As the impacts of the pandemic continue to ripple outwards, hackers are tapping into credential stuffing as an easy way to victimize both companies and individuals. The chain of events is easy to trace: a rapid transition to remote work, an e-commerce boom, and millions of new online accounts for everything from grocery delivery to streaming services.

The rapidity of the transition meant that not every system was built with secure foundations; in fact, the opposite was true. The additional reliance on web-based commerce meant that hackers had myriad opportunities to attack sites and harvest users’ credentials. From there, the unfortunate yet common pattern unfolded: hackers sell lists of credentials on the dark web, and other bad actors then use them in credential stuffing attacks on additional platforms.

To be explicit: the number of attacks recorded in 2020 was close to two hundred billion. That’s just the documented attacks, not the ones that flew under the radar. Credential stuffing is an urgent problem for retailers, and the industry needs to be part of the process of building defensive solutions.

Keeping the Core Strong with Strong Passwords

It might seem like singing the same song over and over, but it can’t be emphasized enough: building password policies that are strong and up to date is crucial in the digital commerce landscape. Since people use tens and sometimes hundreds of digital accounts, consumers tend to make passwords simple and easy to remember, especially when interacting with a site they think they might not use frequently.

While implementing multi-factor authentication (MFA) sometimes seems like a convenient solution to combat weak passwords, it’s not a failsafe from a security perspective. From the retail perspective, consumers often find MFA burdensome, so it’s not a positive sales tactic.

Password Reuse

Unfortunately, the issue with passwords doesn’t stop at the creation of weak ones. It’s incredibly common for consumers to reuse their passwords across many platforms and websites, or just make slight variations. For example, someone might feel ‘Soccer1’ is a good enough password, and then use ‘Soccer123!’ or ‘$occer2020’ on other websites.

If any of the user’s passwords have been exposed in a prior breach, it’s a near guarantee that they are available for purchase via the dark web. The small variations are easy for a computer to guess and are a gateway to credential stuffing attacks.

Credential stuffing is almost always carried out by a bot that smashes pairs of credentials into websites until it finds one that sticks. This technique is part of a category known as “brute force attacks” because the process doesn’t require much technical skill. Virtually anyone with a little purchasing power can obtain users’ data, launch a credential stuffing attack, compromise individual accounts, and make fraudulent purchases, a process that could happen overnight. The purchases themselves might be minor (someone could order pizza if they steal your Domino’s login) or they could be major, like taking out credit cards or buying cryptocurrency from your accounts.

Credential stuffing attacks are happening throughout the retail industry and not just to specific subsets. Now is the time for e-commerce providers to come together to solve the issue in a way that doesn’t drag the customer experience down.  


Balancing security considerations with the demand for a seamless digital experience has always been tough, but right now, it’s a top priority.

Fortunately, there is a solution that occurs in the backend so it doesn’t interrupt the consumer experience. Credential screening protects both the user and the company. This means that as consumers type their passwords and email addresses into the website, there is software continuously checking for password integrity—checking it against a blacklist of passwords that have already been flagged as weak or compromised.

With Enzoic, this process is nearly instantaneous. In addition, consumers only become aware if a compromise is detected and they are prompted to change their password.
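The screening check described above, written out as an added example; it is not code from the original article or from Enzoic. Beyond exact matches it also flags the "slight variations" described under Password Reuse; the sample list, the substitution map, and the function names are constructed assumptions.

```python
import hashlib
import re

# Constructed sample of passwords "exposed in a prior breach" (not real breach data).
EXPOSED_SAMPLE = ["Soccer1", "qwerty2019", "Summer!"]

# Common character substitutions undone before comparison (assumed, not exhaustive).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "l", "!": "i"})


def _digest(text: str) -> str:
    """Hash entries so the screening list itself holds no plaintext."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def root_form(password: str) -> str:
    """Reduce a password to its base word: drop the trailing digit/symbol
    suffix, lowercase, then undo common substitutions."""
    stem = re.sub(r"[\d\W_]+$", "", password)
    return (stem or password).lower().translate(LEET)


EXACT = {_digest(p) for p in EXPOSED_SAMPLE}
ROOTS = {_digest(root_form(p)) for p in EXPOSED_SAMPLE}


def screen(password: str) -> str:
    """Return 'exposed', 'variant' or 'ok' for a password submitted at
    signup, login or password change."""
    if _digest(password) in EXACT:
        return "exposed"
    root = root_form(password)
    # Very short roots are skipped so unrelated passwords are not flagged.
    if len(root) >= 4 and _digest(root) in ROOTS:
        return "variant"
    return "ok"


if __name__ == "__main__":
    for candidate in ["Soccer1", "Soccer123!", "$occer2020", "plum-Teapot-Orbit-77"]:
        print(f"{candidate!r}: {screen(candidate)}")
```

A site would prompt for a password change on either "exposed" or "variant", which matches the behaviour described above: the consumer only notices the check when a problem is found.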

While the retail industry is still reeling from breaches and attacks, it is not too late to invest time and resources into cybersecurity. Preventative and defensive actions both have their place. It’s best to take whatever steps you can, as soon as possible, whether that means stronger password policies, MFA, credential screening, or, in the best case, a layered approach using multiple strategies.

Let’s solve the riddle of retail security together.