
Credential Stuffing Increasing


Credential stuffing is one of the most common techniques used to take over user accounts.

According to the Open Web Application Security Project (OWASP), research shows that past Dropbox, JP Morgan, Sony and Yahoo breaches resulted from credential stuffing.

In this type of attack, the perpetrator acquires spilled usernames and passwords from a website breach or password dump site and uses an account checker to test the stolen credentials against a variety of websites. When an attempt succeeds, the attacker takes over the account matching the stolen credentials and drains stolen accounts of stored value, credit card numbers, and other personally identifiable information.
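The account-checker behaviour described above leaves a recognisable trace in authentication logs: one source tries many different accounts, usually once each, and most attempts fail. The following is an added example, not code from the original post or from OWASP; the event format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success).
SAMPLE_EVENTS = (
    # One try per account, a single hit: the credential stuffing pattern.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # A real user mistyping a password, then succeeding.
    + [("198.51.100.20", "alice", False), ("198.51.100.20", "alice", True)]
    # Password guessing against one account (brute force, not stuffing).
    + [("192.0.2.55", "admin", False)] * 10
    # Shared office NAT: many users, all logging in successfully.
    + [("198.51.100.99", f"staff{i}", True) for i in range(6)]
)


def find_stuffing_sources(events, min_users=5, max_tries_per_user=2.0,
                          max_success_ratio=0.2):
    """Return {ip: stats} for sources whose logins look like credential stuffing.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0,
                                  "users": set(), "hit_users": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok"] += 1
            stats["hit_users"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        tries_per_user = stats["attempts"] / distinct
        success_ratio = stats["ok"] / stats["attempts"]
        # Many accounts, few tries per account, mostly failures.
        if (distinct >= min_users and tries_per_user <= max_tries_per_user
                and success_ratio <= max_success_ratio):
            flagged[ip] = {
                "distinct_users": distinct,
                "attempts": stats["attempts"],
                # Accounts that accepted a tested credential: reset these first.
                "compromised": sorted(stats["hit_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting can be repeated over other keys available in the logs.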

In its Credential Stuffing Prevention Cheat Sheet, OWASP recommends several steps for thwarting credential stuffing attacks, from multi-factor authentication to avoiding the use of email addresses as user IDs.