Credential stuffing
Automatically trying username-and-password combinations leaked from one data breach across many other websites, exploiting people's habit of reusing passwords.
Also known as: password stuffing, credential reuse attack
Last reviewed: 1 June 2026
When a website is breached and its user database stolen, lists of email addresses and passwords appear on criminal forums and the dark web. Credential stuffing is the automated process of testing those leaked pairs against hundreds of other services — banking apps, streaming platforms, e-commerce sites — in the hope that users reused the same password.
Success rates are typically low (often under 1%), but when millions of pairs are tested, even a small hit rate yields significant numbers of compromised accounts. This is why using a unique, randomly generated password for every account, managed by a password manager, is so important.
Credential stuffing is distinct from password cracking (attempting to reverse-engineer a hash) and brute-force attacks (guessing passwords randomly); it uses real credentials that are known to have worked somewhere.
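The distinction from brute-force guessing also shows up in login logs. The following is an added example for defenders, not part of the original entry: it labels each source address by the shape of its login traffic. The event format `(source_ip, username, succeeded)`, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the entry above.
MIN_ATTEMPTS = 20          # too little traffic below this to judge a source
STUFFING_MAX_PER_USER = 2  # a leaked pair is tried once or twice per account
BRUTE_MIN_PER_USER = 10    # guessing hammers the same account repeatedly
BRUTE_MAX_ACCOUNTS = 3     # ...and concentrates on very few accounts

def classify_sources(events):
    """events: iterable of (source_ip, username, succeeded) login attempts.
    Returns {source_ip: (label, stats)}."""
    per_user = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(set)
    for ip, user, ok in events:
        per_user[ip][user] += 1
        if ok:
            hits[ip].add(user)
    result = {}
    for ip, users in per_user.items():
        attempts, heaviest = sum(users.values()), max(users.values())
        stats = {"attempts": attempts, "accounts": len(users),
                 "compromised": sorted(hits[ip])}
        if attempts < MIN_ATTEMPTS:
            label = "normal"
        elif heaviest <= STUFFING_MAX_PER_USER:
            # Many accounts, each touched briefly: known pairs being replayed.
            label = "credential-stuffing"
        elif heaviest >= BRUTE_MIN_PER_USER and len(users) <= BRUTE_MAX_ACCOUNTS:
            # Few accounts, many tries each: passwords being guessed.
            label = "brute-force"
        else:
            label = "review"
        result[ip] = (label, stats)
    return result

def sample_events():
    """Constructed sample log using documentation address ranges."""
    events = [("198.51.100.7", f"user{i}@example.com", i == 137)
              for i in range(200)]                              # 200 accounts, 1 hit
    events += [("203.0.113.9", "admin@example.com", False)] * 50  # one account, 50 tries
    events += [("192.0.2.4", "alice@example.com", False)] * 2     # a user mistyping...
    events.append(("192.0.2.4", "alice@example.com", True))       # ...then logging in
    return events

if __name__ == "__main__":
    for ip, (label, stats) in classify_sources(sample_events()).items():
        print(ip, label, stats)
```

Any account listed under `compromised` for a source labelled `credential-stuffing` logged in with a replayed password and is a candidate for a forced reset.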