Credential-Stuffing Attack on DHL MyAccount
Criminals use billions of username-password pairs leaked from other breaches to try to break into DHL MyAccount portals at scale. Once inside, they change delivery addresses, intercept high-value parcels, and harvest stored payment cards.
Last reviewed: 8 June 2026
Credential stuffing is an automated attack in which criminals take login pairs leaked from previous data breaches and try them against a different service. Because many people reuse the same email address and password across multiple websites, a fraction of the tested credentials succeed — and DHL MyAccount is a high-value target because it stores delivery preferences, address books, and in some regions saved payment cards.
A compromised DHL account lets an attacker redirect in-transit shipments to their own address, intercept valuable items, and use stored payment information for further fraud. Victims typically discover the breach only when an expected parcel never arrives or when they notice a changed account address they did not set.
DHL itself is not at fault in these attacks — the compromised passwords came from other services. However, using a unique, strong password for your DHL account and enabling two-factor authentication closes the door to credential-stuffing attempts entirely.
How this scam works on the DHL brand
Attackers purchase or freely download credential lists from dark-web forums and run automated tools that test each pair against dhl.com. Successful logins are flagged, and the attacker (or a buyer of the access) logs in manually to change the delivery address, redirect active shipments, and note any stored cards.
In some cases the attacker orders high-value goods on a linked account, redirects existing incoming packages, or sells access to the compromised DHL account on underground marketplaces where buyers harvest the stored personal details for further identity fraud.
Victims often receive a genuine DHL notification about a profile change they did not make — an address update or a new device login — and this is frequently the first signal that credentials have been stuffed.
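The pattern described above (one source testing many accounts, mostly failing, followed by an address change on an account that did succeed) can be turned into a detection rule. The sketch below is an added example, not code from DHL or from this page; the event names, the tuple layout, the thresholds and the sample log are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real DHL logs: (time_s, source_ip, account, event).
# The event names and this tuple layout are assumptions made for the example.
EVENTS = [(i * 2, "203.0.113.7", f"user{i}@example.com",
           "login_ok" if i == 3 else "login_fail") for i in range(6)]
EVENTS += [
    # Later manual session from a different address changes the delivery address.
    (900, "198.51.100.20", "user3@example.com", "address_change"),
    # Ordinary customer: one typo, then a normal login and address edit.
    (950, "192.0.2.10", "user9@example.com", "login_fail"),
    (960, "192.0.2.10", "user9@example.com", "login_ok"),
    (990, "192.0.2.10", "user9@example.com", "address_change"),
]


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Return source IPs that tried many distinct accounts and mostly failed."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, ip, account, event in events:
        if event in ("login_ok", "login_fail"):
            accounts[ip].add(account)
            attempts[ip] += 1
            successes[ip] += event == "login_ok"
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_ratio}


def find_takeover_candidates(events, window_s=3600):
    """Return accounts whose address changed soon after a flagged source logged in.

    The address change is matched on the account, not the IP, because the
    follow-up session may come from a different address than the automated run.
    """
    sources = find_stuffing_sources(events)
    hit_at = {}  # account -> time of the successful login from a flagged source
    flagged = []
    for ts, ip, account, event in sorted(events):
        if event == "login_ok" and ip in sources:
            hit_at[account] = ts
        elif (event == "address_change" and account in hit_at
              and ts - hit_at[account] <= window_s):
            flagged.append(account)
    return flagged
```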
Common red flags
- DHL account notification about an address change, password reset, or new device login you did not perform
- Expected parcel shows as delivered but you never received it
- Your DHL account address has changed to an unfamiliar location
- You use the same email and password for DHL as you do for other sites that have been breached
- You receive a login verification code you did not request
- Orders appear in your DHL account that you did not place
- Saved payment card has been charged for an unrecognised transaction
How to protect yourself
- Use a unique password for your DHL account — do not reuse passwords from any other site
- Enable two-factor authentication on your DHL MyAccount where available
- Check haveibeenpwned.com to see if your email has appeared in known breaches
- If you receive an unexpected DHL account alert, log in directly at dhl.com immediately to review and change your credentials
- Review your saved addresses and remove any you do not recognise
- Contact DHL customer service if you suspect your account has been compromised
- Monitor your linked payment cards for unauthorised charges
How to report it
- Report account compromise directly to DHL customer service via dhl.com/contact
- Email [email protected] if you believe phishing was used alongside the attack
- In the US, report to the FTC at reportfraud.ftc.gov
- In the UK, report to Action Fraud at actionfraud.police.uk
- Contact your bank immediately if a stored payment card was charged
Frequently asked questions
Is DHL responsible if my account was accessed through a credential-stuffing attack?
In a credential-stuffing attack, the compromised password came from a different service you used, not from DHL. DHL is not responsible for breaches at other companies. Using a unique password for DHL and enabling two-factor authentication protects you regardless of what other breaches occur.
How do attackers get the login pairs they test?
Large collections of email-password combinations are leaked whenever other websites suffer data breaches. These lists are sold or shared on dark-web forums and then tested automatically against popular platforms. Billions of such pairs are in circulation.
Can I tell if my DHL account has been accessed by an attacker?
DHL sends notification emails for certain account changes. You can also review your account's recent activity by logging in at dhl.com. Any unrecognised address changes, device logins, or shipment redirections are warning signs.