
Credential stuffing: what is it and how can you combat it?

Credential stuffing: what is it?

A long time ago, when the internet was hitting its teen years, some big names online and some traditional brands got hit by hacker types. These bandits stole much of their users' data, and knowing that other bandits would pay a handsome price for the booty, they sold off chunks of this data to the highest bidder.

The buyers and the original hackers would then use the data to try to gain access to user accounts across the internet: not just on the sites that were breached, but also on other domains, working on the persuasive and well-known assumption that users mostly reuse the same credentials on many sites.

This haul of breached usernames and passwords contained millions upon millions of combinations. No self-respecting bandit would try to compromise sites manually, entering each username and password to see whether it works. They would automate the job using the tools found in any decent hacker's toolkit, or have any half-decent programmer write one. So this computerised practice of injecting username and password pairs to gain access to users' accounts became known as credential stuffing.
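Because the signature of stuffing is one source trying many different usernames roughly once each (unlike a brute-force attack, which hammers one account with many passwords), a defender can spot it by grouping authentication events per source. The following Python is an added example, not part of the original post: it runs that check over constructed log lines in a hypothetical "time src_ip user result" format and also lists which accounts a flagged source managed to log into.

```python
from collections import defaultdict

# Constructed sample auth log lines (hypothetical "time src_ip user result" format).
# 203.0.113.7 replays a leaked list: many users, one try each (stuffing).
# 198.51.100.4 hammers one account with many passwords (classic brute force).
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice FAIL
10:00:01 203.0.113.7 bob FAIL
10:00:02 203.0.113.7 carol FAIL
10:00:02 203.0.113.7 dave OK
10:00:03 203.0.113.7 erin FAIL
10:00:03 203.0.113.7 frank FAIL
10:00:10 198.51.100.4 alice FAIL
10:00:11 198.51.100.4 alice FAIL
10:00:12 198.51.100.4 alice FAIL
10:00:13 198.51.100.4 alice FAIL
10:00:14 198.51.100.4 alice FAIL
10:00:20 192.0.2.9 grace OK
"""

def parse_log(text):
    """Yield (src_ip, user, success) tuples from the constructed log format."""
    for line in text.splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def classify_sources(events, min_attempts=5, max_attempts_per_user=2.0):
    """Return {src_ip: (label, [accounts it logged into])}.

    'stuffing'  : many distinct usernames, roughly one attempt each, i.e. a
                  leaked username/password list being replayed.
    'bruteforce': attempts concentrated on one or a few usernames.
    'normal'    : fewer than min_attempts events from that source.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        per_ip[ip]["users"].add(user)
        per_ip[ip]["attempts"] += 1
        if ok:
            per_ip[ip]["hits"].add(user)  # successes from a stuffing source = compromised accounts
    result = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            label = "normal"
        elif s["attempts"] / len(s["users"]) <= max_attempts_per_user:
            label = "stuffing"
        else:
            label = "bruteforce"
        result[ip] = (label, sorted(s["hits"]))
    return result
```

The thresholds are illustrative; in production they would be tuned per site and applied over a sliding time window, and the "hits" from a source labelled stuffing are the accounts to force a password reset on.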

Eventually, those treasure troves, including emails, passwords and, in some cases, more sensitive information, found their way into many people's hands.

Listen to the Rework podcast on credential stuffing

There is a great podcast episode that describes how the Basecamp security team handled the attack on their services. Listen here.