
Gamers are targeted by Credential Stuffing attacks – here’s what you can do


Over the last few decades, gaming has improved enormously. Who can compare Fallout 1 with Dragon Age or Witcher 3 and deny we’ve come a long way? Moreover, single-player games that you paid for once on a compact disc (yes, yes, I remember those) have evolved into massively multiplayer games with subscription-based monetization and micro-transactions.

What does this mean for a video game? That its value has increased. You may be holding the glorious Diablo 1 CD that you paid ~$30 for, but your World of Warcraft account is filled with skins and mounts, and it is worth far more. Your Xbox account is worth even more, which makes these accounts a juicy target for cybercriminals.

We’ve written previously on how data-leaks may affect gamers, or you can check our other article about mobile gaming security. However, in this piece, we will concentrate on a specific cyberattack that is dangerous to gamers and give some tips on data protection, which sometimes doesn’t even cost a dime!

What’s the current situation?

The truth is that the state of cybersecurity is grim, and it affects gamers too. According to a report by Akamai:

“Akamai also saw 10.6 billion web application attacks across its customers between July 2018 and June 2020, more than 152 million of which were directed toward the gaming industry.”

And this number is increasing. Video games simply weren’t as valuable some time ago as they are today. Some people spend hundreds of dollars on their favourite video game, and if a hacker manages to gain access to that account and take it over (usually by changing the email and password of the service), you lose both the time you invested in the game and all the merchandise you paid for.

And this is no hypothetical situation. Credential stuffing, an attack that has been around for well over a decade but gained traction due to numerous data leaks, is frequently used against gamers. It’s a cheap cyberattack that involves little know-how but can be financially profitable, and a lot of cybercriminals are looking this way for easy money.

So let’s see what it’s all about.

What is a credential stuffing attack?

This one is very simple. First of all, data leaks are haunting the digital world, and they don’t look like stopping. There were the Yahoo leaks, the Marriott hotel leaks, the Armor Games leaks, and many, many more.

A cybercriminal obtains a leaked database of email and password combinations for a particular service. Since password management is not something everybody knows about, there are passwords like “password”, “qwerty”, “hello123”, and the like. Even worse, some people reuse these passwords on different services with the same email.

Next, the cybercriminal buys automation software, which can be obtained for as little as $20. He or she imports the leaked data set into the software, and the program then tries the combinations on different services. Netflix can be targeted, Disney+ suffered a massive credential stuffing attack, and, of course, so can gaming accounts. That’s why gaming giants like Valve, Blizzard, Epic Games, Ubisoft, and others recommend turning on multi-factor authentication for their services.

That’s one way to secure your services, but let’s see what else you can do.

Use a password manager

As you may have noticed, for a credential stuffing attack to succeed, someone needs to use the same email and password combination more than once. It’s easy to remember one, two, or five different passwords, but we now use so many online services and applications that it’s not possible to remember a password for every one of them.

Moreover, having simple passwords is not enough anymore. You’d need to have long, unique, and complex ones. That’s precisely where password managers jump in.

Some of you might’ve used the free version of LastPass, which, sadly, recently announced that it is terminating multiple-device support for its free service. However, there are password managers with free plans, like NordPass, and you can use them to secure your accounts. It works like this.

A password manager allows you to store as many passwords as you’d like in an encrypted password vault. Only you have access to that vault, and only you can retrieve passwords from there. Encryption means that in case of a data leak, the cybercriminal would have to decrypt your passwords, and with advanced encryption algorithms, that is practically impossible.

This is precisely what prevents a credential stuffing attack from succeeding, because you will never use the same password anywhere twice.

And since gaming accounts are becoming more and more valuable, the best time to start securing them is now, and not after something bad has happened.
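
A small audit of the password reuse described above, as an added example that is not part of the original article. It reads a constructed CSV of saved logins (the column names and the `audit` function are assumptions, not any password manager's real export format) and lists where one leaked email and password pair would open several accounts.

```python
import csv
import io
from collections import defaultdict

# Weak passwords quoted in the article above.
WEAK_PASSWORDS = {"password", "qwerty", "hello123"}

# Constructed sample export. The column names are an assumption, not any
# particular password manager's export format.
SAMPLE_EXPORT = """service,email,password
Steam,ana@example.com,hello123
Battle.net,Ana@Example.com,hello123
Xbox,ana@example.com,Vt9#kq2LmZ!x04rB
Epic Games,ana.alt@example.com,hello123
Ubisoft,ana@example.com,c7&Yp1w^HsQe82nD
"""


def audit(export_text):
    """Report the reuse that credential stuffing depends on."""
    by_pair = defaultdict(list)     # (email, password) -> services
    by_password = defaultdict(set)  # password -> services
    weak = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()  # treat email as case-insensitive
        by_pair[(email, row["password"])].append(row["service"])
        by_password[row["password"]].add(row["service"])
        if row["password"].lower() in WEAK_PASSWORDS:
            weak.append(row["service"])
    return {
        # One leaked email/password pair opens every service listed.
        "stuffable": [(email, services)
                      for (email, _), services in by_pair.items()
                      if len(services) > 1],
        # Same password on several services, whatever the email.
        "reused": [sorted(s) for s in by_password.values() if len(s) > 1],
        "weak": sorted(weak),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for email, services in report["stuffable"]:
        print(f"{email}: same password on {', '.join(services)}")
    for services in report["reused"]:
        print("One password shared by:", ", ".join(services))
    print("Weak password on:", ", ".join(report["weak"]))
```

Every service the audit lists is a candidate for a new, unique password generated by the password manager.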