You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven’t been compromised. It’s maddening, but in many cases, technically they’re right. The real culprit is a hacker technique known as “credential stuffing.”
The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to “stuff” those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin’ Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.
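From the defending service's side, the pattern described above leaves a recognizable trace in login logs: one source tries many different usernames, roughly once each, and almost all attempts fail. The sketch below is an added example, not from the original article; the event format, thresholds, labels and function names are assumptions chosen for illustration, and the log entries are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source, 40 different accounts, a single reused password works
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # A real user mistyping a password twice, then logging in
    + [("198.51.100.4", "alice@example.com", ok) for ok in (False, False, True)]
    # Repeated guesses against one account (not stuffing)
    + [("192.0.2.9", "bob@example.com", False) for _ in range(30)]
)


def classify_sources(events, min_attempts=20, min_distinct_ratio=0.8,
                     max_success_rate=0.1):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for ip, user, success in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["ok"] += int(success)

    verdicts = {}
    for ip, s in stats.items():
        distinct_ratio = len(s["users"]) / s["attempts"]
        success_rate = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts or success_rate > max_success_rate:
            verdicts[ip] = "normal"
        elif distinct_ratio >= min_distinct_ratio:
            # Many usernames, about one try each: a stolen credential list
            verdicts[ip] = "credential_stuffing"
        else:
            # Many tries against few usernames: guessing, not list replay
            verdicts[ip] = "password_guessing"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged in to; candidates for a forced reset."""
    return sorted({user for ip, user, success in events
                   if success and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v, accounts_to_reset(SAMPLE_EVENTS, v))
```

Grouping by source IP is itself an assumption: attempts spread across many addresses would need a different grouping key, such as a time window over the whole login endpoint.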