What is Credential Stuffing?
Credential stuffing uses leaked username and password combinations to automatically test logins across multiple services. Learn how it works and how to defend against it.
How Credential Stuffing Works
The raw material for credential stuffing is breach data — the usernames and passwords exposed in data breaches. This data is bought and sold on criminal marketplaces, compiled into massive databases, and is increasingly available through free data leak sites. Collections of breach data totaling billions of username and password pairs are accessible to attackers. The attack process is automated: credential stuffing tools test breach credentials against target services at scale, rotating through proxy networks to evade IP-based rate limiting, distributing requests to avoid triggering account lockout policies, and automatically logging successful authentications for collection.
Why It Works at Scale
Password reuse is pervasive. Studies consistently show that 65% or more of people reuse passwords across multiple accounts. When a breach exposes 50 million credentials from a retail loyalty program, the majority of those users have used the same password on other services — their bank, their Microsoft 365 account, their healthcare portal. The attacker does not know which credentials are reused where; the automation tests them all and collects the successes.
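Because the tooling described above spreads attempts across proxies and throttles them to stay under per-IP rate limits and per-account lockout counters, those counters are the wrong place to look. The following detector is an added example written for this article (not code from the page or from any vendor); it aggregates over the whole login stream instead. The log line format, the thresholds and both sample logs are constructed for the example.

```python
"""Fleet-wide credential stuffing detector over authentication log lines.

Per-IP rate limits and lockout counters are exactly what proxy rotation and
request throttling are built to evade, so this looks at the whole login
stream: failure ratio, how many distinct usernames and source IPs appear per
attempt, and the heaviest single IP. Log format, thresholds and data are
constructed for this example, not taken from any particular product.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed line format: "<timestamp> ip=<addr> user=<name> result=success|failure"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: ordinary traffic, a few users from stable addresses.
NORMAL_LOG = """\
2024-05-01T09:00:01Z ip=198.51.100.10 user=alice result=success
2024-05-01T09:00:40Z ip=198.51.100.10 user=alice result=success
2024-05-01T09:01:12Z ip=198.51.100.22 user=bob result=failure
2024-05-01T09:01:30Z ip=198.51.100.22 user=bob result=success
2024-05-01T09:02:05Z ip=198.51.100.31 user=carol result=success
2024-05-01T09:03:44Z ip=198.51.100.22 user=bob result=success
2024-05-01T09:04:10Z ip=198.51.100.10 user=alice result=failure
2024-05-01T09:04:20Z ip=198.51.100.10 user=alice result=success
"""

# Constructed sample: a stuffing burst. Each username is tried once, each
# request arrives from a different proxy address, and almost all of them
# fail, so no per-IP or per-account counter ever trips.
STUFFING_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.1 user=u001 result=failure
2024-05-01T10:00:01Z ip=203.0.113.2 user=u002 result=failure
2024-05-01T10:00:02Z ip=203.0.113.3 user=u003 result=failure
2024-05-01T10:00:03Z ip=203.0.113.4 user=u004 result=failure
2024-05-01T10:00:04Z ip=203.0.113.5 user=u005 result=failure
2024-05-01T10:00:05Z ip=203.0.113.6 user=u006 result=failure
2024-05-01T10:00:06Z ip=203.0.113.7 user=u007 result=success
2024-05-01T10:00:07Z ip=203.0.113.8 user=u008 result=failure
2024-05-01T10:00:08Z ip=203.0.113.9 user=u009 result=failure
2024-05-01T10:00:09Z ip=203.0.113.10 user=u010 result=failure
2024-05-01T10:00:10Z ip=203.0.113.11 user=u011 result=failure
2024-05-01T10:00:11Z ip=203.0.113.12 user=u012 result=failure
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse log lines; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["ip"], m["user"], m["result"] == "success"))
    return events


def stuffing_stats(events: list[LoginEvent]) -> dict[str, float]:
    """Aggregate signals over the whole stream rather than per source IP."""
    total = len(events)
    if total == 0:
        return {"attempts": 0, "failure_ratio": 0.0, "username_diversity": 0.0,
                "ip_diversity": 0.0, "max_attempts_per_ip": 0}
    failures = sum(1 for e in events if not e.success)
    per_ip = Counter(e.ip for e in events)
    return {
        "attempts": total,
        "failure_ratio": failures / total,
        # near 1.0 when every attempt targets a different account
        "username_diversity": len({e.user for e in events}) / total,
        # near 1.0 when every attempt comes from a different address
        "ip_diversity": len(per_ip) / total,
        # what a per-IP rate limiter sees: small during a distributed attack
        "max_attempts_per_ip": max(per_ip.values()),
    }


def is_credential_stuffing(stats: dict[str, float], *, min_attempts: int = 10,
                           min_failure_ratio: float = 0.7,
                           min_username_diversity: float = 0.8,
                           min_ip_diversity: float = 0.5) -> bool:
    """Thresholds are constructed starting points; tune them on your own baseline."""
    return (stats["attempts"] >= min_attempts
            and stats["failure_ratio"] >= min_failure_ratio
            and stats["username_diversity"] >= min_username_diversity
            and stats["ip_diversity"] >= min_ip_diversity)


def accounts_to_review(events: list[LoginEvent]) -> list[str]:
    """Successful logins inside a flagged burst are the likely takeovers:
    candidates for a forced password reset and MFA step-up."""
    if not is_credential_stuffing(stuffing_stats(events)):
        return []
    return sorted({e.user for e in events if e.success})


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("burst", STUFFING_LOG)):
        ev = parse_log(log)
        verdict = "stuffing" if is_credential_stuffing(stuffing_stats(ev)) else "ok"
        print(name, stuffing_stats(ev), verdict, accounts_to_review(ev))
```

Note what the per-IP view shows for the burst: the busiest address made one request, so an IP-based limiter would never fire, while the fleet-wide failure ratio and the one-username-per-attempt pattern are unmistakable. The single success inside the burst is the account to reset and step up, which is the output a responder actually needs.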
Defending Against Credential Stuffing
Multi-Factor Authentication
MFA is the most effective defense against credential stuffing because a valid username and password is insufficient for authentication when a second factor is required. An attacker who successfully matches a stuffed credential still cannot complete authentication without the second factor. This is one context where even SMS-based MFA provides significant protection — the attacker has the password but not the phone.
Breached Credential Detection
Services like Have I Been Pwned provide APIs that allow authentication systems to check whether credentials being used for login appear in known breach databases. Microsoft Entra ID's Password Protection feature blocks passwords that appear in known breach data. Proactively checking existing credentials against breach databases and requiring password resets for compromised credentials prevents stuffing attacks using credentials that were breached from your own or other services.
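The Pwned Passwords range lookup that makes such a check safe to run from an authentication system works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every suffix the service holds under that prefix, and matches the rest locally, so the password never leaves the host. The code below is an added example written for this article, not code from the page or from Have I Been Pwned; the network call is replaced by a constructed in-memory table built from made-up passwords and counts, so it runs offline.

```python
"""k-anonymity breach-corpus lookup for a candidate password.

Only the first five hex characters of the password's SHA-1 digest leave the
host; the service returns every suffix it holds for that prefix and the
match is done locally. The network call is replaced by a constructed
in-memory table so this runs offline.
"""
from __future__ import annotations

import hashlib

PREFIX_LEN = 5  # the range endpoint keys on the first 5 hex chars of SHA-1


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> tuple[str, str]:
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Range responses are lines of '<35-hex-char suffix>:<count>'."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.isdigit():
            continue  # skip malformed lines instead of crashing the login path
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response body; only the 5-char prefix is sent."""
    prefix, suffix = split_digest(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# ---- constructed stand-in for the range endpoint -------------------------
# Passwords and counts below are made up for the example. The real endpoint
# is GET https://api.pwnedpasswords.com/range/<prefix>.
_CONSTRUCTED_CORPUS = {"password": 1000, "123456": 2500, "letmein": 40}
_RANGE_TABLE: dict[str, list[str]] = {}
for _pw, _n in _CONSTRUCTED_CORPUS.items():
    _p, _s = split_digest(sha1_upper(_pw))
    _RANGE_TABLE.setdefault(_p, []).append(f"{_s}:{_n}")

REQUESTED_PREFIXES: list[str] = []  # records exactly what left the host


def fake_fetch_range(prefix: str) -> str:
    REQUESTED_PREFIXES.append(prefix)
    return "\r\n".join(_RANGE_TABLE.get(prefix, []))


def check_password_policy(password: str, fetch_range=fake_fetch_range) -> str:
    """Decision a registration, reset or login flow would act on."""
    n = breach_count(password, fetch_range)
    return f"rejected: seen {n} times in breach data" if n else "accepted"


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase nobody else chose 7f3e"):
        print(candidate, "->", check_password_policy(candidate))
    print("prefixes sent:", REQUESTED_PREFIXES)
```

To use this against the live service, replace `fake_fetch_range` with a function that performs the HTTP GET for the prefix; everything else, including the guarantee that only five hex characters are transmitted, stays the same. The parser tolerates malformed lines deliberately: an exception thrown from a breach check inside the login path is a denial-of-service risk, whereas an unparseable line simply fails to match.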
Credential Stuffing in the Enterprise
Credential stuffing against enterprise applications uses the same mechanics as consumer account targeting, with additional attack paths unique to enterprise environments. Legacy enterprise applications without modern authentication support may not be compatible with MFA, creating bypass paths. Service accounts with static credentials that are never rotated and that appear in breach data from years of developer reuse across personal and professional contexts represent persistent credential stuffing targets. And the volume of enterprise credentials in breach data increases with every major breach of enterprise software vendors — Okta, LastPass, and similar platforms whose customer credential data has been exposed in incidents.
Real-World Example: The Credential Stuffing Economy
In 2023, researchers identified a credential stuffing operation that had processed over 3 billion login attempts against a single financial services firm over 18 months. The operation used rotating residential proxy networks to appear as legitimate user traffic, throttled request rates to avoid triggering lockout policies, and targeted the firm's mobile application specifically because its authentication controls were less restrictive than the web application. The attackers successfully authenticated to over 300,000 accounts during the campaign before detection. The credential lists used were primarily from consumer service breaches that had occurred 2-5 years earlier, demonstrating that breach credential value persists long after the initial incident.
The success rate of a credential stuffing attack sounds negligible, but against a list of 100 million breached credentials it means 100,000 successful account takeovers. Volume is the mechanism.