Skip to main content
A credential stuffing attack is a cyberattack in which attackers use large volumes of stolen username-password pairs on websites.  Because many people reuse passwords across multiple accounts, these attackers often succeed in gaining unauthorized access to user accounts on different platforms. A successful credential stuffing attack can result in:
  • Account takeovers: attackers can hijack your accounts, from email and social media to banking and cloud storage.
  • Data theft: attackers can steal sensitive personal or business information.
  • Financial loss: unauthorized transactions or ransom demands can result in direct financial harm.
  • Reputational damage: compromised accounts can be used to spread misinformation or spam your contacts.

Protecting your accounts

To optimally protect your accounts from credential stuffing attack, you should take immediate practical steps to protect sensitive data.

Use strong, unique passwords

Avoid reusing passwords across sites.  Each account should have its own unique complex password that includes a mix of uppercase and lowercase letters, numbers, and special characters.  Consider using a reputable password manager to generate and store these securely.

Enable Multifactor Authentication (MFA)

MFA provides an extra layer of security by requiring additional verification beyond just a password, such as a code sent via SMS or generated by an authenticator app.  Even if attackers obtain your password, MFA significantly reduces their chances of accessing your account.  Box supports MFA for both Managed Users and External Collaborators.  Learn more about using MFA for Box in our Configuring Multi-Factor Authentication article.

Regularly monitor your accounts

Watch for suspicious activities, such as unexpected login alerts or unfamiliar transactions. Promptly report any anomalies to service providers.

Stay informed about breaches

Use third-party services like Have I Been Pwned? to check whether your email addresses have appeared in data breaches, so you can take immediate action if needed.

Update passwords periodically

Changing passwords regularly helps limit damage if credentials are compromised without your knowledge.

Responding to suspicious login activity

If you suspect unauthorized access to your Box account or any account within your organization, immediate investigation is critical to maintaining your security posture.  We recommend using  Box’s User Activity Report to review user behavior, login attempts, and content interactions that can help you identify anomalous activity.  If unauthorized access is confirmed, promptly notify all stakeholders who may be affected.

Our commitment at Box

At Box, protecting your data is our highest priority.  We continuously invest in advanced detection systems designed specifically to identify and block credential stuffing attempts before they reach you.  Additionally, we strongly encourage you to enable Multifactor Authentication on your accounts — it’s one of the most effective ways you can help safeguard yourself against these threats. If you’d like more information about how Box is working to keep your content secure, please see box.com/security or contact Box Product Support.
Last modified on May 22, 2026