Credential stuffing is when stolen usernames and passwords (also knows as "credentials") are automatically inserted into website login forms, in order for fraudsters gain access to user accounts.

Steps of a Credential Stuffing Attack:

View the steps in's infographic (Related Actions).

Provided by OWASP (Open Web Application Security Project®):

  1. The attacker acquires usernames and passwords from a website breach,  phishing attack, or password dump site.
  2. The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces, or web apps).
  3. If the login is successful, the attacker knows they have a set of valid credentials.
  4. Now the attacker knows they have access to an account. 

Potential next steps by the attacker:

  • Draining stolen accounts of stored value or making purchases.
  • Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
  • Using the account to send phishing messages or spam.
  • Selling known-valid credentials to one or more of the compromised sites for other attackers to use.

How to Prevent:

  1. Use Multifactor Authentication.
  2. Create secure, unique passwords for various accounts.
  3. Use biometric authentication when available.
  4. Do not share your credentials.

If you believe your credentials may be known by others, or your account has been hacked, report as soon as possible. For your WPI account, email or use the Request Help button on this page