Customer Login
Credential Stuffing – What is it?

Credential Stuffing – What is it?

By Bob Michaud


Welcome to the 2019 Cyber Security Awareness Month. This is my third year participating as Q2’s Chief Security Officer, and I’m ready to share my insights each week over the next month.

Q2 is an NCSA Cyber Security Champion. Our multi-layered security approach keeps your customer experience safe while protecting against brand fraud. This week I will discuss how Q2 protects your brand with our multi-layered security approach by discussing a new type of attack called Credential Stuffing and how you can protect yourself.

The average person has over 200 online accounts. Additionally, the average person has only 8-10 unique passwords. Because so many of us duplicate our user code and passwords, a new type of attack has been launched and is increasing in intensity.

The average person has over 200 online accounts, but only 8-10 unique passwords.

The fraudsters have figured this out. From an illegal source, they buy your user code and password for your Facebook or Google account, and they launch an attack against your bank account. The new type of attack is a slow yet more methodical login approach that sometimes goes undetected against more traditional security detection measures. Your first indication of the attack is an increase in the number of lockouts of your customer’s accounts because of invalid login attempts.

Our datacenter at Q2 has high-security detection available at all times. We protect against this type of attack and then inform our banks and credit unions that an attack is occurring. Q2 has a number of validations that occur to ensure our security center is always on alert.

Below is an example of the response we provide to our clients to ensure them we’re protecting their customers:

Dear Colleague,

We are emailing to inform you that your institution is currently being defended against a “credential stuffing” attack. Q2 has already begun to mitigate this attack and is reaching out to inform you for your team’s situational awareness. No response to us is required.

Due to the number of invalid login attempts being observed to your Online Banking environment, it is being defended by an elevated set of protections. This can affect valid user experience, but the rules are carefully crafted to minimize these impacts.

Q2 IOC will continue to monitor the platform and will use escalated methods of contact if we feel your active attention is required.

There are many other monitoring tools and security alarms established within our environment to let us know we’re operating in a safe environment. Today, I’ve touched only on the monitoring of our security environment for a new type of credential stuffing attack.


In the second of this five-blog series, I offer insights on how Q2 protects your brand with our multi-layered security approach by developing your applications with a security-first approach.

Thank you for your interest, and Happy Cyber Security Awareness Month.

Ready to get in touch?

Ask us how Q2 can deliver the digital banking experience your account holders deserve.

Speak to an Expert