
This is the second part of our series; last time we talked about guessing, harvesting, and cracking. Today, we’ll unpack two more sneaky tricks, password spraying and credential stuffing, along with a recent real case of password stealing.
1. Password Spraying
What is it?
Instead of targeting one account with many password attempts, attackers use one common password across many accounts.
- Relies on weak yet popular passwords (like Password123 or qwerty!).
- Spreads attempts widely across multiple accounts to avoid detection.
How it works:
Hackers gather lists of usernames or emails and try a single common password across all of them. If just one person used that password, the hacker can get in.
How to defend:
- Use unique, complex passwords. Avoid anything from the “most common” lists.
- Enable Multi-Factor Authentication (MFA). A stolen password alone won’t be enough.
2. Credential Stuffing
What is it?
Hackers use real leaked username/password pairs from one breach to break into accounts on other sites.
- Relies heavily on password reuse across platforms.
- Fully automated—bots test thousands of logins very fast.
How it works:
When a breach happens—say, a forum or shopping site is hacked—the attacker grabs those credentials and tries them across different services (email, streaming, banking, etc.). If you reused your password, you’re at risk.
How to defend:
- Use a password manager for unique passwords everywhere.
- Change compromised passwords immediately when you hear about a breach.
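Both attacks above spread their failed logins across many accounts, so a per-account lockout counter never trips. The sketch below is an added example, not code from any product: it compares a classic lockout check with a per-source count of distinct accounts over a sliding window. The event format, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events: (timestamp, source IP, username).
# IPs come from documentation ranges; nothing here is from a real system.
def _sample():
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    events = [(t0 + timedelta(seconds=20 * i), "203.0.113.7", f"user{i:02d}")
              for i in range(12)]                       # 12 accounts, 1 try each
    events += [(t0 + timedelta(seconds=5 * i), "198.51.100.4", "alice")
               for i in range(6)]                       # 1 account, 6 tries
    events += [(t0 + timedelta(minutes=3), "192.0.2.10", "bob")]  # one typo
    return sorted(events)

SAMPLE_EVENTS = _sample()

def per_account_lockouts(events, max_failures=5):
    """Classic lockout: flag accounts with more than max_failures failures."""
    counts = defaultdict(int)
    for _, _, user in events:
        counts[user] += 1
    return {u for u, n in counts.items() if n > max_failures}

def wide_failure_sources(events, window=timedelta(minutes=10), min_accounts=10):
    """Flag sources failing against many distinct accounts inside the window."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {u for _, u in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged

if __name__ == "__main__":
    print("locked accounts:", per_account_lockouts(SAMPLE_EVENTS))
    print("wide-failure sources:", wide_failure_sources(SAMPLE_EVENTS))
```

On the sample data the lockout check only sees the single hammered account, while the per-source view surfaces the address that failed once against each of twelve accounts.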
Real-world case:
Credential Stuffing at The North Face
On April 23, 2025, The North Face detected a credential stuffing attack, the fourth one since 2020, targeting its e-commerce site. Attackers used login credentials stolen from previous breaches to access customer accounts.
The attack exposed the details of approximately 2800 clients, such as full names, email addresses, shipping addresses, purchase history, phone numbers, and dates of birth, but no payment card information was compromised, since payments were handled by a third-party service (Bill Toulas 2025).
Spraying and stuffing may sound technical—but at their core, they exploit everyday habits: weak passwords and reusing them.
Thankfully, simple habits like using strong, unique passwords, turning on MFA, and changing passwords promptly after a breach offer powerful protection.
