Protect Your Information from Credential Stuffing Attacks

What is “credential stuffing”?  Over the last several decades we have seen many high profile data breaches, many of which have involved the theft of login account usernames and passwords.  Once stolen, these credentials are readily available for sale on the dark web.  Bad actors buy these stolen credentials and create lists of millions of username and password combinations. Knowing that users reuse the same passwords over many years and across online accounts, bad actors simply automate application of these credential lists to online accounts knowing that some percentage of credentials will successfully “match” current account login credentials. Once they get a match they can log into the account, run searches across the content for financial or other valuable information, change user contact information (e.g., email addresses, phone numbers), and even change access rights. 


The use of stolen login credentials is one of the most common ways for bad actors to compromise users’ online accounts; in fact, an estimated 49% of external hackers have relied on the use of stolen credentials to conduct high-volume credential stuffing attacks. 


What can I do to protect myself?


The good news is that you can protect yourself from such attacks if you follow some basic best practices: 

  • Do not use the same password across all of your online accounts
  • Do not reuse or recycle your passwords, particularly if you have been the victim of a prior data breach 
  • Change your passwords on a regular basis and follow best practices on creating strong passwords
  • Implement multi-factor authentication (MFA), which is offered by most online account providers
  • Keep your passwords safe and do not share them; even better, use a password management tool


If you believe your Postman account may have been compromised:

  • Contact Postman immediately if you see suspicious activity in your account
  • Check your account for any modifications to your user information (e.g., changed email address or other contact information, access rights, etc.)
  • Review the contents of your account to assess potential risks to you or your organization.

Have more questions? Submit a request