentials provide attackers with the initial access needed to deploy ransomware — and beyond.
The recent news of 23andMe filing for bankruptcy resonates deeply with anyone in fraud prevention. Reports point to a range of financial struggles at the genetic testing company, but the massive 2023 data breach, which began with credential stuffing, was a significant contributor to its downfall.
What Happened
Attackers leveraged credentials compromised elsewhere, which consumers had reused on their 23andMe accounts, to expose sensitive genetic and ancestry data of over 6.9 million customers. The credential stuffing itself took over a far smaller number of accounts; the exposure scaled because each compromised account could view profile data of its genetic relatives through the DNA Relatives feature.
In the world of online security, it is tempting to take a rigid, unyielding stance against bad actors. Block any suspicious IP address, and bam, problem solved, right? Not quite.
“Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it.” — Bruce Lee
The Problem with IP Blocking
Many security solutions rely heavily on IP address blocking as a primary defense. While seemingly straightforward, this tactic is fraught with issues:
Credential stuffing is a middle step in a multi-stage process: consumer login credentials go from being compromised (through a data breach, keylogging malware, or phishing) to being monetized. Cybercriminals use credential stuffing to identify which compromised username/password pairs are valid on other sites, then sell the verified pairs on the dark web for fraudulent purchases, gift card theft, reward point draining, PII scraping, and ATO.
“24 hours is all it takes a sophisticated fraudster organization to steal, test, and put compromised data out on the dark web markets for sale. Experienced criminals have these steps optimized to maximize the value of the data they’ve acquired.” — Don Bush, myNetWatchman
Many organizations rely on myNetWatchman to protect against credential stuffing and account takeover attacks — but account security is especially critical for financial institutions (FIs). This article explores a real credential stuffing attack against a large FI, observed in real-time between June and August 2024.
It’s a High-Volume Numbers Game
Credential stuffing systematically tests exposed credential pairs to see where the same combination works elsewhere. The attack in this case study saw over 8 million unique usernames attempted in a 6-week period — not to succeed on all of them, but to identify the ones that do.