Article Details
Scrape Timestamp (UTC): 2025-10-07 08:03:29.714
Source: https://www.theregister.com/2025/10/07/credential_stuffing_231_million/
Original Article Text
Credential stuffing: £2.31 million fine shows passwords are still the weakest link
How recycled passwords and poor security habits are fueling a cybercrime gold rush.
Partner Content

If you're still using "password123" for more than one account, there's a good chance you've already exposed yourself to credential stuffing attacks — one of the most prevalent and damaging forms of automated cybercrime today. Just ask the 6.9 million users of 23andMe who discovered their personal details were compromised when cybercriminals used recycled credentials from other breaches to infiltrate their accounts.

The consequences extended far beyond the initial breach. In 2025, 23andMe received a £2.31 million regulatory fine from the UK's Information Commissioner's Office. A costly lesson in the dangers of weak password habits.

But what is credential stuffing, really?

Credential stuffing is a systematic attack method where threat actors use stolen username and password combinations from previous data breaches to gain unauthorized access to user accounts across different platforms. Strip away the fancy terminology and it's just cybercriminals playing "guess who?" with your login details. Threat actors use automated tools to try huge lists of stolen credentials (think: email/password combos) across multiple websites. The goal? Find out where else those credentials work, and crack open accounts for identity theft, fraud, or just plain chaos.

It's not brute force. It's credential recycling on a massive scale, using stolen usernames and passwords from one breach to break into dozens of other accounts.

The domino effect: from 14,000 to 6.9 million

The hacker behind the 23andMe breach, operating under the alias "Golem", exploited the widespread practice of password reuse across multiple platforms.
A critical factor enabling the attack's success was 23andMe's lack of rate limiting in their login API, which allowed attackers to make unlimited login attempts without triggering security mechanisms. By automating login attempts with stolen credentials, Golem was able to compromise around 14,000 accounts directly.

However, the real damage came from the interconnected nature of 23andMe's DNA Relatives and Family Tree features. Once inside these accounts, the attacker could access sensitive data of users linked through shared genetic information, leading to the exposure of approximately 5.5 million DNA Relatives profiles and 1.4 million Family Tree profiles. This incident highlights how weak authentication and networked data-sharing can rapidly amplify the consequences of credential stuffing attacks.

The mechanics of credential stuffing

The attack vector is straightforward: when users reuse passwords across multiple services, a single data breach can compromise their entire ecosystem. Criminals acquire databases containing millions of leaked credentials from previous security incidents, then systematically attempt these login combinations across banking platforms, email services, social media, and corporate systems.

The scale of these operations is significant. Automated bots can test millions of credential combinations per minute across multiple targets, making manual detection and prevention challenging.

Credential stuffing vs brute force and credential harvesting

Let's get our terms straight. Credential harvesting is the act of collecting login details — through phishing, malware, or data breaches. Credential stuffing is what happens next. Attackers use those harvested credentials en masse to break into other accounts. So, harvesting is the "shopping," stuffing is the "checkout."

And unlike brute force attacks (where hackers try every possible password), credential stuffing bets on human laziness — reuse of the same passwords everywhere.
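The two attack shapes contrasted above look different in authentication logs, which is what a defender can measure. The following is an added example, not code from the article or from Passwork: it classifies each source address in a constructed login log as credential stuffing (many distinct accounts, roughly one attempt each, high failure rate) or brute force (one account, many attempts). The log format, thresholds and addresses are assumptions for illustration.

```python
"""Per-source login pattern classifier over constructed auth log lines.
Credential stuffing touches many distinct accounts, about one try each, at a
high failure rate; brute force hammers one account with many passwords.
Log format and thresholds are assumptions, not 23andMe's."""
import re
from collections import defaultdict
# Constructed format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")
SAMPLE_LOG = """\
2025-10-07T08:00:01Z ip=203.0.113.5 user=alice result=fail
2025-10-07T08:00:01Z ip=203.0.113.5 user=bob result=fail
2025-10-07T08:00:02Z ip=203.0.113.5 user=carol result=ok
2025-10-07T08:00:02Z ip=203.0.113.5 user=dave result=fail
2025-10-07T08:00:03Z ip=203.0.113.5 user=erin result=fail
2025-10-07T08:00:05Z ip=198.51.100.9 user=frank result=fail
2025-10-07T08:00:06Z ip=198.51.100.9 user=frank result=fail
2025-10-07T08:00:07Z ip=198.51.100.9 user=frank result=fail
2025-10-07T08:00:08Z ip=198.51.100.9 user=frank result=fail
2025-10-07T08:01:00Z ip=192.0.2.7 user=grace result=fail
2025-10-07T08:01:10Z ip=192.0.2.7 user=grace result=ok
"""

def summarise(log_text):
    """Count attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match instead of crashing
        ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["failures"] += result == "fail"
    return stats

def classify(s, min_attempts=4, fail_ratio=0.8):
    """Label one source: normal, credential_stuffing, brute_force or suspicious."""
    if s["attempts"] < min_attempts or s["failures"] / s["attempts"] < fail_ratio:
        return "normal"
    spread = len(s["users"]) / s["attempts"]  # 1.0 means a new account every try
    if spread >= 0.8:
        return "credential_stuffing"  # many accounts, roughly one try each
    if len(s["users"]) == 1:
        return "brute_force"          # one account, many passwords
    return "suspicious"

def classify_log(log_text, **thresholds):
    return {ip: classify(s, **thresholds) for ip, s in summarise(log_text).items()}
```

Note that the stuffing source still records one successful login among its failures; that single "ok" amid a high failure rate is the event worth alerting on, since a plain per-account lockout would never fire for it.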
The risks of credential stuffing

Credential stuffing might seem like a simple attack, but its consequences ripple far beyond a single compromised account. Credential stuffing is the slow drip torture of cybersecurity. These automated attacks exploit password reuse, testing stolen credentials against legitimate services at massive scale. The UK sees thousands of these attacks every year, targeting everything from retail and banking to government portals.

How to detect credential stuffing

Here are some key indicators and methods to identify such attacks:

By using these methods, organizations can detect and address credential stuffing attacks proactively.

Cyber attack prevention strategies

Threat intelligence is marketed as a cure-all but often falls short, proving too slow or too noisy to detect real threats. Despite investments in firewalls, SIEMs, and AI tools, basic security practices are still overlooked. Here's your essential checklist:

The real fix? Stop reusing passwords. Educate users. Enforce strong password policies. Monitor for suspicious logins. Deploy proper bot defenses, and use a reliable password manager.

Passwork: closing the door on credential stuffing

Most password managers promise security, but end up buried under clunky interfaces and forgotten master passwords. Passwork flips the script. Instead of adding friction, it makes strong password hygiene effortless.

How does Passwork help? Credential stuffing thrives on password reuse and weak credentials. Passwork eliminates both. It generates complex, unique passwords for every account and stores them securely, so you never have to recycle or remember them.

Why is Passwork different? It's designed for actual humans, not just security experts. The interface is intuitive. Users aren't punished for doing the right thing. Unique, strong passwords for every account become the default. And because Passwork makes it easy, users don't forget to update passwords or fall back on lazy habits.
Advantages Passwork brings to the table:

Passwork closes that gap, making security simple and efficient. It offers an on-premise password management solution, enabling organizations to maintain complete control over the storage and handling of sensitive information. Passwork is ISO 27001 certified and tested by HackerOne. For organizations that take security seriously, choosing a password manager with proven compliance and independent verification is essential.

Conclusion

Credential stuffing attacks remain one of the most pervasive and damaging threats to organizational security, thriving on password reuse and inadequate access controls. These attacks are automated, persistent, and often go undetected until the damage is done. Traditional security measures provide only partial protection against the scale and sophistication of these threats.

If your organization is ready to take ownership of its security posture and move beyond reactive measures, Passwork delivers the reliability, transparency, and control needed to defend against today's credential-based threats. Discover more about Passwork at passwork.pro.

Contributed by Passwork.
Daily Brief Summary
23andMe faced a £2.31 million fine from the UK's Information Commissioner's Office following a credential stuffing attack affecting 6.9 million users.
Attackers exploited recycled passwords and poor security practices, gaining unauthorized access to sensitive genetic data through interconnected accounts.
The breach highlighted the absence of rate limiting in 23andMe's login API, allowing unlimited login attempts without triggering security alerts.
Approximately 14,000 accounts were directly compromised, with the exposure extending to 5.5 million DNA Relatives and 1.4 million Family Tree profiles.
Credential stuffing leverages stolen credentials from past breaches, testing them across various platforms to exploit password reuse.
Automated tools facilitate these attacks, testing millions of combinations per minute, challenging traditional detection and prevention methods.
Organizations are urged to enforce strong password policies, monitor for suspicious activities, and deploy sophisticated bot defenses to mitigate such risks.
Passwork offers a solution by generating complex, unique passwords, reducing the likelihood of credential stuffing attacks through improved password hygiene.