Skip to main content

Credential stuffing

Credential stuffing. What is it?

In a world of smart-enabled devices — smartphones, smart TVs, smart assistants, even smart cars — passwords are the most common way hackers use to compromise accounts and access personal data.

Credential stuffing is a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.*

In reality, this is a very simple hacker technique. Consider the scenario below:

  1. John created a special password combination consisting of uppercase and lowercase letters, numbers, and special characters. Because he does not want to remember multiple passwords, he created one that can be accepted in multiple websites.
  2. This password is then used to access his preferred websites, such as a food delivery application, the social network where he posts family photos, a podcast site, his personal email account and online banking account. It is also used to access his online banking.
  3. His favorite podcast website was compromised, and the website’s administrator is not aware of the incident. Thousands of login ID and password combinations were leaked, including John’s, and secretly traded among hackers.
  4. Hackers use these known valid login ID and password combinations and try to access multiple websites. Eventually, they successfully access John’s data included in his websites of interest: his phone number, full address, personal email and where he works. There is also a bank statement that he downloaded and sent to his email account the previous week.
  5. A week later, he receives a mysterious call from someone allegedly from the bank’s fraud prevention team, asking for a code that was sent to his cellphone. He feels something might be wrong, and decides to call the bank, discovering it was a fraud attempt.


How can I prevent credential stuffing?

Do not use the same password in different websites of personal and professional interest. Use a unique password for Cathay Bank, not equal or similar to any you use in other websites.

Whenever possible, create different passwords on websites with different contexts, especially those that may affect your finances. Banks usually require step-up authentication when an unusual transaction is detected, a new device is used or the type of activity and/or amount requested does not match the customer’s profile.

This is commonly performed with an additional code sent to the user’s cellphone. Do not provide this code to anyone; it is meant to be used on computer systems.



Cathay Bank

Email communication is not secure

Please do not include sensitive information such as account numbers or other personal information such as Social Security or Tax Identification numbers, driver’s license numbers, etc. in any email sent to us via this link.