Credential Stuffing Attacks Delivered via Email
How attackers use leaked email-password combinations from data breaches to access accounts at scale, often announcing their success through extortion emails.
Part of: Credential Stuffing Attacks
Last reviewed: 8 June 2026
Credential stuffing is an automated attack where username and password combinations leaked in one data breach are systematically tried against other services, exploiting the widespread habit of password reuse. Millions of credential pairs harvested from breaches of retail sites, forums, or gaming platforms are loaded into automated tools and tested against email providers, banking apps, and social networks.
Victims typically become aware of the attack through two routes: a notification email from a service saying their account was accessed, or an extortion email claiming the attacker has accessed their accounts and demanding payment to avoid further harm. Both follow from the same root cause — a reused password exposed in a breach.
How this scam works on email
An email arrives claiming the sender has accessed your accounts, browsing history, or camera, and demands cryptocurrency payment to suppress the alleged recording. The email includes your actual password — sourced from a publicly available breach database — to prove the claim and create panic. In many cases the intrusion claimed is entirely fabricated; the attacker merely bought your leaked credentials and composed a threatening message.
In genuinely successful stuffing attacks, the account breach itself is silent. The victim notices unusual activity — sent messages they did not write, purchases they did not make — weeks or months after the initial access.
Common red flags
- Extortion email includes a real password you have used in the past
- Email claims to have accessed your device's camera and demands payment in cryptocurrency
- Login alert from a service saying your account was accessed from an unrecognised location
- Accounts you rarely check show activity you did not perform
- Password found in a breach notification (haveibeenpwned.com) that you still use elsewhere
How to protect yourself
- Check all your email addresses on haveibeenpwned.com to identify breached accounts
- Use a unique strong password for every service — a password manager makes this practical
- Enable multi-factor authentication on every account that offers it
- If you receive a sextortion email, do not pay — the recording is almost certainly fabricated
- Immediately change any password mentioned in an extortion email and any other accounts where it is reused
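As an added example that is not part of this page, here is the password side of the "still use elsewhere" check above, done the way the Pwned Passwords range API works: only the first five characters of the password's SHA-1 hash leave your machine, and the match is made locally. The HTTP fetch is left to a caller-supplied function, and the response body embedded below is constructed for this example rather than a live result.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint (not contacted here): https://api.pwnedpasswords.com/range/<PREFIX>
# Constructed stand-in for its response to prefix "5BAA6"; the counts are made
# up for this example, and a live response holds hundreds of such lines.
CONSTRUCTED_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1 suffix of "password"
    "1E4C9B93F3F0682250B6CF8331B7EE68AAA:1\r\n"
    "000000000000000000000000000000000A0:7\r\n"
)


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it: the 5-char prefix is all the service
    ever sees; the 35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the raw range body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher backed by the constructed response above; a real
    fetcher would issue the HTTP GET for the prefix instead."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-only-i-use"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in the sample corpus'}")
```

A non-zero count means the password is in circulation and should be changed everywhere it is used; a zero result only says it was not in the corpus, not that it is strong.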
How to report it
- Report sextortion emails to the FBI (US) at ic3.gov or Action Fraud (UK)
- Forward the email to the National Cyber Security Centre (UK) at [email protected]
- Report to the FTC at reportfraud.ftc.gov if you suffered financial loss
Frequently asked questions
Why does the extortion email contain my actual password?
Scammers purchase databases of email-password pairs leaked in past breaches. The inclusion of a real password makes the email seem credible. However, in almost all cases, no device access has occurred — the attacker simply knows one of your old passwords.