Credential stuffing

How many times have you reused a username and password combination for an online login?

If you’re like many, you recycle username and password information for everything from your online banking to your most recent retail shopping spree.

What you likely don’t know is that this habit may put your accounts at risk through a fraudulent activity called credential stuffing.

What is credential stuffing?

In short, an attacker will use a bot (a software application that runs automated tasks over the Internet) to randomly submit username and password combinations from previous data breaches into financial institution login pages with the aim of fraudulently gaining access to an account. The attacker is hoping that some of the users with compromised data used the same credentials for another account.


For example, let’s say you use the same login credentials for an online gaming account as you do for online banking. Should the online gaming site’s security be breached, hackers now have a known username and password that they can plug into an array of financial or otherwise high-risk or high-security sites.

From a purely statistical standpoint, the success rate of credential stuffing is relatively low, around 0.1%*, but since the process can be done in bulk, trying many username and password combinations in a short period of time, the practice can be very lucrative for attackers.

How could it impact you?

If you become a target of a credential stuffing attack, you’ll most likely receive some type of security alert or notification of a locked account due to too many password-username combination attempts. If you ever get a notification of a login attempt on your United Community Bank account that you did not make, contact us immediately and change your password.

If an attacker happens to gain access to your account through credential stuffing, they could gain access to your sensitive financial information. It is important to get in touch with us as quickly as possible.

What should you do to minimize risk?

The most effective way to guard yourself and your account against credential stuffing efforts is to create unique usernames and passwords for each of your online accounts. This will ensure that, should an attacker gain access to login information for one online account you hold, your other accounts will remain inaccessible.

Helpful hint: Try mixing up your username by adding capital letters, numbers or other special characters that make it harder for hackers to guess. If your name is Jane Doe and you were born in 1976, a hacker might well guess Jane_Doe76, but they’re unlikely to guess J@nE_L0ves_çat$. Pair that with a complex password and your chances of falling victim to credential stuffing plummet.

When possible, opt for a two-factor authentication login. This will ensure your account remains unbreached even if an attacker does manage to gain access to your login credentials.

You can read more password tips to keep hackers and attackers at bay here.

Questions? Concerns? We’re here to help.

If you think you’re the victim of fraud or think someone is attempting to access your personal financial information, contact us immediately. We will help you take the best next steps.