Language selection



Global data protection authorities release guidance:

Help for businesses and individuals to protect against cyber-attacks that exploit password re-use

June 30, 2022

The Office of the Privacy Commissioner of Canada and several international data protection and privacy regulators have joined forces in releasing guidance on “credential stuffing attacks”, to combat a significant and growing global cyber threat to personal information.

A credential stuffing attack exploits the common tendency to re-use the same usernames, email addresses and passwords across multiple accounts. This practice allows cyber attackers to exploit a data breach at one website to gain access to user accounts on multiple other online sites. Research by cybersecurity and cloud services company Akamai indicates that hundreds of millions of these types of attacks occur daily.

Data protection authorities from Canada, Gibraltar, Jersey, Switzerland, Türkiye and the United Kingdom worked together under the umbrella of the Global Privacy Assembly’s International Enforcement Cooperation Working Group to develop the guidance to help individuals and commercial organizations identify this malicious behavior, prevent and protect against it.

The guidance for individuals includes steps individuals can take including:

  • Ensuring that account holders avoid using predictable passwords and that they employ multi-factor authentication where possible.
  • Encouraging individuals to change their passwords immediately, along with those for any other accounts protected by the same or a similar password, should an online account be compromised.
  • Urging individuals to immediately contact relevant financial institutions should they find any financial information linked to an account that has been compromised or is suspected of being compromised.

The guidance for commercial organizations supports them in identifying the threat of credential stuffing for the personal data in their possession and outlines measures they can take to mitigate the risk to personal data.

While this guidance does not represent a statement of legal obligations across all jurisdictions, it may assist organizations in complying with data protection and privacy laws that require organizations to protect personal information against threats posed by credential stuffing attacks.

For example, the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law, sets outs a number of obligations for organizations subject to PIPEDA designed to ensure they protect personal information under their control with appropriate security measures that take into account the sensitivity of the information.

Related documents

International Enforcement Cooperation Working Group: Credential Stuffing Awareness Raising

International Enforcement Cooperation Working Group: Credential Stuffing Guidelines

Date modified: