What is credential stuffing: inside the attacks on Australia’s retailers

In early 2024, online stores have had to tell their customers that hackers and fraudsters had racked up huge purchases using their accounts and credit cards. It’s an attack called “credential stuffing”. Here’s how it works and how you can help protect yourself.
Luke Hopewell · 24 January 2024 · 5 minute read

What is credential stuffing? How does it work?

When hackers get their hands on a massive set of usernames and passwords, usually purchased from the dark web, they attempt to use these credentials across various online services. 

It's akin to trying that same key on every door in the neighbourhood, hoping to find one that fits.

Hackers score this data by scooping up big troves of usernames and passwords from various breaches over the years. A batch of usernames and passwords numbering in the thousands can commonly be purchased on the dark web for just a few dollars. And your details are probably in one of those batches right now without you knowing it. 

The method is deceptively simple yet highly effective, relying on the fact that many people reuse the same passwords across multiple platforms – so a breach of your password on one platform can potentially expose you to a breach on many others.


The real-world dangers of password reuse

Using the same password everywhere might feel easy, but it’s far less secure. We’ve seen all too clearly the kind of damage reusing the same password over and over again can do in the real world.  

Picture this using the key analogy again: if you use the same key for your house, car, and office, a thief who manages to steal that key gains access to your entire life. Similarly, if a hacker discovers your password for one account, they can potentially unlock all the doors to your digital world.

The danger lies in the fact that once a hacker successfully logs into one account using credential stuffing, they can access other accounts where you've reused the same password. It's a domino effect that puts your personal information, sensitive data, and even financial assets at risk.

Especially if your credit card details are stored in that account. This is where the real trouble starts.

Because hackers have your digital keys, they can log onto your accounts and order themselves goods and services using your money, and ship it to themselves. We’re talking designer clothes, high-end alcohol, gift cards and other experiences. 

Safeguarding your online presence requires a proactive approach. Credential stuffing is alive and well in Australia, and we’ve seen just how inconvenient it can be to have your money used on someone else’s fraudulent purchases. 

Follow the simple steps above to stay safe and you’ll be better protected from these sorts of drive-by scams.

So how can you stay safe? Start with these simple tips.


First things first: don’t use the same key for every door in your life. Keep yourself safe by securing your accounts with different passwords.  



Imagine having a trustworthy butler who not only remembers all your unique keys but also generates complex ones for you. 

Password managers do just that – they generate strong, unique passwords for each account and securely store them

It's like having a guardian for your digital keys, ensuring they are strong and diverse. And it means you only have to remember one really strong password or passphrase instead of hundreds. 



A passphrase is a longer and more complex sequence of words, numbers, and symbols used to authenticate a user. It functions similarly to a password but offers an extra layer of protection due to its length and complexity. 

Instead of using a common password, instead tell a brief story to create a passphrase such as: ‘CookSteakToTempOf48C’.  

It will take a brute force password cracker less than a second to decode a password like ‘password’, but ‘CookSteakToTempOf48C’ would take a computer literally centuries to figure out.Passphrases allow users to create strong and memorable authentication credentials, striking a balance between security and usability. This adaptability is crucial in promoting good security practices among users who may otherwise resort to using weak and easily guessable passwords.



Imagine leaving your credit card details lying around in every store you visit. Saving credit card information on online platforms is akin to this risky behaviour. 

Opt to enter your payment details manually when making purchases, reducing the chances of unauthorised access to your financial information.

By Luke Hopewell

Editor, tech expert and Senior Specialist Writer at Telstra Exchange

Luke Hopewell is an editor, tech expert and Senior Specialist Writer at Telstra Exchange. Luke joined Telstra in 2019 where he has had the privilege to help bring stories to life in a unique and human way. He was previously the head of editorial at Twitter Australia and the editor of cult tech site Gizmodo. For over a decade, Luke’s passion for technology has always driven him to seek out the latest gadgets and game-changers, and help others to understand how it all works. In another life he was a cyber security specialist where he sought to educate people about how to stay safe online. When he's not writing, he's getting outdoors and patting all the nice dogs he meets.