Safeguard
Vulnerability Analysis

What is Credential Stuffing

Credential stuffing uses billions of breached passwords to hijack accounts at scale. Learn how it works, real breaches it caused, and how to stop it.

Priya Mehta
DevSecOps Engineer
6 min read

Credential stuffing is an automated attack in which criminals take usernames and passwords stolen from one breach and try them, at scale, against completely unrelated websites and apps. It works because people reuse passwords: Google's 2019 Harris Poll survey found 65% of people reuse the same password across multiple accounts, and attackers exploit that habit with bots that can attempt tens of thousands of logins per minute. The raw material is abundant — ReliaQuest's 2022 "From Exposure to Takeover" report tallied more than 24 billion username-password pairs circulating on criminal forums, most harvested from unrelated third-party breaches, not from the sites being attacked. Akamai's State of the Internet research recorded 193 billion credential stuffing attempts globally in 2020 alone, with financial services and gaming as top targets. Unlike a targeted hack, credential stuffing is a numbers game: attackers don't need to breach your systems if your users' passwords were already breached somewhere else.

How does credential stuffing actually work?

Credential stuffing works by feeding lists of previously breached username-password pairs into automated tools that replay those logins against a target's authentication endpoint until some fraction succeed. Attackers acquire "combo lists" — plaintext or cracked credential dumps — from dark web marketplaces or breach aggregation sites like the "Collection #1" dump that exposed 773 million unique email addresses in 2019. A stuffing tool then cycles through the list, routing each login attempt through a rotating pool of residential proxies and randomized device fingerprints to evade IP-based rate limiting and bot detection. Because password reuse rates hover around 60-65% according to multiple industry surveys, even a modest success rate of 0.1-2% on a list of a million credentials yields thousands of valid account takeovers. Successful logins are then harvested for loyalty points, stored payment cards, personal data, or resold as "verified" credential pairs at a markup.

How is credential stuffing different from brute-force or password spraying?

Credential stuffing differs from brute-force and password spraying in that it uses real, previously-valid credentials instead of guessed ones. Brute-force attacks try many password guesses against one known username, relying on weak or short passwords and typically triggering lockouts quickly. Password spraying flips that — it tries one or a few common passwords (like "Winter2024!") against many usernames, staying under per-account lockout thresholds. Credential stuffing needs no guessing at all: the attacker already has a username-password pair that worked somewhere else, so the only question is whether the victim reused it. This is why credential stuffing bypasses traditional lockout defenses so effectively — from the target system's perspective, each login attempt looks like someone typing their own correct-looking credentials, not a string of failures.

What tools do attackers use to automate credential stuffing?

Attackers automate credential stuffing with purpose-built tools such as OpenBullet, SentryMBA, SNIPR, and STORM, which are freely available on forums and support "config" files pre-tuned to specific target login forms. These tools integrate with CAPTCHA-solving services (some advertised for as little as $1 per 1,000 solves) and residential proxy networks that route traffic through real consumer IPs to blend in with legitimate user traffic. Config marketplaces sell ready-made setups for specific brands — streaming services, retailers, banks — so an attacker with no coding skill can point a purchased config and a combo list at a target and start harvesting valid logins within minutes. Akamai and HUMAN Security have both documented "credential stuffing as a service" ecosystems where the entire attack chain, from proxies to combo lists to output parsing, is rented rather than built.

How big of a threat is credential stuffing in 2026?

Credential stuffing remains one of the highest-volume attack categories tracked by web security vendors, consistently ranking alongside DDoS and scraping bots in annual threat reports. The FBI's Internet Crime Complaint Center and multiple financial-sector ISACs have flagged credential stuffing as a leading cause of account takeover fraud, with retail and financial services reporting bot traffic that at peak periods exceeds 90% of total login attempts on unprotected endpoints, according to figures cited in Akamai and F5 threat research. The 23andMe breach disclosed in October 2023 is a clarifying case: attackers didn't breach 23andMe's core systems at all — they stuffed credentials leaked from other services against roughly 14,000 accounts, then used the platform's own "DNA Relatives" feature to scrape data on an estimated 6.9 million connected profiles. That single incident shows how a low-cost, low-skill attack technique can produce breach-scale consequences without a single line of custom exploit code.

What are real-world examples of credential stuffing attacks?

Real-world credential stuffing incidents include the 2023 23andMe breach described above, PayPal's January 2023 disclosure that credential stuffing compromised roughly 35,000 accounts by matching leaked credentials against PayPal login pages, and Norton LifeLock's December 2022 breach in which attackers used stuffing to access approximately 925,000 accounts, enabling password manager vault access for a smaller subset. The North Face disclosed in 2022 that credential stuffing compromised around 194,905 customer accounts on its e-commerce site. Chick-fil-A confirmed in early 2023 that a credential stuffing campaign led to unauthorized access on roughly 71,000 customer accounts, some of which had stored funds drained via the mobile app's rewards balance. In each case, the companies' own systems weren't breached first — the attackers imported valid credentials stolen elsewhere and relied on password reuse to walk in the front door.

How can organizations detect and prevent credential stuffing?

Organizations detect and prevent credential stuffing by combining behavioral bot detection, leaked-credential monitoring, and authentication hardening rather than relying on any single control. Effective measures include enforcing multi-factor authentication (which the FBI and CISA both cite as blocking the vast majority of automated account-takeover attempts even when the password is correct), deploying device fingerprinting and velocity-based rate limiting that flags improbable login patterns (e.g., the same account attempted from 40 IP addresses in 60 seconds), and proactively checking new and existing user credentials against known-breached password databases such as the Have I Been Pwned Pwned Passwords API. CAPTCHA and JavaScript challenge pages raise the cost of unsophisticated bots but are routinely defeated by CAPTCHA-solving services, so mature programs pair them with server-side anomaly detection that looks at login velocity, impossible-travel geolocation, and credential reuse signals rather than trusting front-end challenges alone.

How Safeguard Helps

Credential stuffing is often a downstream consequence of upstream software supply chain weaknesses — leaked secrets baked into container images, vulnerable auth or session-management libraries, and exposed login endpoints that never got rate-limiting patches. Safeguard's reachability analysis identifies which of your authentication-adjacent dependencies carry exploitable, network-reachable vulnerabilities versus which are dead code, so security teams can prioritize the CVEs that actually expose login flows instead of chasing every CVSS score. Griffin AI triages the resulting alerts and secret-exposure findings in context, cutting through noise to surface the credential-handling issues most likely to enable account takeover. Continuous SBOM generation and ingest give teams a live inventory of every auth library, token handler, and password-hashing component across their stack, and Safeguard's auto-fix PRs ship the dependency bumps and configuration fixes directly into the codebase — closing the exposure window before it becomes the next stuffing target.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.