You may have noticed this happening more and more lately: Online accounts get taken over in droves, but the companies insist that their systems haven't been compromised. It's maddening, but in many cases, technically they're right. The real culprit is a hacker technique known as "credential stuffing."

The strategy is pretty straightforward. Attackers take a massive trove of usernames and passwords (often from a corporate megabreach) and try to "stuff" those credentials into the login page of other digital services. Because people often reuse the same username and password across multiple sites, attackers can often use one piece of credential info to unlock multiple accounts. In the last few weeks alone, Nest, Dunkin' Donuts, OkCupid, and the video platform DailyMotion have all seen their users fall victim to credential stuffing.

"With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services," says Crane Hassold, a threat intelligence manager at the digital fraud defense firm Agari. "Most people don't change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites."

Credential Craze

Credential stuffing has been a problem for years now, as troves of credentials from seminal breaches like LinkedIn and Dropbox in 2012 and Myspace in 2013 have been used—to great effect!—in countless credential stuffing campaigns. But one trend in particular has fueled a recent rise in successful campaigns.

Recently hackers have posted more gigantic, aggregated credential collections that comprise multiple data breaches. One of the most wild recent examples is known as Collection #1-5, a "breach of breaches" that totaled 2.2 billion unique username and password combinations, all available to download in plaintext—for free.

LEARN MORE The WIRED Guide to Data Breaches

“With Collections 1 through 5 we have actually seen spikes in credential stuffing recently, immediately after that news came out,” says Shuman Ghosemajumder, chief technical officer at the corporate digital fraud defense firm Shape Security. “In fact, we saw some of the largest credential stuffing attacks across several customers in just that week. And that makes sense because you’ve got all these plaintext usernames and passwords available through a torrent. It democratizes credential stuffing.”

The Collection credentials are mostly a few years old, meaning many were already in broad circulation and not worth much. But over the last week, another outlandish trove has provided exactly the type of fresh, high-quality credentials hackers cherish. Posted on the Dream Market dark web marketplace, the collection includes a total of roughly 841 million records, released in three batches, from 32 web services, including MyFitnessPal, MyHeritage, Whitepages, and the file-sharing platform Ge.tt. The first part of the dump costs about $20,000 in bitcoin, the second about $14,500, and the third roughly $9,350. A few of the breaches don’t include passwords, and some that do are protected by cryptographic scrambling that buyers will need to decode, but overall these are top-shelf troves ripe for use in credential stuffing.

Hot Stuff

As you've probably guessed, credential stuffing relies on automation; hackers aren't literally typing in hundreds of millions of credential pairs across hundreds of sites by hand. Credential stuffing attacks also can't try massive numbers of logins on a site with all the tries coming from the same IP address, because web services have basic rate-limiting protections in place to block floods of activity that could be destabilizing.

So hackers use credential stuffing tools, available on malicious platforms, to incorporate "proxy lists" to bounce the requests around the web and make them look like they're coming from all different IP addresses. They can also manipulate properties of the login requests to make it look like they come from a diverse array of browsers, because most websites will flag large amounts of traffic all coming from the same type of browser as suspicious. Credential stuffing tools will even offer integrations with platforms built to defeat Captchas.