Enumeration Attack
An automated attack that systematically tests large numbers of possible values — such as card numbers, usernames, or account IDs — to discover valid ones.
Also known as: brute-force enumeration, account enumeration, gift card enumeration
Last reviewed: 1 June 2026
An enumeration attack is a category of brute-force or systematic testing attack in which an adversary iterates through possible values in a predictable space to identify which ones are valid. In payment fraud, the most common form is BIN enumeration (testing card numbers that share a known bank identification number prefix). In account security, enumeration can exploit login or registration pages that give different responses depending on whether an account exists — allowing an attacker to compile a list of valid usernames or email addresses for subsequent credential-stuffing or phishing attacks.
In the context of gift cards or voucher codes, enumeration can be used to identify valid unspent codes by systematically submitting candidate codes of the expected format to a redemption endpoint. This is sometimes called 'gift card cracking.'
The common thread is that the attacker leverages an overly revealing response or a predictable value space to efficiently narrow down the set of valid targets. Defences include consistent error messages (that do not reveal whether a value exists), aggressive rate-limiting, CAPTCHA, and anomaly detection that flags high volumes of similar requests from a single source.
Examples
- An attacker tests a retail gift-card redemption portal with tens of thousands of code combinations per hour, identifying valid unspent balances that are then transferred to cards the attacker controls.
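The anomaly-detection defence described above, applied to the gift-card scenario in this example, as an added illustration that is not part of this glossary entry: a sliding-window check over access-log lines that flags a source submitting many distinct candidate values that almost all fail. The log format, the hashed-value field, the IP addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str       # client IP or session identifier
    endpoint: str     # e.g. /redeem or /login
    value_hash: str   # hash of the tested value, so raw codes never land in the log
    success: bool

def parse_line(line: str) -> Attempt:
    # Assumed (constructed) log format: <iso-timestamp> <source> <endpoint> <value-hash> <ok|fail>
    ts, src, ep, vh, result = line.split()
    return Attempt(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, ep, vh, result == "ok")

def detect_enumeration(attempts, window=timedelta(minutes=1), min_attempts=50,
                       min_distinct_ratio=0.9, max_success_rate=0.05):
    """Flag (source, endpoint) pairs whose traffic in one window looks like enumeration; thresholds are illustrative."""
    by_key = defaultdict(list)
    for a in attempts:
        by_key[(a.source, a.endpoint)].append(a)
    flagged = {}
    for key, items in by_key.items():
        items.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(items)):  # sliding time window over time-ordered attempts
            while items[end].ts - items[start].ts > window:
                start += 1
            win = items[start:end + 1]
            distinct = len({a.value_hash for a in win}) / len(win)   # share of attempts using a new value
            success = sum(a.success for a in win) / len(win)        # share of attempts that redeemed
            if len(win) >= min_attempts and distinct >= min_distinct_ratio and success <= max_success_rate:
                flagged[key] = f"{len(win)} attempts, {distinct:.0%} distinct, {success:.0%} success"
                break
    return flagged

def build_sample_log():
    """Constructed sample data: one enumerating source and one legitimate customer."""
    base = datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc)
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()[:16]
    lines = []
    for i in range(120):  # 120 distinct candidate codes in 60 s; only one of them is valid
        lines.append(f"{(base + timedelta(seconds=i * 0.5)).isoformat()} 203.0.113.7 /redeem {h(f'GC-{i:06d}')} {'ok' if i == 77 else 'fail'}")
    for i, r in enumerate(["fail", "fail", "ok"]):  # a customer mistypes twice, then succeeds
        lines.append(f"{(base + timedelta(seconds=30 + i * 10)).isoformat()} 198.51.100.4 /redeem {h(f'typo{i}')} {r}")
    return lines
```

This check complements uniform error responses and rate limiting rather than replacing them, since it only sees traffic after the endpoint has already answered.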