Credential stuffing is one of the most prevalent account takeover techniques: attackers take username/password pairs from data breaches and automatically test them against other websites, banking on the reality that most people reuse passwords across multiple services. Unlike brute force attacks (which guess passwords), credential stuffing uses real credentials that actually work somewhere — making it both effective and difficult to distinguish from legitimate logins.
How Credential Stuffing Works
Step 1: Obtain Breach Data
Breached credential databases are openly traded on dark web markets and forums. A database containing 100 million username:password pairs might sell for $50-200. Major breaches from companies like LinkedIn (2012, 117M accounts), Adobe (2013, 153M), and Collection #1 (2019, 773M) provide an enormous supply of real credentials.
Automated tools continuously combine and deduplicate breach databases. The “ComboLists” that circulate in cybercriminal communities contain aggregated pairs from hundreds of sources.
Step 2: Automate Testing
Tools like Sentry MBA, OpenBullet, and SNIPR allow attackers to:
- Import combo lists
- Configure site-specific “configs” (login form parameters, cookies, user agent rotation)
- Test credentials at scale using residential proxies (to bypass IP-based rate limiting)
- Categorize results: valid login, invalid password, 2FA required, account locked
A single attacker can test millions of credential pairs per day against major services. Hit rates of 0.1-2% are common; at 1%, a 1M-pair combo list yields 10,000 valid logins.
Step 3: Monetize Compromised Accounts
Compromised accounts are used for:
- Financial fraud: Bank accounts, PayPal, Amazon for purchases
- Account resale: Netflix, streaming services, gaming accounts sold on markets
- Email access: Pivot to reset other accounts, access sensitive documents
- Identity theft: Social Security numbers, tax fraud
Why It’s Worse Than You Think
Password reuse is epidemic: Studies consistently show 50-65% of users reuse passwords across multiple sites. One breach unlocks accounts on dozens of other services.
Residential proxies make detection hard: Attackers route traffic through legitimate home IP addresses, making login attempts appear to come from normal users in different geographic locations.
Slow and low attacks: Rather than hammering a single account, attackers spread attempts across millions of accounts with low frequency — evading rate-limiting controls.
Credential validation is cheap: Using cloud infrastructure, credential stuffing campaigns can run continuously for pennies per thousand checks.
High-Profile Examples
- Okta breach (2022): Threat actors used credential stuffing as part of their initial access chain
- T-Mobile (2023): Credentials from previous breaches used to access customer accounts
- Streaming services: Netflix, Hulu, and Disney+ accounts routinely stuffed and resold
- Financial institutions: Banks report millions of credential stuffing attempts monthly
How to Check If You’re Affected
HaveIBeenPwned.com: Enter your email to see which breaches include your credentials.
Firefox Monitor: Integrates with HIBP, sends alerts when new breaches include your email.
Password managers: Bitwarden, 1Password, and Dashlane have breach monitoring that alerts when saved passwords appear in breach databases.
Defenses for Users
Use Unique Passwords for Every Site
This is the only fully effective defense against credential stuffing. If each site has a unique password, a breach at one site reveals credentials that work nowhere else.
Use a password manager (Bitwarden, 1Password, KeePassXC) to generate and store unique 20+ character passwords. You only need to remember one master password.
Enable Multi-Factor Authentication (MFA)
Even if an attacker has your correct username and password, MFA stops them:
- TOTP apps (Google Authenticator, Aegis): Time-based codes that expire every 30 seconds
- Hardware keys (YubiKey): Physical device that must be present — highest security
- Push notifications: Approve sign-ins on your phone
Avoid SMS 2FA when possible — SIM swapping can bypass it.
Use Email Aliases
With services like SimpleLogin or AnonAddy, each site gets a unique email alias. This provides an additional layer: attackers can’t use breach databases to link your accounts.
Defenses for Organizations
Credential Breach Monitoring
Subscribe to the HaveIBeenPwned Enterprise API or SpyCloud to receive alerts when your users’ credentials appear in breach databases, so you can force password resets before attackers try them.
Behavioral Analysis and Anomaly Detection
Detect stuffing campaigns by monitoring:
- Failed login rate spikes
- Unusual geographic distribution of login attempts
- Multiple accounts accessed from similar IP ranges
- High volume of logins from specific ASNs (cloud providers, known proxy networks)
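The indicators in that list can be computed straight from authentication logs. The script below is an added example, not code from the article: it parses a handful of constructed log lines in an assumed `timestamp ip= asn= user= result=` format and reports failed-login spikes per minute, the number of distinct accounts attempted from each /24, and ASNs that dominate the traffic. Geographic distribution is left out because it needs a per-population baseline that a toy sample cannot supply; the thresholds used (3 failures per minute, 5 accounts per /24, 50% ASN share) are assumptions and would be tuned against real baselines.

```python
"""Stuffing indicators over authentication log lines (added example, not the article's code).

The log format below is an assumption: one event per line,
'<ISO-8601 UTC timestamp> ip=<address> asn=<AS number> user=<account> result=<ok|fail>'.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: a small campaign from one /24 (203.0.113.0/24, AS64500) touches
# six different accounts within one minute; the rest is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T02:00:05Z ip=198.51.100.10 asn=AS64496 user=alice result=ok
2024-05-01T02:00:40Z ip=198.51.100.11 asn=AS64496 user=bob result=fail
2024-05-01T02:01:10Z ip=203.0.113.5 asn=AS64500 user=carol result=fail
2024-05-01T02:01:12Z ip=203.0.113.6 asn=AS64500 user=dave result=fail
2024-05-01T02:01:15Z ip=203.0.113.7 asn=AS64500 user=erin result=fail
2024-05-01T02:01:19Z ip=203.0.113.8 asn=AS64500 user=frank result=ok
2024-05-01T02:01:22Z ip=203.0.113.9 asn=AS64500 user=grace result=fail
2024-05-01T02:01:25Z ip=203.0.113.10 asn=AS64500 user=heidi result=fail
2024-05-01T02:03:00Z ip=198.51.100.12 asn=AS64496 user=ivan result=ok
"""


def parse_log(text):
    """Turn log lines into dicts with a timezone-aware 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def failures_per_minute(events):
    """Count failed logins per 60-second bucket; a stuffing burst shows up as an outlier bucket."""
    buckets = Counter()
    for event in events:
        if event["result"] == "fail":
            buckets[event["ts"].replace(second=0).isoformat()] += 1
    return dict(buckets)


def failure_spikes(events, max_failures_per_minute):
    """Minutes whose failure count exceeds the threshold (the threshold should come from a baseline)."""
    return sorted(m for m, n in failures_per_minute(events).items() if n > max_failures_per_minute)


def accounts_per_subnet(events, prefix_len=24):
    """Distinct accounts attempted from each IP prefix. A normal user touches one account
    from their address; a proxy pool working through a combo list touches many."""
    seen = defaultdict(set)
    for event in events:
        net = ipaddress.ip_network(f"{event['ip']}/{prefix_len}", strict=False)
        seen[str(net)].add(event["user"])
    return {net: len(users) for net, users in seen.items()}


def suspicious_subnets(events, min_accounts=5, prefix_len=24):
    return sorted(net for net, n in accounts_per_subnet(events, prefix_len).items() if n >= min_accounts)


def logins_per_asn(events):
    """Attempt volume per autonomous system; cloud or proxy ASNs dominating is a red flag."""
    return dict(Counter(event["asn"] for event in events))


def dominant_asns(events, share=0.5):
    counts = logins_per_asn(events)
    total = sum(counts.values())
    return sorted(asn for asn, n in counts.items() if n / total >= share)


def detect(events):
    """Combine the three indicators into one report for an analyst or an alerting rule."""
    return {
        "failure_spikes": failure_spikes(events, max_failures_per_minute=3),
        "suspicious_subnets": suspicious_subnets(events),
        "dominant_asns": dominant_asns(events),
    }


if __name__ == "__main__":
    for name, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

On the constructed sample all three indicators point at the same minute, the same /24 and the same ASN, which is the kind of corroboration an alert should require; any one of them alone (a single failed-login spike, say) is also produced by a password-expiry wave or an outage.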
CAPTCHAs and Bot Detection
Cloudflare Turnstile, reCAPTCHA v3, and hCaptcha add friction for automated logins without impacting legitimate users. Credential stuffing tools can bypass basic CAPTCHAs but at added cost and complexity.
Risk-Based Authentication
Flag logins that match unusual patterns (new device, new country, unusual time) for additional verification — step-up authentication triggers MFA for suspicious logins even if credentials are correct.
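As an added example (not the article's code), the following scores a login against the three signals named above and decides whether to step it up to MFA. The signals, their weights, the threshold, and the `UserProfile`/`LoginAttempt` shapes are all assumptions made for illustration; a real implementation would derive the profile from the user's login history.

```python
"""Risk-based step-up decision for a login (added example, not the article's code).

Everything here is an assumption chosen for illustration: the three signals, their
weights, and the threshold at which a login is pushed to MFA.
"""
from dataclasses import dataclass

# Assumed weights: a new country is the strongest signal, an unusual hour the weakest.
WEIGHTS = {"new_device": 2, "new_country": 3, "unusual_time": 1}
STEP_UP_THRESHOLD = 2  # a score at or above this triggers MFA even with a correct password


@dataclass
class UserProfile:
    known_devices: set      # device identifiers seen on previous successful logins
    usual_countries: set    # countries (ISO codes) of previous successful logins
    usual_hours: set        # hours of day (UTC) in which this user normally signs in


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour_utc: int
    password_ok: bool       # result of the normal password check


def risk_signals(profile, attempt):
    """Which of the 'unusual pattern' indicators the attempt trips, in a fixed order."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("new_country")
    if attempt.hour_utc not in profile.usual_hours:
        signals.append("unusual_time")
    return signals


def risk_score(profile, attempt):
    return sum(WEIGHTS[s] for s in risk_signals(profile, attempt))


def decide(profile, attempt, threshold=STEP_UP_THRESHOLD):
    """Return 'deny', 'allow' or 'mfa'. A correct password alone is not enough when the
    context is unusual: the attempt is stepped up to a second factor."""
    if not attempt.password_ok:
        return "deny"
    return "mfa" if risk_score(profile, attempt) >= threshold else "allow"


if __name__ == "__main__":
    profile = UserProfile(known_devices={"dev-1"}, usual_countries={"DE"}, usual_hours=set(range(7, 20)))
    # Constructed attempts: the usual laptop at 09:00 UTC, then a correct password from an
    # unknown device in another country at 03:00 UTC (the shape a stuffed login usually has).
    for attempt in (LoginAttempt("dev-1", "DE", 9, True), LoginAttempt("dev-9", "BR", 3, True)):
        print(attempt, "->", decide(profile, attempt), risk_signals(profile, attempt))
```

One caveat worth building in: the tools listed under Step 2 classify responses, and "2FA required" is one of their categories, so an MFA prompt that appears only after a correct password confirms to the attacker that the password is valid. Treat every stepped-up login that reached the MFA stage with a correct password as a known-compromised credential: log it, alert on it, and force a reset for that account rather than relying on the second factor alone.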
Account Lockout (Carefully)
Low-threshold lockouts (3-5 attempts) frustrate credential stuffing but also enable denial-of-service against legitimate users. Use longer lockouts (15-30 minutes after 10 attempts) or CAPTCHA escalation rather than hard lockouts.
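The escalation just described (CAPTCHA first, then a temporary lock after 10 attempts for 15 minutes) looks like this as an added example, not the article's code. The 10-attempt and 15-minute figures are taken from the paragraph above; the CAPTCHA threshold of 3 failures and the 15-minute counting window are assumptions, and time is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Escalating lockout for a login endpoint (added example, not the article's code).

Thresholds follow the article's numbers where it gives them (lock after 10 attempts for
15 minutes); the CAPTCHA threshold and the counting window are assumptions.
"""
from collections import defaultdict

CAPTCHA_AFTER = 3           # failures before the form demands a CAPTCHA (assumed)
LOCK_AFTER = 10             # failures before a temporary lock (article: "after 10 attempts")
LOCK_SECONDS = 15 * 60      # lock length (article: "15-30 minutes"; lower end used here)
WINDOW_SECONDS = 15 * 60    # failures older than this stop counting (assumed)


class LoginThrottle:
    """Per-account counters. Time is passed in as a Unix timestamp so the logic is testable."""

    def __init__(self):
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock ends

    def _prune(self, account, now):
        self.failures[account] = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]

    def check(self, account, now):
        """What the login form should show: 'locked', 'captcha' (password plus CAPTCHA) or 'password'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        self._prune(account, now)
        return "captcha" if len(self.failures[account]) >= CAPTCHA_AFTER else "password"

    def record(self, account, success, now):
        """Update the counters after a password check; returns the state the attempt ends in."""
        if success:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= LOCK_AFTER:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures.pop(account, None)  # the lock replaces the counter
            return "locked"
        return "captcha" if len(self.failures[account]) >= CAPTCHA_AFTER else "fail"


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed sequence: ten wrong passwords one second apart against a single account.
    for i in range(10):
        print(i + 1, throttle.record("alice", False, 1000 + i))
    print("right after the lock:", throttle.check("alice", 1010))
    print("15 minutes later:", throttle.check("alice", 1010 + LOCK_SECONDS))
```

Because the counters are per account, a slow-and-low campaign that tries one breached password against each of a million accounts never reaches any threshold here; that is the gap the behavioral monitoring above is meant to close. The CAPTCHA step and the time-limited lock keep the cost of a deliberate lockout against a legitimate user to a few minutes rather than a support ticket.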
Credential stuffing is a volume game — attackers rely on weak defenses and password reuse. Unique passwords plus MFA eliminate it as an attack vector for individual users; monitoring and behavioral controls are the enterprise defense.