On July 4th, many Americans barbeque, watch baseball and go to fireworks shows. In 2020, U.S. consumers added a new ritual to that list – get targeted by bad actors seeking to scam them out of their online gift card balances. For the first time ever, we tracked a significant “credential stuffing” attack leading up to and over July 4th. Cybercriminals obtained validated password and username combos from the Dark Web. The fraudsters used them for attacks across a broad range of online sites such as home goods and clothing. The authentication of an account with a valid password and username pair gave the cybercriminals unauthorized access to online gift card accounts. We believe the cybercriminals were counting on the tendency of people to reuse the same username or email and password across multiple sites, a well known cyber security flaw. They were betting that some of those accounts held significant card values. As you can see from the chart below, the patriotic holiday attracted a nasty spike of egift card bot attackers.