Credential Stuffing Account Fraud

Credential stuffing is an automated attack in which criminals use large lists of username and password combinations — typically obtained from previous data breaches — to attempt logins on other websites. Because a significant proportion of internet users reuse passwords across multiple sites, even a breach of a low-security platform can yield credentials that work on high-value targets like banks, online retailers, and payment services.

Unlike brute-force attacks that guess passwords, credential stuffing uses real, previously valid credentials. This makes the attempts harder for security systems to distinguish from legitimate login attempts, especially when the attacker uses residential proxy networks to distribute the traffic across many IP addresses.

The fraud that follows account compromise ranges from immediate financial loss (draining payment wallets, cashing out loyalty points, placing orders for physical goods to redirect addresses) to identity data harvesting (recording stored personal information for use in further fraud). Even accounts with no stored payment method have value, as they may contain personal data or serve as email addresses for password reset on linked accounts.

Attackers begin with a 'combo list' — a compiled file of email address and password pairs harvested from one or more previous breaches. These lists are sold on criminal markets and can contain hundreds of millions of records. Automated tools cycle through the list, submitting login attempts at scale against target websites.

Successful logins are logged automatically, and the attacker reviews the 'hit' accounts. They look for stored payment cards, credit balances, gift card codes, loyalty points, or shipping addresses preloaded with real information. For valuable accounts — those with high balances or premium memberships — they change the registered email address to lock out the genuine owner before exploiting the account.

For less valuable accounts, they may simply harvest stored personal data (date of birth, address, phone number) to enrich their identity databases or to pass verification questions at other institutions. The victim often has no idea their account was accessed until they notice a missing balance, receive a fraud alert, or attempt to log in and find their email address has changed.

Password reuse is extremely common because humans cannot memorise dozens of unique complex passwords. Credential stuffing exploits this directly: a breach of any platform you use, however minor, potentially unlocks your accounts elsewhere. Attackers use residential proxy networks to avoid IP-based blocking, and their tools rotate credentials slowly enough to evade velocity-based detection. The low cost of automation means even a 0.5% success rate on a list of ten million records yields fifty thousand compromised accounts.

[Retailer]: a new sign-in to your account was detected from [Location] on [Device]. If this was not you, secure your account now.

Your [Airline] account email has been changed to [New Email]. If you did not make this change, contact our security team at [Number].

[Gaming Platform]: [Amount] of in-game currency has been transferred from your account. If this was not you, please reset your password.

Have I Been Pwned alert: your email address [Address] was found in the [Breach Name] data breach. Your password may be compromised.

[Bank]: an attempt was made to access your online banking from an unrecognised device. We have locked the session. Please verify at [URL].

Use a password manager to generate and store a unique random password for every account. This means that if one site is breached, no other account is compromised. Enable multi-factor authentication (MFA) wherever it is offered — preferably using an authenticator app rather than SMS. Check your email addresses at HaveIBeenPwned.com periodically to see if your credentials have appeared in known breaches and change the affected passwords immediately.