Credential Stuffing Attacks

Credential stuffing is a large-scale automated account takeover technique that exploits the widespread human habit of reusing the same username and password across multiple online services. Attackers obtain vast databases of stolen credentials — typically sourced from previous data breaches at companies that stored passwords poorly — and use automated software to test those pairs against many popular websites and apps simultaneously.

Unlike brute-force attacks, which try random password guesses, credential stuffing uses real credentials that were previously valid somewhere. This makes the success rate significantly higher, even though it is still a small percentage of attempts in absolute terms. When services hold hundreds of millions of accounts, even a one-percent success rate against a leaked credential list of ten million pairs means tens of thousands of compromised logins.

Victims typically have no warning that an attempt is in progress. The attack is silent and automated, and the first sign of compromise is usually a notification that their account has been accessed from an unfamiliar device or location — often after the attacker has already extracted value from the account. Because the attack exploits credential reuse rather than any weakness in the target service's own security, the responsibility for defence lies primarily with the account holder.

The process begins with a credential list: a file containing millions of email-address-and-password pairs compiled from one or more data breaches. These lists are traded and sold in criminal markets and are updated continuously as new breaches occur.

Attackers load the list into automated software — known as credential stuffing tools — that submits login requests to target websites in a distributed manner, often routing traffic through residential proxy networks to disguise the volume and avoid IP-based rate limiting.

When a valid combination is found on a target service, the tool flags it. The attacker then logs in manually or through further automation to extract value: check the account balance, drain a stored gift card balance, place orders with saved payment methods, access stored personal documents, or use the account as a launchpad for further fraud. High-value accounts — banking, cryptocurrency exchanges, e-commerce with stored cards — are prioritised.

Many credential stuffing campaigns are run against dozens of services simultaneously, maximising the return from a single leaked dataset. The scale of some attacks means that a breach at a relatively obscure service years ago can result in compromises at major financial institutions today.

Password reuse is extremely common because managing unique passwords for every service is cognitively demanding without a dedicated tool. People naturally gravitate toward memorable passwords that they can use repeatedly, especially for services they consider low-risk — not realising that a breach at any one of them exposes all accounts where the same credentials were used.

Automation makes the attack economically viable: the marginal cost of testing an additional credential pair is near zero once the tooling is set up. Residential proxy networks make IP-based blocking difficult. And because the credentials being tested were genuinely valid at some point, sophisticated fraud-detection systems trained on 'normal' user behaviour have to work harder to distinguish a credential stuffer from a legitimate user.

A person used the same email and password combination for their email, a streaming service, and their supermarket loyalty account. The streaming service suffered a data breach several years earlier. An automated tool tested the stolen credentials against a major retailer and found a match. The attacker logged in, changed the delivery address, and placed an order using the stored payment method. The person only discovered the compromise when they received an order confirmation for items they had not bought.

New sign-in to your [service] account from [device] in [location]. If this wasn't you, secure your account at [link].

Your order [order number] for [amount] has been confirmed. Your delivery address is [unfamiliar address].

Your loyalty points balance has changed. [Number] points were redeemed on [date] at [location].

Your [service] account password was recently changed. If you did not make this change, click here.

Check whether your email address has appeared in known data breaches using a reputable breach-notification service. If your credentials appear in a breach, change the password on the affected service immediately and on every other service where you used the same password.

Log into your important accounts and review the recent activity or login history section. Look for logins from unrecognised locations, devices, or IP addresses. Many services send email alerts for new device logins — enable these if the option exists.

If you have been using the same password on multiple services for a long time, treat it as compromised and rotate it. A password manager makes it practical to maintain unique, strong passwords across hundreds of accounts.