But credential stuffing is also the perfect real-world illustration of why people are so often told not to reuse passwords.
Imagine you sign up to an online service using a particular combination of email and password, and then that service is compromised. Your credentials may end up in a huge collection on the dark web with billions of others, sold fairly cheaply. Now, that service may not have any important data about you. But, if you use that same password elsewhere, it could lead to significant trouble.
Crooks will load those billions of credentials into an automated system that throws them rapid-fire at services that do have important info, such as financial services. Those services should absolutely have protections against this. If they start getting thousands of different login requests from the same IP address, or several login attempts on the same account from different IP addresses, that should be flagged. Hunt and others have also created protocols that can check passwords to see if they’ve been caught up in a breach, and many companies use these so they can prompt users to change passwords before an attack occurs.
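The two warning signs described above (many different accounts tried from one IP address, and one account tried from many IP addresses) are simple enough to check against authentication logs directly. The following is an added example, not code from the article or from any fund; the log format, the ten-minute window and the thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Credential-stuffing detection heuristics over constructed auth log lines.

Added example for illustration. Assumed log format (one event per line):
    <ISO timestamp> <source ip> <account> <success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP rapid-firing credential pairs at many accounts,
# one account probed from several IPs, and one ordinary user. Not real data.
SAMPLE_LOG = """\
2025-04-04T09:00:00 203.0.113.7 alice@example.com failure
2025-04-04T09:00:01 203.0.113.7 bob@example.com failure
2025-04-04T09:00:01 203.0.113.7 carol@example.com failure
2025-04-04T09:00:02 203.0.113.7 dave@example.com failure
2025-04-04T09:00:02 203.0.113.7 erin@example.com success
2025-04-04T09:00:03 203.0.113.7 frank@example.com failure
2025-04-04T09:05:00 198.51.100.1 victim@example.com failure
2025-04-04T09:05:10 198.51.100.2 victim@example.com failure
2025-04-04T09:05:20 198.51.100.3 victim@example.com failure
2025-04-04T09:05:30 198.51.100.4 victim@example.com success
2025-04-04T09:10:00 192.0.2.50 grace@example.com success
2025-04-04T09:20:00 192.0.2.50 grace@example.com failure
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_ACCOUNTS_PER_IP = 5          # assumed threshold: more distinct accounts than this from one IP
MAX_IPS_PER_ACCOUNT = 3          # assumed threshold: more distinct IPs than this on one account


def parse_log(text):
    """Parse the assumed log format into (time, ip, account, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    events.sort()
    return events


def _sliding_distinct(events, key_idx, value_idx, window, limit):
    """For each key, count distinct values seen within any sliding window.

    Returns {key: peak distinct count} for keys whose peak exceeds `limit`.
    """
    per_key = defaultdict(list)
    for ev in events:
        per_key[ev[key_idx]].append(ev)
    flagged = {}
    for key, evs in per_key.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {e[value_idx] for e in evs[start:end + 1]}
            if len(distinct) > limit:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


def spraying_ips(events, window=WINDOW, limit=MAX_ACCOUNTS_PER_IP):
    """IPs that tried more distinct accounts than `limit` inside one window."""
    return _sliding_distinct(events, key_idx=1, value_idx=2, window=window, limit=limit)


def targeted_accounts(events, window=WINDOW, limit=MAX_IPS_PER_ACCOUNT):
    """Accounts that were tried from more distinct IPs than `limit` inside one window."""
    return _sliding_distinct(events, key_idx=2, value_idx=1, window=window, limit=limit)


def successful_logins_to_review(events, ips, accounts):
    """Successful logins that came from a flagged IP or landed on a flagged account.

    These are the sessions an analyst would want to review or step up with MFA.
    """
    return [(ip, acct) for _, ip, acct, result in events
            if result == "success" and (ip in ips or acct in accounts)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ips, accts = spraying_ips(evs), targeted_accounts(evs)
    print("IPs spraying accounts:", ips)
    print("Accounts hit from many IPs:", accts)
    print("Successful logins to review:", successful_logins_to_review(evs, ips, accts))
```

The two heuristics are deliberately symmetric: the first catches the automated system working through a credential list, the second catches the same list being replayed through many proxies against one valuable account. A successful login that matches either pattern is the case worth acting on, since it is exactly the reused password the article warns about.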
But an ironclad way to avoid being a victim of credential stuffing is to not reuse passwords, and particularly to have a unique password for any service that holds your money or sensitive data. There are many password managers that will keep all your unique passwords safe and encrypted, and some also integrate the technology that can tell you if one of your passwords has been found in data sold on the dark web, so you can change it.
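The breach-check protocol mentioned above is the k-anonymity model used by Have I Been Pwned's Pwned Passwords range API, which is what password managers call when they warn that a password has appeared in a breach. The sketch below is an added example, not code from the article, from HIBP or from any password manager; the breach corpus is a constructed local stand-in for the real range endpoint, and the breach counts in it are made up.

```python
"""k-anonymity password breach check, in the style of the Pwned Passwords range API.

Added example. The client hashes the password with SHA-1 and sends only the
first 5 hex characters of the digest; the service returns every known hash
suffix for that prefix, and the comparison of the remaining 35 characters
happens on the client. The service therefore never learns the password or
its full hash.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus: a few weak passwords with
# made-up occurrence counts. A real client would query the HTTPS range
# endpoint instead of this dictionary.
_BREACHED = {"password": 3730471, "123456": 37304, "letmein": 2310}
_CORPUS = {}
for _pw, _count in _BREACHED.items():
    _h = sha1_hex(_pw)
    _CORPUS.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix: str) -> str:
    """Server-side stand-in: 'SUFFIX:COUNT' lines for one 5-character prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-character hash prefix")
    return "\n".join(f"{suffix}:{count}" for suffix, count in _CORPUS.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appeared in breaches (0 if never seen).

    Only `prefix` is handed to `lookup`; the suffix comparison stays local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        known_suffix, count = line.split(":")
        if known_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a long unique passphrase 9f3"):
        n = breach_count(candidate)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
```

The property worth noticing is in `breach_count`: the only value that crosses the network is a five-character prefix shared by a large number of unrelated hashes, so even a compromised or logging service learns nothing usable about the password being checked. That is what lets a fund or a password manager screen credentials against breach data without itself becoming a new place where those passwords are exposed.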
Gaps in security
That said, security cannot be left to end users alone. And the pressure on the sector to tighten up its practices is warranted.
“Basic multi-factor authentication can stop attackers in their tracks, even if they have the correct password. Some super funds have this in place, but incredibly, not all of them do,” said David Sandell, chief executive of critical infrastructure threat analysis centre CI-ISAC.
“There have been plenty of examples of not implementing MFA leading to catastrophic results, such as the British Library attack of 2023. In 2025, that’s simply not good enough. There are also ways to proactively monitor whether customer passwords are weak, or have appeared in data breaches. It would appear this also did not happen.”
So, let’s imagine a future where all funds do offer MFA, and even require it. And let’s imagine they monitor for passwords detected in previous breaches. This all adds a little bit of friction and annoyance for end users because they need to go through an extra step every time they log in, and it can also be a barrier for those without mobile phones. Answers to so-called MFA fatigue include passkeys stored on devices and biometrics such as Face ID and fingerprint, but these may not be available to all users. Still, it’s less annoying than losing your retirement savings.
So what happens then? Do these kinds of attacks go away? Obviously not. Crooks have developed and scaled tools that test systems to find weaknesses such as password resets or even to intercept emails and SMS messages to bypass MFA. Then, of course, there’s generative AI.
“Even well-secured systems can be vulnerable if attackers use advanced techniques like AI-driven bots that mimic human behaviour to bypass security checks. This is why both institutions and consumers need to take an active role in protecting their accounts,” said Mark Gorrie, Australia-Pacific managing director for security software company Norton.
“These attacks are becoming more targeted with the availability of data to profile users on services used and other identity information. AI can also help cybercriminals generate more convincing phishing emails and text messages, to trick people into revealing their credentials.”
But Hunt said the rise of AI in cybersecurity wasn’t all bad.
“The scope of AI is so broad that it’s going to be used more and more to look for things like vulnerabilities, or to imply certain things about the security posture of a service that would otherwise take us quite some time to figure out,” he said.
“We have AI as the good guys as well. So we should be able to be better than ever at identifying anomalous behaviour.”