Types of Cyber Attacks - Credential Stuffing
This article is linked to a series of articles about different types of Cyber Attacks. They can be viewed in the Information/Cyber Security News section of the Data Protection Education website or as part of the Information & Cyber Security Best Practice Area. Each article discusses a different type of cyber attack, steps to try to minimise the risk and guidance
Credential stuffing takes advantage of people reusing username and password combinations across different accounts.
Attackers fraudulently obtain valid combinations for one site and then use them across other sites to try and gain access to accounts. Any website that requires an online login is potentially vulnerable.
Many people re-use the same username/email and password combination. When those credentials are exposed (by a database breach or phishing attack), submitting the stolen sets of credentials to many other sites can allow an attacker to compromise those accounts too.
Credential stuffing is a type of brute force attack. Brute forcing guesses passwords by trying many candidates against one or many accounts. Credential stuffing instead uses specific breached username/password pairs against other websites. It is one of the most common techniques for accessing user accounts because it is easy for the attacker to do and does not require any specialist skills.
Steps of an Attack
- The attacker acquires usernames and passwords from a website breach, phishing attack or password dump site.
- The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces or web apps).
- If the login is successful, the attacker knows they have a set of valid credentials.
Now the attacker knows they have access to an account. Potential next steps include:
- Draining stolen accounts of stored value or making purchases.
- Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
- Using the account to send phishing messages or spam.
- Selling known-valid credentials to one or more of the compromised sites for other attackers to use.
A recent credential stuffing attack, reported by Computing, affected PayPal account users:
PayPal has reset passwords on all impacted accounts
Defence against Credential Stuffing
- Use multi-factor authentication
- Use secondary passwords, PINs and security questions
- Use CAPTCHA
- IP Address block listing
- Biometrics
- Check against leaked passwords using the Have I Been Pwned site
- Notify staff about unusual security events
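Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts, usually once or twice each, and most attempts fail. The following is an added example (not code from the original article) that applies that heuristic to constructed sample log lines, to support the IP block listing and staff notification measures above; the log format, thresholds and window size are assumptions.

```python
"""Flag credential-stuffing traffic in authentication logs.

Brute forcing looks like one account with many passwords; a normal user
is one account with a few tries. Credential stuffing is many *distinct*
accounts from one source with a high failure rate, so per source IP we
count distinct usernames and failures inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): "timestamp ip user result"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:02 203.0.113.7 bob FAIL
2024-01-10T09:00:02 203.0.113.7 carol FAIL
2024-01-10T09:00:03 203.0.113.7 dave SUCCESS
2024-01-10T09:00:03 203.0.113.7 erin FAIL
2024-01-10T09:00:04 203.0.113.7 frank FAIL
2024-01-10T09:05:00 198.51.100.2 grace FAIL
2024-01-10T09:05:10 198.51.100.2 grace FAIL
2024-01-10T09:05:20 198.51.100.2 grace SUCCESS
"""

def parse(lines):
    """Yield (timestamp, ip, user, result) from the assumed log format."""
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, failures, attempts)} for every source that,
    within some window, hit at least min_users distinct accounts and failed
    at least min_fail_ratio of the time. The widest qualifying window wins."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(log):
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if len(users) > flagged.get(ip, (0, 0, 0))[0]:
                    flagged[ip] = (len(users), fails, len(win))
    return flagged

if __name__ == "__main__":
    for ip, (users, fails, total) in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {fails}/{total} failed: block list and alert staff")
```

The single user with three attempts (198.51.100.2) is not flagged, which is the distinction from a mistyped password that a block listing rule needs to make.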
What to do in the event of a Cyber Attack
Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body.
The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team by email
You may also need to report to:
- the NCSC website if the incident or attack causes long-term school closure, the closure of more than one school, or serious financial damage
- the ICO website within 72 hours, where a high-risk data breach has or may have occurred
- your cyber insurance provider (if you have one), such as risk protection arrangement (RPA)
- Jisc, if you are a part of a further education institution
You must act in accordance with:
- Action Fraud guidance for reporting fraud and cyber crime
- Academy Trust Handbook Part 6, if you are part of an academy trust
- ICO requirements for reporting personal data breaches
Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
Preserving evidence is as important as recovering from the crime.
Forward suspicious emails to
