Proudly supported by

Australian Government logo


Resources Hub / Small business cyber basics / ‘Credential stuffing’: How you can protect yourself and business

‘Credential stuffing’: How you can protect yourself and business


Thousands of people across Australia have woken up to the news that they might be victims of ongoing online scams.

Cyber security company, Kasada, has been investigating cyber attacks and found a number of well-known retailers might have been compromised, according to the Sydney Morning Herald

In their analysis, Kasada alleges some customers of Guzman y Gomez, Dan Murphy’s, Binge, TVSN and Event Cinemas have had their online accounts compromised. 

This comes just a week after the news that online retailer, The Iconic had been breached, causing some customers to lose thousands of dollars and have their user details breached. 

In these attacks, cyber criminals are using a scam called “credential stuffing” to gain access to an individual’s online account and make fraudulent transactions.

As a small business, if you trade online using an eCommerce store or you purchase online — here’s what you need to know.

What is credential stuffing?

Credential stuffing is a type of cyber attack that targets people who have previously had their usernames, emails or passwords stolen in a data breach. They are then more vulnerable to a second, more dangerous attack where cyber criminals reuse the email and password combinations to get access to more of your accounts, and more of your personal data.

It might help to think of credential stuffing like a cyber criminal game of bingo. Hackers will take your previously stolen passwords and try to crack your other accounts using the same details. This is why people who reuse the same passwords when shopping online are more at-risk of an attack.

What are credential stuffing shopping scams?

When cyber criminals successfully use credential stuffing to guess your password on a online shopping account then they have the ability to place orders, and charge them back to your previously used credit card!

How do I know if my details have been hacked?

Kasada, who has been analysing the attacks, says that 15,000 Australian accounts have been hacked in the past three months, as at January 2023, with that number growing daily. 

People who use the same passwords across many accounts are most vulnerable to a credential stuffing cyber attack, especially if they have previously had their usernames stolen in an unrelated data breach. 

If you are unsure if you have previously had your data leaked online you can check by visiting the website ‘Have I been pwndwhich checks your email against known data leaks. If the email you usually shop with is in on this list it means  you can be targetted with a credential stuffing attack. 

Because credential stuffing cyber attacks impersonate legitimate shoppers using real passwords and real usernames, it makes it very difficult for online businesses to identify the scam. 

While many companies are still learning or investigating the attacks, we encourage you to review your bank statements and look out for any suspicious transactions. 

If you think you have been hacked, you can make a report to the ACSC.

How do I protect myself from credential stuffing?

As a customer, one of the best ways to defend against credential stuffing is to follow some basic cyber safety principles. 

1. Have unique passwords for all your accounts

This means that even if one of your accounts gets breached, cyber criminals won’t be able to use this password to break in anywhere else. 

2. Use strong and long passwords

Of course, the stronger the password, the better. We know the struggle of trying to remember a bunch of complex passwords so we encourage you to start using passphrases. Passphrases contain at least four unpredictable words like: ProtectBirthdayPlantMovie The ACSC says that passphrases are easier to remember than passwords and can be even harder for cyber criminals to crack. 

3. Add a virtual alarm with multi-factor authentication

With multi-factor authentication, like a unique one-time code, even if cyber criminals get access to your password, the second code prevents them getting into your account.

4. Talk with your team about the risk of credential stuffing 

Talking with your team about cyber security will help them protect your business. Encourage your team to check their own passwords, follow the simple steps above and be alert to cyber attacks.

The founder of Kasada, Sam Crowther, says that Australian businesses are increasingly being targeted by scammers.

“This is a concerted, targeted effort to hit Australian business who haven’t had to deal with this before,” Crowther told the Sydney Morning Herald.

Crowther also said that many businesses might not be aware they have been targeted or the extent of its impacts. For small businesses, this can be even harder when they don’t have dedicated IT or cyber security teams.

If your business has online accounts customers can login to or store credit card details, you can proactively get ahead of the scammers, and help protect your customers and your business reputation.

1. Be alert to unusual change of address requests 

If a regular customer suddenly changes their address details, it might be a sign their password and account have been compromised. Consider checking past orders for contact details and reaching out before you dispatch orders. 

2. Protect your shopping accounts with multi-factor authentication 

If your shopping system offers multi-factor authentication for your customers, set this as a compulsory setting to add a layer of security. 

3. Help customers upgrade their passwords 

Show your customers you are a cyber-safe company by encouraging them to reset all their online shopping passwords to unique and long passphrases. 

4. In an emergency, hard reset customer passwords

If you notice hackers targeting your customers through your website, you can help protect them by cancelling old passwords and requesting they reset their passwords to new, original and strong passphrases. 

5. Sense check an influx of repeat orders

Did your website traffic just spike unexpectedly and are you unsure of the source of traffic? Cyber criminals can use supercomputers and bots to test lots of account usernames and passwords at a time when they are using credential stuffing attacks. If your repeat orders rapidly increase and you didn’t just launch a 50% off sale, be alert to the potential for credential stuffing scam orders!

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.

Learn easy and simple cyber security tips for your small business

More helpful resources for you and your business

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.