Credential Stuffing

Credential Stuffing is an automated attack where stolen username/password pairs from data breaches are tested against other websites, exploiting the common practice of password reuse across services.

How It Works

When credentials are leaked from one site, attackers compile them into lists and automatically test them against many other services. Because users often reuse passwords, a measurable fraction of the leaked username/password pairs also work on unrelated sites.

Attack Flow

1. Attacker obtains breach data (millions of credentials)
   - Source: Dark web, paste sites, breach databases

2. Tools automatically test credentials
   - Distributed across proxies/IPs to avoid blocking
   - Solve CAPTCHAs using services
   - Mimic legitimate traffic patterns

3. Valid logins collected for:
   - Account takeover
   - Data theft
   - Fraud
   - Resale

Scale of the Problem

  • Billions of credentials available from past breaches
  • Success rates typically 0.1-2%
  • At scale, even low success rates yield thousands of accounts

Indicators of Attack

  • Spike in failed login attempts
  • Traffic from proxy services or data centers
  • Login attempts for non-existent users (the breach list contains accounts never registered on your site)
  • Geographic anomalies in login patterns
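The four indicators above can be turned into detection logic over an authentication log. The following is an added example, not part of the original page: it parses a constructed log (timestamp, client IP, username, result, country), flags source IPs that show a burst of failures, many distinct usernames, attempts for unknown users, or an address in an assumed hosting/proxy range, flags users who log in successfully from two countries within an hour, and lists successful logins from flagged IPs as takeover candidates. The log format, thresholds and the `HOSTING_RANGES` list are all assumptions for the example; a real deployment would load the ranges from a threat-intel feed and tune the thresholds to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log (not from any real system). Columns:
# <ISO timestamp> <client_ip> <username> <FAIL|SUCCESS|NOUSER> <country>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL US
2024-05-01T10:00:02Z 203.0.113.10 bob FAIL US
2024-05-01T10:00:02Z 203.0.113.10 carol FAIL US
2024-05-01T10:00:03Z 203.0.113.10 dave FAIL US
2024-05-01T10:00:03Z 203.0.113.10 ghost123 NOUSER US
2024-05-01T10:00:04Z 203.0.113.10 eve SUCCESS US
2024-05-01T10:00:05Z 198.51.100.7 alice FAIL DE
2024-05-01T10:00:06Z 198.51.100.7 frank NOUSER DE
2024-05-01T10:00:07Z 198.51.100.7 grace FAIL DE
2024-05-01T10:00:08Z 198.51.100.7 heidi FAIL DE
2024-05-01T10:00:09Z 192.0.2.44 alice SUCCESS US
2024-05-01T10:05:00Z 192.0.2.44 alice SUCCESS BR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS|NOUSER) ([A-Z]{2})$")

# Assumed hosting/proxy ranges (documentation prefixes used as stand-ins);
# a real deployment would load these from a threat-intel feed.
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result, country = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "user": user, "result": result, "country": country,
        })
    return events


def is_hosting_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def per_ip_signals(events, window_seconds=60, fail_threshold=4, distinct_user_threshold=4):
    """Return {ip: [reasons]} for source IPs that trip one or more stuffing indicators."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: largest number of failed/unknown-user attempts inside window_seconds.
        fails = [e["ts"] for e in evs if e["result"] in ("FAIL", "NOUSER")]
        max_in_window, start = 0, 0
        for end in range(len(fails)):
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        distinct_users = {e["user"] for e in evs}
        nouser = sum(1 for e in evs if e["result"] == "NOUSER")
        reasons = []
        if max_in_window >= fail_threshold:
            reasons.append(f"{max_in_window} failures within {window_seconds}s")
        # Many different usernames from one IP is the stuffing signature; a brute-force
        # attack shows the opposite pattern (many attempts against one user).
        if len(distinct_users) >= distinct_user_threshold:
            reasons.append(f"{len(distinct_users)} distinct usernames tried")
        if nouser:
            reasons.append(f"{nouser} attempts for non-existent users")
        if is_hosting_ip(ip):
            reasons.append("source address in hosting/proxy range")
        if reasons:
            findings[ip] = reasons
    return findings


def impossible_travel(events, max_seconds=3600):
    """Return {user: (country_a, country_b)} for successful logins from two countries within max_seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and (cur["ts"] - prev["ts"]).total_seconds() <= max_seconds:
                flagged[user] = (prev["country"], cur["country"])
    return flagged


def takeover_candidates(events, findings):
    """Accounts that logged in successfully from a flagged IP: candidates for forced re-authentication."""
    return sorted({e["user"] for e in events if e["result"] == "SUCCESS" and e["ip"] in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = per_ip_signals(evs)
    for ip, reasons in found.items():
        print(ip, "->", "; ".join(reasons))
    print("impossible travel:", impossible_travel(evs))
    print("takeover candidates:", takeover_candidates(evs, found))
```

On the sample, both hosting-range IPs trip every signal while the residential address trips none; alice is flagged for a US-to-BR login five minutes apart, and eve's successful login from a flagged IP is the one to force through step-up authentication.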

Defenses

  • Multi-factor authentication (most effective)
  • Check passwords against breach databases
  • Rate limiting and CAPTCHA
  • Device fingerprinting
  • Anomaly detection on login patterns
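Two of the defenses above, breach-database checks and rate limiting, fit naturally into the login path itself. The following added example (not code from the original page) shows a login handler that throttles with a sliding window keyed on both source IP and target account, compares the password in constant time, and checks a correct password against a breached-password corpus using the k-anonymity range pattern, in which only the first five hex characters of the SHA-1 hash leave the application and the suffix match is done locally. The corpus, user store and limiter thresholds are constructed for the example; a real system would query an external breach service over the same prefix interface and store passwords with a slow hash rather than in the clear.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed breach corpus standing in for an external breached-password service.
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
_BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}

# Constructed user store (plaintext only to keep the example short; use argon2/bcrypt in practice).
USERS = {"alice": "correct horse battery staple", "bob": "password"}


def breach_range_lookup(prefix):
    """Simulates the range endpoint: suffixes of every breached hash sharing the 5-char prefix."""
    return [h[5:] for h in _BREACH_HASHES if h.startswith(prefix)]


def is_breached(password):
    """k-anonymity check: only the hash prefix is sent; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_range_lookup(prefix)


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any `window_seconds` interval."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login(username, password, ip, now, ip_limiter, user_limiter):
    # Charge the attempt to both the source IP and the target account before checking the
    # password: the per-IP bucket catches one host spraying many accounts, the per-account
    # bucket catches a distributed attack aimed at one account.
    if not ip_limiter.allow(ip, now) or not user_limiter.allow(username, now):
        return "THROTTLED"  # step-up point: CAPTCHA or temporary lockout
    # Same response for unknown user and wrong password, so the endpoint does not
    # confirm which usernames exist; constant-time compare avoids a timing oracle.
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "DENIED"
    if is_breached(password):
        return "PASSWORD_RESET_REQUIRED"  # correct but known-breached: force rotation
    return "OK"


def demo():
    """One IP replaying a leaked list against several accounts; returns the per-attempt outcomes."""
    ip_lim = SlidingWindowLimiter(limit=5, window_seconds=60)
    user_lim = SlidingWindowLimiter(limit=3, window_seconds=60)
    attempts = [
        ("alice", "123456"), ("bob", "password"), ("carol", "letmein"),
        ("dave", "qwerty"), ("alice", "correct horse battery staple"), ("erin", "x"),
    ]
    return [login(u, p, "203.0.113.10", 1000 + i, ip_lim, user_lim)
            for i, (u, p) in enumerate(attempts)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In the demo run the correct-but-breached password for bob is refused with a reset requirement, the fifth attempt exhausts the per-IP budget, and the sixth is throttled regardless of its credentials; multi-factor authentication, the defense the page ranks first, would sit behind the `OK` branch.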

See Also