After recently covering the cyber attack on Nando’s, a deeper look into what credential stuffing actually is may be needed.


 

Monday, November 2nd, 2020

Welcome back to a new week! Halloween is over, and the world now shifts its attention to Christmas. 

Last week, CPG covered the cyber attack on Nando’s. But here at CPG, we’re not quite ready to jump to the next topic. 

The attack on Nando’s appeared to be a credential stuffing attack. And while CPG covered the attack in relation to the restaurant chain, I wanted to dive deeper into the topic, and really elaborate on the subject. 

Let’s get into the topic of credential stuffing attacks!

 

How it Works

To begin, let’s look at the actual definition of credential stuffing. 

“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts” (via OWASP.org).

To elaborate, attackers take large lists of username/password pairs that leaked in earlier data breaches of other sites (often called “combo lists”) and replay them, with automated tooling, against the login page of a site that was never breached itself. Each pair is a combination of an email address or username and a password. The attack only works because people reuse passwords: a pair that was valid on the breached site is tried here in the hope that the same person used it again. 

This is different from a classic brute force attack, which guesses many passwords against one account. Credential stuffing tries each leaked pair once, usually against thousands of accounts in a single run, so any one account sees only a single failed login and lockout thresholds rarely trigger. Some attackers add a brute force element on top, trying a few common variations of each leaked password, but the core of the attack is replay, not guessing. 

Overall, the functionality of the attack is fairly straightforward. Now, let’s take a look at the goal of this type of attack.
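To make the mechanics concrete, here is an added example (written for this article, not code from CPG or from any attack tool) that replays a constructed combo list against a mock login function. The user table, the leaked pairs and the toy hashing scheme are all assumptions of the example. Only the accounts whose owners reused a leaked password fall, each account is touched exactly once, and a brute force run against a single account is shown for contrast.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample of a site's users and their plaintext passwords. alice and
# carol reused a password that also leaked elsewhere; bob chose a unique one.
SITE_USERS = {
    "alice": "Summer2019!",
    "bob": "correct horse battery staple",
    "carol": "qwerty123",
}

# Constructed "combo list": pairs supposedly leaked from a breach of some OTHER
# site. dave and erin have no account on this site at all.
COMBO_LIST = [
    ("alice", "Summer2019!"),
    ("bob", "hunter2"),
    ("carol", "qwerty123"),
    ("dave", "letmein"),
    ("erin", "Password1"),
]


def _hash(password, salt):
    # Toy salted hash for the mock site; a real site would use bcrypt/scrypt/Argon2.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_user_table(users):
    """Build the mock site's credential store: username -> (salt, hash)."""
    table = {}
    for name, password in users.items():
        salt = secrets.token_bytes(8)
        table[name] = (salt, _hash(password, salt))
    return table


def login(table, username, password):
    """Mock login endpoint: True only if the user exists and the password matches."""
    record = table.get(username)
    if record is None:
        return False
    salt, digest = record
    return digest == _hash(password, salt)


def credential_stuff(table, combo_list):
    """Replay every leaked pair exactly once against the mock login.

    Returns the accounts that fell and a per-account attempt count; the count
    never exceeds 1, which is why per-account lockout thresholds rarely fire.
    """
    compromised = []
    attempts = Counter()
    for username, password in combo_list:
        attempts[username] += 1
        if login(table, username, password):
            compromised.append(username)
    return compromised, attempts


def brute_force(table, username, wordlist):
    """Contrast: many guesses against ONE account. Returns (password, tries)."""
    for tries, guess in enumerate(wordlist, start=1):
        if login(table, username, guess):
            return guess, tries
    return None, len(wordlist)


if __name__ == "__main__":
    table = make_user_table(SITE_USERS)
    fell, attempts = credential_stuff(table, COMBO_LIST)
    print("accounts taken over by stuffing:", fell)             # ['alice', 'carol']
    print("max attempts per account:", max(attempts.values()))  # 1
    print("brute force on carol:", brute_force(table, "carol", ["123456", "password", "qwerty123"]))  # ('qwerty123', 3)
```

Note what the site sees: five login attempts from one source, five different usernames, two successes. No single account was hammered, so a lockout rule counting failures per account would never have fired; the signal is in the traffic shape across accounts, not in any one of them.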

 

Goal of the Attack

Continuing the breakdown of credential stuffing attacks, let’s now look at what the attacker is actually after. 

To start, the short and simple explanation is that the attacker wants access to the target account. Nowadays, many people have personal and/or payment information linked to their accounts, both of which are quite valuable to an attacker. 

In the Nando’s attack, the hijackers used the stolen accounts to place many fraudulent orders. Sometimes attackers just want to prove they can break into an account. Other times they are trying to send a message to a corporation, or simply want to mess with someone. 

None of these reasons for attacking an innocent account is acceptable, but sadly it does happen. Luckily, there are a few ways you can keep this type of attack from working against you.

 

Prevention and Protection

In order to prevent a credential stuffing attack on your personal accounts, let’s take a look at a few proactive methods to consider. 

One, do not use the same password for all accounts. If you use the same username and password combination everywhere, a breach at any one site essentially hands an attacker a key to your whole life: once they learn your login for one site, they can get into every other account that shares it. 

To prevent this, use a different password for every account; a password manager makes that practical. That way a leak at one site cannot ripple through the rest of your logins. 

Second, enable two-factor authentication on your accounts. I know the extra login step is annoying, but it is exactly the layer of defense that stops a stolen password from being enough on its own. An authenticator app or a hardware security key is stronger than codes sent by SMS, but any second factor is far better than none.

All in all, here at CPG we highly recommend following the tips above to protect your accounts. Hopefully, after taking a deeper look at credential stuffing attacks, everyone will be more conscious of their username and password combinations and keep their accounts safe. 
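The tips above are for account holders. On the site’s side, the same traffic shape described earlier (many different usernames, one try each, mostly failing) is what a defender looks for. The following added example (written for this article, not code from CPG or from Nando’s) runs that check over constructed login-audit lines; the log format, the three source addresses and the thresholds are all assumptions of the example, and the thresholds would need tuning against a real site’s normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (the format is an assumption of this
# example, not any particular product's). 203.0.113.7 replays a combo list:
# ten different users, one try each, two of them succeed. 198.51.100.9 hammers
# a single account. 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """
2020-11-02T09:00:01Z ip=203.0.113.7 user=alice result=OK
2020-11-02T09:00:01Z ip=203.0.113.7 user=bob result=FAIL
2020-11-02T09:00:02Z ip=203.0.113.7 user=carol result=OK
2020-11-02T09:00:02Z ip=203.0.113.7 user=dave result=FAIL
2020-11-02T09:00:02Z ip=203.0.113.7 user=erin result=FAIL
2020-11-02T09:00:03Z ip=203.0.113.7 user=frank result=FAIL
2020-11-02T09:00:03Z ip=203.0.113.7 user=grace result=FAIL
2020-11-02T09:00:03Z ip=203.0.113.7 user=heidi result=FAIL
2020-11-02T09:00:04Z ip=203.0.113.7 user=ivan result=FAIL
2020-11-02T09:00:04Z ip=203.0.113.7 user=judy result=FAIL
2020-11-02T09:01:10Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:01:11Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:01:12Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:01:13Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:01:14Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:01:15Z ip=198.51.100.9 user=bob result=FAIL
2020-11-02T09:05:00Z ip=192.0.2.5 user=alice result=FAIL
2020-11-02T09:05:09Z ip=192.0.2.5 user=alice result=OK
""".strip().splitlines()

LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(lines):
    """Return (ip, user, success) tuples, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def classify_sources(events, min_attempts=5, min_fail_ratio=0.7, min_distinct_users=5):
    """Label each source IP by the shape of its login traffic.

    Credential stuffing: many distinct usernames, roughly one try each, mostly
    failing. Brute force: one username, many tries. Thresholds are illustrative.
    """
    by_ip = defaultdict(list)
    for ip, user, ok in events:
        by_ip[ip].append((user, ok))

    verdicts = {}
    for ip, tries in by_ip.items():
        total = len(tries)
        failures = sum(1 for _, ok in tries if not ok)
        distinct = len({user for user, _ in tries})
        if total < min_attempts or failures / total < min_fail_ratio:
            verdicts[ip] = "normal"
        elif distinct >= min_distinct_users and distinct / total >= 0.8:
            verdicts[ip] = "credential_stuffing"
        elif distinct == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Successful logins from a stuffing source are the takeovers to act on."""
    hits = {user for ip, user, ok in events if ok and verdicts.get(ip) == "credential_stuffing"}
    return sorted(hits)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    v = classify_sources(ev)
    print(v)                          # 203.0.113.7 -> credential_stuffing, 198.51.100.9 -> brute_force, 192.0.2.5 -> normal
    print(accounts_to_reset(ev, v))   # ['alice', 'carol']
```

The part worth acting on is the last function: the successful logins inside a stuffing run are the accounts that were just taken over, and they are the ones whose owners reused a password, so forcing a reset and enrolling them in two-factor authentication closes exactly the gap the attacker used.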

 

By Taylor Ritchey