
Anatomy of a Breach: The Credential Stuffing Epidemic — When Mega-Breach Data Was Weaponised at Scale

> series: anatomy_of_a_breach —— part: 091 —— attack: credential_stuffing —— source: 542M_credentials —— victims: everyone_who_reuses_passwords

Hedgehog Security 31 July 2016 12 min read

542 million credentials + password reuse = every service under attack simultaneously.

In the weeks following the mega-breach data dumps, the consequences materialised with devastating speed. TeamViewer users reported that attackers had used their compromised credentials to remotely access their computers — in some cases emptying PayPal accounts or installing ransomware. Citrix forced password resets for all GoToMyPC users. GitHub, Carbonite, Twitter, and dozens of other services reported waves of credential-stuffing attacks — automated attempts to log in using the email-password combinations from LinkedIn, Myspace, and Tumblr.

The credential-stuffing epidemic of mid-2016 was the inevitable consequence of the mega-breach data dumps combined with the persistent reality that users reuse passwords across services. A password compromised on LinkedIn in 2012 — and sold on the dark web in 2016 — could unlock a user's TeamViewer, email, banking, and corporate VPN accounts if the same password had been used. The attack required no sophistication: off-the-shelf credential-stuffing tools automated the process of testing millions of credentials against target services at machine speed.



One breach becomes a thousand account takeovers.

TeamViewer: Remote Access Hijacked

TeamViewer users reported that attackers logged into their machines remotely and used the access to drain bank accounts, steal data, and install malware. When TeamViewer is compromised, the attacker has the same access as if they were sitting at the keyboard. Our <a href="/penetration-testing/infrastructure">penetration testing</a> assesses remote access security including credential strength and MFA enforcement.

GoToMyPC: Full User Base Reset

Citrix took the extraordinary step of forcing password resets for every GoToMyPC user — acknowledging that the volume of credential-stuffing attacks was too large to address individually. This is the nuclear option that organisations are forced to take when credential compromise is widespread.

Automated at Machine Speed

Credential-stuffing tools can test thousands of credentials per minute against a target service. Without rate limiting, account lockout policies, and anomalous login detection, services are overwhelmed. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the anomalous login patterns — high-volume failed authentications, logins from unusual geolocations, and rapid sequential attempts — that indicate credential-stuffing attacks in progress.

MFA Stops Credential Stuffing Cold

Services that required MFA were immune to credential stuffing — the stolen password was insufficient without the second factor. Services that did not require MFA were vulnerable to every credential in the 542-million-record dataset. <a href="/cyber-essentials">Cyber Essentials Danzell</a> makes MFA an auto-fail criterion because the evidence is now overwhelming.

MFA. Rate limiting. Anomaly detection. The three defences that work.

Defending against credential stuffing requires three controls: MFA (making stolen credentials insufficient on their own), rate limiting and account lockout (slowing automated attacks), and anomalous login detection (identifying attack patterns in real time). Cyber Essentials mandates MFA. Our application testing verifies rate limiting and lockout policies. SOC in a Box provides real-time anomalous login detection. And UK Cyber Defence provides incident response when credential-stuffing attacks result in account compromise.
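The anomalous-login detection described in the "Automated at Machine Speed" section and the third control listed above, as an added example that is not part of the original article or of SOC in a Box: a small Python checker that reads constructed authentication log lines and flags a source IP that tries many distinct usernames within a short window with a low success ratio, reporting the accounts that did succeed so they can be reset. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp src_ip user result.
# One IP sprays seven usernames in six seconds; the other is a user who mistyped once.
SAMPLE_LOG = """\
2016-06-01T10:00:00 203.0.113.7 alice FAIL
2016-06-01T10:00:01 203.0.113.7 bob FAIL
2016-06-01T10:00:02 203.0.113.7 carol FAIL
2016-06-01T10:00:03 203.0.113.7 dave FAIL
2016-06-01T10:00:04 203.0.113.7 erin SUCCESS
2016-06-01T10:00:05 203.0.113.7 frank FAIL
2016-06-01T10:00:06 203.0.113.7 grace FAIL
2016-06-01T10:03:00 198.51.100.9 alice FAIL
2016-06-01T10:03:40 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=1), min_users=5, max_success_ratio=0.3):
    """Per source IP, slide a time window over its attempts; flag the IP when any
    window holds >= min_users distinct usernames with a success ratio at or below
    max_success_ratio (stuffing is mostly failures). Thresholds are illustrative
    assumptions. Returns {ip: {"users": n_distinct, "compromised": [users that succeeded]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        flagged, compromised, start = set(), set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                flagged |= users
                compromised |= set(successes)
        if flagged:
            alerts[ip] = {"users": len(flagged), "compromised": sorted(compromised)}
    return alerts


def run_example():
    return detect_stuffing(parse_log(SAMPLE_LOG))
```

The flagged IP is a candidate for rate limiting or blocking, and the accounts in `compromised` are the ones to force a password reset on; the single-user IP is left alone because an ordinary mistyped password must not trip the alert.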


TeamViewer. GoToMyPC. GitHub. Carbonite. All attacked with reused passwords. Is your service protected?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="/penetration-testing/web-application">Application testing</a> verifies rate limiting. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects credential-stuffing patterns.
