By Clare O’Gara
Fri | Aug 16, 2019 | 7:49 AM PDT

Way back in February 2019, Google promised users greater account safety through its Password Checkup Chrome extension.

The goal? To prevent account hijacking by notifying users about passwords that were already exposed through third-party breaches.

Now, six months after the extension launch, what has Google learned about password protection and credential stuffing attacks across the web?

Credential stuffing risk by industry verticals

According to Google, credential stuffing is an issue that varies widely across the internet.

And almost all of the risk boils down to the passwords that users choose:

"We found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts.

This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites."

Google also provided a graphic explaining how the credential stuffing risk depends on the account and industry vertical:

[Graphic: credential stuffing risk by industry vertical]

And many users aren't doing much to avoid danger. In fact, some are making it even easier for credential stuffers:

"Outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking."

But Google reminds us that these risks aren't set in stone. Bad actors routinely use compromised usernames and passwords, but there's an easy way to avoid it:

"If you use strong, unique passwords for all your accounts, this risk disappears."

Google on passwords: how Chrome extension improves security

In the details of the Password Checkup extension, Google explains how the program works:

"Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password.

If you use the same username and password for any other accounts, please reset your password there as well."
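The check described in that quote, sketched as an added example (this is not Google's code or protocol): a sign-in is flagged only when the exact username and password pair appears in a breach set, and the alert lists the other saved accounts that reuse the same pair. The function names, the sites and all credentials below are constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(username, password):
    # Assumption: usernames compare case-insensitively; passwords are exact.
    pair = username.strip().lower().encode() + b"\x00" + password.encode()
    # Plain SHA-256 keeps the sketch short; a real service would use a slow,
    # salted hash and a lookup that does not reveal the credential.
    return hashlib.sha256(pair).hexdigest()

# Constructed sample data, not real breach contents.
BREACHED = {
    fingerprint("alice@example.com", "Summer2019!"),
    fingerprint("bob@example.com", "hunter2"),
}

# Constructed saved logins: (site, username, password).
SAVED_LOGINS = [
    ("shop.example", "alice@example.com", "Summer2019!"),
    ("news.example", "alice@example.com", "Summer2019!"),
    ("bank.example", "alice.smith@example.com", "Summer2019!"),
    ("mail.example", "alice@example.com", "c0rrect-horse-battery-staple"),
]

def check_sign_in(site, username, password, breached=BREACHED, saved=SAVED_LOGINS):
    """Return an alert dict if the pair is breached, otherwise None."""
    fp = fingerprint(username, password)
    if fp not in breached:
        return None
    # Other accounts with the same username AND password need a reset too.
    reset_also = sorted(
        s for s, u, p in saved
        if s != site and hmac.compare_digest(fingerprint(u, p), fp)
    )
    return {"site": site, "reset_also": reset_also}

if __name__ == "__main__":
    print(check_sign_in("shop.example", "Alice@Example.com", "Summer2019!"))
    print(check_sign_in("mail.example", "alice@example.com",
                        "c0rrect-horse-battery-staple"))
```

Because the match is on the pair, the bank.example login (same password, different username) is not flagged by this check, although the reused password is still a risk there.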

Since the initial launch, the extension has seen 26% of users change their passwords.

But what's even more interesting is how the new passwords look.

"Even better, 60% of new passwords are secure against guessing attacks—meaning it would take an attacker over a hundred million guesses before identifying the new password."

Google even included a graph of how new passwords get less guessable:

[Graph: how new passwords get less guessable]

This is bad news for hackers and good news for security.

The complete post about what Google found is available here.

You can download the Password Checkup Chrome extension here.
