Credential Stuffing: Password Hacking Methods You Need to Avoid

If you need a reason not to reuse the same username and password for your online accounts (and there are many reasons), you might start by increasing your chances of avoiding a specific but very common type of cybercrime: credential stuffing attacks.

Credential stuffing is a form of brute force password attack that takes advantage of people reusing login information, or credentials, across multiple accounts.

According to Atlas VPN's 2020 report, there were approximately 3.6 million credential stuffing attacks every hour. While only a small fraction were successful, the impact was significant: credential stuffing attacks caused $6.4 billion in damage from 2015 to 2020.

So how does credential stuffing work and how can it be avoided?

In a credential stuffing attack, hackers obtain usernames and passwords that have been compromised in a data breach and begin plugging them into other websites with the goal of gaining access to insecure accounts.

Because cybercriminals try multiple credentials on multiple accounts, this method is a kind of brute force attack, amounting to a fast-paced guessing game.

The difference from a regular brute force attack is that the guessing is not completely random. Thanks to the tendency to reuse login credentials, the hacker already has a valid username and password pair. The hacker just doesn't know which other accounts those credentials will unlock.

For example, suppose you use the same username and password for your primary email account, your online banking account, your social media account, and your shopping site account.

Now, one of these four accounts is compromised in a data breach. The hacker has credentials to log into your other accounts, which may include sensitive information such as credit card numbers, banking information, and private messages.

These bad guys only need to work hard enough, long enough, to find your other accounts.

This is where automated tools come in. These tools can hit websites with thousands of login attempts per hour. They can also make malicious login requests look legitimate, which can make it difficult to detect that such an attack is taking place.

Although the success rate of login attempts through credential stuffing is estimated to be between 0.1% and 2%, the likelihood of being victimized is not low. If an automated tool can test 100,000 sets of credentials on a single website, the attacker can expect to break into between 100 and 2,000 accounts. You do not want your accounts to be among them.
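The paragraphs above note that automated stuffing tools make their login attempts look legitimate, which makes the attack hard to spot. As an added example (not code from the original article), here is a small Python detector that scans constructed authentication log lines for the pattern stuffing leaves behind on the server side: one source address trying many different usernames in a short window, with most attempts failing. The log format, the thresholds and the IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system): one line
# per login attempt with timestamp, source IP, username tried, and outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=dave result=OK
2024-03-01T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:20Z ip=198.51.100.7 user=alice result=OK
2024-03-01T10:05:00Z ip=192.0.2.9 user=grace result=FAIL
2024-03-01T10:05:07Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than crashing the detector
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(text, window_s=60, min_users=5, min_fail_rate=0.8):
    """Flag source IPs that, inside any window_s-second span, tried at least
    min_users distinct usernames with a failure rate >= min_fail_rate. A user
    retyping their own password is one username repeated, so it is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # sliding window per source
            span = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_rate:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users),
                               "failure_rate": round(fails / len(span), 2)}
                break
    return flagged
```

On the sample log only 203.0.113.5 is flagged (six usernames, five failures in five seconds); the thresholds need tuning against real traffic, and because stuffing tools spread attempts across many addresses, per-IP counting is a starting point rather than a complete defense.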

Stolen credentials are not in short supply; the website HaveIBeenPwned can check if passwords and usernames were compromised in a data breach.

Large-scale data breaches occur regularly, affecting Facebook, T-Mobile, Microsoft, Walgreens, and many others; in 2012, everyone with a LinkedIn account had their login credentials stolen, and in 2013, everyone with a Yahoo! account had theirs stolen as well.

The most important action you can take is to start changing your passwords right now. Begin with the credentials you use for multiple websites and make sure no password is repeated.

While you're at it, practice good password hygiene for accounts that contain sensitive personal information, starting with those that hackers might use to steal your identity or money. This includes all bank and financial accounts, all websites that store your credit card numbers, and all social media sites.

While any credential is susceptible to a data breach, using strong and unique passwords will help protect your accounts from access by credential stuffers.

Here are some tips for protecting your online passwords:

One reason we reuse basic passwords is that it is difficult to remember many sets of complex credentials. A good password manager will store your login information and auto-fill it for you when you need it, so you don't have to memorize it or write it down on paper.

Additionally, the best password managers have generators to create strong and unique passwords. Some also have security dashboards that let you know if there has been an information breach and which passwords have been reused.

Credential stuffing need not be an inevitable consequence of spending time online. By organizing your usernames and passwords, you can minimize the risk.
