Credential Stuffing Attacks

How’s everyone enjoying Disney+? Have you caught both episodes of The Mandalorian yet? Maybe binge-watched all of the MCU movies again?

And did you hear that Disney+, barely a week old at the time of this writing, has already been hacked? (I know, what took so long?)

Hackers appear to have acquired thousands of valid Disney+ account usernames and passwords and posted them to the “Dark Web”: websites that allow unscrupulous buyers to purchase other people’s personal information, including account usernames and passwords.

So how did this happen? It’s time to meet a brute force attack’s lesser-known—but potentially more dangerous—cousin, “credential stuffing”.

What Is Credential Stuffing?

One of the likely culprits in this Disney+ breach is a technique known as credential stuffing. Think of it as a brute force attack, but in reverse: A hacker has a valid username and password for one of a victim’s Internet accounts, and then attempts to use that same combination across a variety of other Internet services. In a brute force attack, the hacker uses automated tools to try to guess their way into one particular system using a variety of generated usernames and passwords. In credential stuffing, the hacker knows that the username and password they have are valid on at least one service, and is betting that you’ve reused that same combination elsewhere.

So if somehow a hacker had your Netflix username and password, they might try it against Disney+, Amazon, Hulu, or even various bank websites. Since so many services use your primary email address as the username (and that is an option for WordPress sites as well), hackers already potentially know half of your login credentials. The trick is to not let them know the other half.
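For site owners, the difference between the two attacks described above shows up in the shape of failed logins. The following is an added example, not code from the original post: it labels each source IP in a login log and lists accounts that need a forced password reset. The event tuple layout, the thresholds, and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome).
# The tuple layout is an assumption; map your own auth log onto it.
SAMPLE_EVENTS = (
    [("203.0.113.10", u, "fail") for u in ("alice", "bob", "erin", "frank", "grace")]
    + [("203.0.113.10", "carol", "success")]   # one reused password worked
    + [("198.51.100.7", "admin", "fail")] * 6  # repeated guesses at one account
    + [("192.0.2.44", "dave", "fail"), ("192.0.2.44", "dave", "success")]  # a typo
)

def classify_sources(events, min_attempts=5, ratio=0.8):
    """Label each source IP by the pattern of its failed logins."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> username -> count
    for ip, user, outcome in events:
        if outcome == "fail":
            failures[ip][user] += 1
    labels = {}
    for ip, users in failures.items():
        total = sum(users.values())
        if total < min_attempts:
            labels[ip] = "normal"  # too few failures to judge
        elif len(users) / total >= ratio:
            # Roughly one try per account across many accounts:
            # known username/password pairs are being replayed.
            labels[ip] = "credential-stuffing"
        elif max(users.values()) / total >= ratio:
            # Many guesses concentrated on a single account.
            labels[ip] = "brute-force"
        else:
            labels[ip] = "mixed"
    return labels

def accounts_to_reset(events, labels):
    """Accounts that logged in successfully from a credential-stuffing source."""
    hit = {user for ip, user, outcome in events
           if outcome == "success" and labels.get(ip) == "credential-stuffing"}
    return sorted(hit)

if __name__ == "__main__":
    found = classify_sources(SAMPLE_EVENTS)
    for ip, label in sorted(found.items()):
        print(ip, label)
    print("force password reset:", accounts_to_reset(SAMPLE_EVENTS, found))
```

Grouping by source IP only catches attempts that come from a single address; when the same pattern is spread across many addresses, group by a different key such as time window or user agent.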

How To Protect Yourself and Your WordPress Site

Good security habits with every online service you have access to are important to keep all of your Internet properties safe. Therefore, you should follow all of the following guidelines to keep your streaming services, your bank account, and, yes, even your WordPress site safe from hackers:

  • Always use unique, nonsensical passwords that are different for every Internet site you have an account with. If you can remember your password, it’s likely not secure enough.
  • Store those passwords in a reputable password manager such as 1Password or LastPass. Burn the password for your password manager into your brain, and never write it down anywhere.
  • Where possible, use different usernames for each service as well, even if the username is your email address. Gmail, for example, will ignore any characters in an email address that come after a plus (“+”) sign. So your email address for Netflix could be “johndoe+netflix@gmail.com”, for Disney+ it could be “johndoe+disney@gmail.com”, and for your WordPress site it could be “johndoe+wp@gmail.com”, and all the emails for those services will go to the same Gmail inbox. Yet for the purposes of logging into those services, all of those usernames will be unique. Better yet, don’t use the service name in the email address; use something nonsensical instead, like “johndoe+21c60@gmail.com”. You’re storing this in a password manager anyway, right?
  • Change your passwords frequently. Four times a year, change the passwords for a quarter of your accounts, so none of them are ever more than a year old.
  • Use two-factor authentication wherever possible, including on your self-hosted WordPress site.
  • Periodically check if any of your accounts have been hacked by running your email address through Have I Been Pwned? This service checks your email address for matches with services involved in data breaches, including those which don’t necessarily make the news.
  • Never use “admin” as an account username on your WordPress site. (This is more of a protection against brute force attacks than credential stuffing attacks, but it is still sound advice, and one I always include on these lists.)
  • Only grant the privileges your WordPress site’s users actually need. Don’t just make everyone an “administrator” if all they will be doing is adding content. That way if someone does gain access to an account, you’re limiting the damage they can potentially inflict.
  • Always run your WordPress over HTTPS, so that it’s harder for hackers to “sniff” traffic to your website, searching for usernames and passwords being sent over plain text.
  • When using public wi-fi, always use a reputable VPN service to encrypt the traffic directly at your computer, to make it harder for nefarious actors on the same wi-fi network to see your computer’s traffic before it even leaves the network.

Stay Vigilant

Security is a never-ending road. It’s a journey, not a destination. It’s a practice that should become part of your daily Internet hygiene, like brushing your teeth.

While you can’t control what companies do with your information or how well they protect it, you can—by following the steps listed above—take action to prevent any major breach from adversely affecting your entire digital world.


Not sure how secure your WordPress site is? Sign up for our maintenance plan and we’ll take care of the security for you, including:

  • daily security scans
  • geographically limiting access to your site’s administration
  • protection against brute force attacks
  • two-factor authentication
