“To prevent credential stuffing attacks, cloud-based platforms must implement more advanced device verification systems, so that attackers cannot brute force test passwords. Combine this with a botnet originating from multiple different sources and you have an attack that can defeat most login protections, such as geoblocking and/or rate limiting,” he continued.ĭespite PayPal itself not being hacked, some experts have expressed the need for platforms to implement better password practices on their user’s behalf. “Credential stuffing differs from brute force attacks in that they use valid credentials from other platforms. Research suggests that 0.1% of leaked credentials will be valid on another platform – Whilst this sounds like a small amount, leaked credentials number into the billions (services like haveibeenpwned list counts by breach),” said Mike Varley, threat consultant at Adarma. “In the online age, where every website wants a user to have an account, it is easy to understand why people will re-use the same username & password combination. Credential stuffing attacks such as this are a key driver of the security industry’s insistence on good password hygiene, using unique, complex pass-phrases that are unlikely to be guessed.