SonicWall
May 9, 2025
•[ hack, brute-force, technology ]
Threat actors brute-forced the MySonicWall portal and accessed cloud backup firewall preference files for a subset of customers (<5%). SonicWall terminated access, issued Essential Credential Reset guidance, and involved law enforcement. Risk centers on reuse of secrets/config intelligence for follow-on compromises.
Synthient Credential Stuffing Threat Data
April 11, 2025
•[ hack, brute-force, technology ]
During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords.
General Motors
July 9, 2024
•[ hack, brute-force, manufacturing ]
General Motors (GM) suffers what appears to be a credential stuffing attack, affecting 65 GM MyAccounts.
Amtrak
June 14, 2024
•[ hack, brute-force ]
Amtrak reveals that Guest Rewards accounts were hacked in credential stuffing attacks.
Roku
March 15, 2024
•[ hack, brute-force, technology ]
Roku warns that 576,000 accounts were hacked in new credential stuffing attacks after disclosing another incident that compromised 15,000 accounts in early March.
Roku
March 8, 2024
•[ hack, brute-force, technology ]
Roku says it canceled unauthorized subscriptions and refunded more than 15,000 accounts after discovering what it called suspicious activity.
PetSmart
March 6, 2024
•[ hack, brute-force, retail ]
Pet retail giant PetSmart warns some customers their passwords were reset due to an ongoing credential stuffing attack attempting to breach accounts.
Jason's Deli
January 19, 2024
•[ hack, brute-force, retail ]
Jason's Deli warns of a data breach in notifications sent to customers of its online platform stating that their personal data was exposed in credential stuffing attacks.
23andMe
October 2, 2023
•[ leak, brute-force, healthcare ]
23andMe confirms it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.
RocketSwap
August 15, 2023
•[ hack, brute-force, finance ]
Decentralized exchange RocketSwap loses $870,000 in a hack carried out via a brute-force attack and attributed to multiple vulnerabilities, including storing user private keys on its cloud servers.
PayPal
December 21, 2022
•[ leak, brute-force, finance ]
PayPal sends out data breach notifications to approximately 35,000 users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
DraftKings
November 21, 2022
•[ hack, brute-force, technology ]
Sports betting company DraftKings reveals that it would make customers whole after a credential stuffing attack that led to losses of up to $300,000.
Seesaw
September 14, 2022
•[ hack, brute-force, education ]
Seesaw, a popular messaging application used by school districts across the U.S., is forced to apologize after parents said an inappropriate photo was sent out as a consequence of a credential stuffing attack.
The North Face
July 26, 2022
•[ hack, brute-force, retail ]
Outdoor apparel brand 'The North Face' is targeted in a large-scale credential stuffing attack resulting in the hacking of 194,905 accounts on the thenorthface.com website.
Zola
May 21, 2022
•[ financial, brute-force, retail ]
Wedding registry website Zola confirms that it was hit with a cyberattack after dozens of customers complained on social media about their accounts being drained or breached.
Npower
February 26, 2021
•[ hack, brute-force, energy ]
British energy provider Npower suffers a credential stuffing attack, forcing the company to shut down its mobile app.