Credential Stuffing Attacks Signalled via SMS
How SMS notifications — both legitimate and fraudulent — are exploited during credential stuffing campaigns to either assist attackers or misdirect victims.
Part of: Credential Stuffing Attacks
Last reviewed: 9 June 2026
Credential stuffing attacks — where stolen username and password combinations are tested across multiple services — intersect with SMS in two important ways. First, when a stuffing attack succeeds, the compromised account often sends a legitimate SMS login notification to the genuine account holder. Second, attackers who intercept or phish these SMS verification codes can bypass SMS-based two-factor authentication and complete account takeovers.
The SMS channel is both the alert system and a vulnerability in credential stuffing attacks. Understanding how this works helps consumers respond appropriately when they receive unexpected login notifications — rather than either ignoring them or clicking fraudulent links impersonating such notifications.
How this scam works on SMS
A victim whose credentials were exposed in a data breach may receive an SMS stating 'New login detected on your account from [location].' This is often a genuine notification from the compromised service. Attackers separately send fraudulent SMS messages mimicking this format, designed to harvest the recipient's account credentials or MFA codes by directing them to a phishing page.
A targeted attack combines the two: the attacker performs a real login attempt, triggering the legitimate SMS verification code. Simultaneously, a fraudulent SMS is sent claiming there is 'suspicious activity' and asking the recipient to call a number or visit a link to secure their account. Victims who comply either approve the attacker's login or provide their verification code directly.
Common red flags
- SMS about a new login or suspicious activity from a service you did not just access
- Follow-up SMS with a link to 'secure your account' that does not match the service's official domain
- Multiple login attempt notifications arriving in quick succession from multiple services
- SMS asking you to call a number to verify your identity — legitimate services handle this through in-app flows
- Login notification references a device or location you recognise but you did not initiate the login
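The second red flag, a link whose domain does not match the service's official one, is harder to judge by eye than it sounds: a phishing host can contain the real name as a subdomain or as the user-info part of the URL. The following is an added example, not code from the original page, showing how a link should be compared against a known official domain. The domain `example-bank.com` and the test URLs are constructed for illustration.

```python
"""Classify a link from an SMS against a service's official domain.

Added example, not part of the original page. The official domain list and
the sample URLs are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Constructed: the domains the (hypothetical) service actually sends links from.
OFFICIAL_DOMAINS = {"example-bank.com"}


def assess_sms_link(url, official_domains=OFFICIAL_DOMAINS):
    """Return 'official', 'lookalike' or 'other' for a link.

    'official' means the host IS an official domain or a subdomain of one.
    'lookalike' means the link merely contains or resembles the official name
    (e.g. 'example-bank.com.verify-now.net', 'https://example-bank.com@evil.net',
    'examp1e-bank.com'), which is the phishing case.
    """
    if "://" not in url:
        url = "https://" + url            # SMS links often omit the scheme
    raw = url.lower()
    # urlsplit().hostname drops any 'user@' prefix, so for
    # 'https://example-bank.com@evil.net' the host compared is 'evil.net'.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "other"

    domains = {d.lower() for d in official_domains}

    # Exact match or a true subdomain: compare whole labels, never substrings.
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return "official"

    # Simple homoglyph normalisation (digits commonly swapped for letters).
    normalised = host.translate(str.maketrans("10", "lo"))
    for domain in domains:
        first_label = domain.split(".")[0]
        if (domain in raw                       # name hidden elsewhere in the URL
                or first_label in host          # name reused under another domain
                or normalised == domain         # examp1e-bank.com
                or any(label.startswith("xn--") for label in host.split("."))):
            return "lookalike"
    return "other"


if __name__ == "__main__":
    for sample in ("https://example-bank.com/security",
                   "example-bank.com.verify-now.net/secure",
                   "https://example-bank.com@evil.net/login",
                   "https://examp1e-bank.com/"):
        print(sample, "->", assess_sms_link(sample))
```

The point of the whole-label comparison is that `host.endswith("." + domain)` accepts `login.example-bank.com` but rejects `example-bank.com.verify-now.net`, which a plain substring test would wave through. The punycode (`xn--`) check is a deliberate choice for this example, since the constructed official domain is ASCII; a service with an internationalised domain would list its punycode form among the official domains instead.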
How to protect yourself
- If you receive an unexpected login notification SMS, change your password immediately without clicking any links in the SMS
- Go directly to the service's website by typing the URL to review active sessions
- Use unique passwords for every service — a password manager helps manage this
- Replace SMS two-factor authentication with an authenticator app where possible
- Check your credentials against data breach databases like HaveIBeenPwned.com
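The last step can be automated without sending the password anywhere. HaveIBeenPwned's Pwned Passwords service accepts only the first five hex characters of the password's SHA-1 hash (`GET https://api.pwnedpasswords.com/range/<prefix>`) and returns every matching hash suffix with its breach count, so the full hash never leaves the device. The following is an added example, not code from the original page or from HaveIBeenPwned: it implements that k-anonymity lookup, and the sample response embedded in it is constructed (the suffixes and counts are invented) so the block runs offline; the network call is kept in a separate function.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not part of the original page. The range endpoint and the
"SUFFIX:COUNT" response format are HaveIBeenPwned's; SAMPLE_RANGE_RESPONSE
is a constructed stand-in with invented counts so the code runs offline.
"""
import hashlib

# Constructed: what a response to /range/5BAA6 looks like (SHA-1("password")
# begins with 5BAA6). The counts and the other suffixes are invented.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E4E7C9F4F5CB1D0B2E6A1C3D4E5F6A7B8C:1
"""


def hash_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of `password` into (5-char prefix, 35-char suffix).
    Only the prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return the breach count for `suffix`
    (0 when the hash is absent from the range)."""
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup against the real API (only used when run online)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return how many times `password` has appeared in known breaches.
    `fetch` is injectable so the check can run against a stored response."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    n = check_password("password", fetch=lambda prefix: SAMPLE_RANGE_RESPONSE)
    print("breach count for 'password' (constructed data):", n)
```

A non-zero count means the password is already in attackers' lists and will be among the first tried by credential stuffing tools; the fix is the one the list above gives, a unique password per service. Replacing the lambda with the default `fetch_range` performs the real query, still sending only the five-character prefix.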
How to report it
- Report the suspicious SMS to 7726 (SPAM) on your mobile
- Report to Action Fraud (UK) or IC3 (US) if an account was taken over
- Report the phishing SMS to the organisation being impersonated
Frequently asked questions
Why am I receiving login alerts for accounts I did not access?
Your username and password are likely in a leaked database being tested by automated credential stuffing tools. Change your password on the affected service immediately and ensure you are not using the same password anywhere else.
Is SMS two-factor authentication safe against credential stuffing?
SMS MFA adds a layer of protection but can be bypassed through SIM swapping, SS7 interception, or phishing the OTP code. Authenticator apps or hardware keys provide stronger protection for high-value accounts.