08.07.2022 - Credential stuffing: report and guidelines

08.07.2022 - In its latest report, the Global Privacy Assembly identifies credential stuffing as a growing threat to personal data. The related guidelines provide users with information on security measures that can be taken to protect against this threat.

Credential stuffing is a form of cyberattack that exploits people’s tendency to use the same user name and password combinations for multiple online accounts. These attacks are automated and often perpetrated on a large scale. The stolen login data are used to gain access to accounts on various internet platforms.

The report, published by the International Enforcement Working Group (IEWG) as part of the Global Privacy Assembly (GPA), includes contributions from the Federal Data Protection and Information Commissioner as well as data protection authorities from the UK, Canada, Gibraltar, Jersey and Turkey. It emphasises the growing trend of credential stuffing attacks and provides information on how organisations and individuals can prevent, recognise and minimise their risk.

The Global Privacy Assembly considered multi-factor authentication for online accounts to be the most effective protection against credential stuffing.

Bringing together more than 130 data protection authorities from around the world, the Global Privacy Assembly is one of the leading organisations globally for data protection and privacy authorities.

The report and guidelines can be found at the following links:

International Enforcement Cooperation Working Group: Credential Stuffing Awareness Raising for individuals
International Enforcement Cooperation Working Group: Credential Stuffing Guidelines for commercial organisations 

Last modification 16.05.2023
