Credential stuffing is an automated attack that takes email and password pairs leaked in earlier breaches and tries them against sites other than the one that was breached, betting that the victim reused the same credential there. It works because most people use the same password across services and because the supply of leaked credential lists (the so-called combo lists) on underground forums is enormous and cheap. It does not require discovering anything new: it just exploits what earlier breaches have already exposed.
This guide explains what credential stuffing is, how an attack is set up operationally (combos, tooling, proxies, anti-CAPTCHA), how it differs from brute force and password spraying, the best-known public cases without mythologising them, how it is detected on the defensive side, and which measures have real impact in preventing account takeover (ATO).
What credential stuffing is
Credential stuffing is the automated use of credentials leaked in one breach against services other than the one that was breached, on the assumption that a percentage of users will have reused the same password. If the 2012 LinkedIn breach exposes the pair john@company.com:Summer2012!, the attacker throws that pair at banking portals, retailers, streaming platforms, personal email and corporate SaaS, hoping that the same John reused the password elsewhere.
The attacker breaks no new crypto, exploits no vulnerability in the target server. They simply leverage the human pattern of reusing passwords. That is why this category does not show up as a CVE in NVD: the problem is not in the code, it is in the usage pattern.
Credential stuffing does not break doors: it tries stolen keys on other houses to see which ones open. The victim server sees login attempts with credentials that are valid for an existing account.
Typical success rates in large campaigns hover between 0.1% and 2% depending on source and vertical. Sounds low, but applied to a combo list of several million credentials it yields tens of thousands of compromised accounts at almost zero operational cost for the attacker.
How it works technically
The operational chain of a credential stuffing attack has well-defined parts and a mature underground market around each one.
Combo lists and sources
A combo list is a plain text file with thousands or millions of pairs in user:password (or email:password) format. Main sources are historical public data breaches (LinkedIn 2012, Adobe 2013, MySpace 2008, Yahoo 2013-2014, Collection #1 to #5 released in 2019, modern compilations) plus more recent breaches sold on forums like BreachForums before its takedown and its successors.
Combos are enriched, filtered by target domain, sorted by success probability, and bought and sold in segments. A combo focused on "ES online banking users" sells for more than a generic one.
Specialised tooling
Sentry MBA was historically the dominant tool: it loaded combos, configured login templates and managed proxies. Its modern successor is OpenBullet (and derivatives like BlackBullet) with C# scripting for complex flows with CSRF tokens, redirects or JavaScript challenges. Snipr is popular in gaming forums. Public "config" repositories exist for Netflix, Spotify, Fortnite, Disney+ and well-known retailers.
Proxy rotation
Without IP rotation any mediocre WAF stops the attack through rate limiting. Attackers use pools of residential proxies bought from providers like Bright Data or from grey operators selling access to botnets of compromised SOHO routers. Every attempt exits through a different IP, indistinguishable from legitimate residential traffic.
Anti-CAPTCHA services
For sites protecting login with reCAPTCHA or hCaptcha there are services (2Captcha, Anti-Captcha, CapMonster) that solve challenges through cheap human operators for a few dollars per thousand solves. CAPTCHA as the sole defence drops to near zero effectiveness against a motivated attacker.
Validation and monetisation
Validated credentials (hits) get enriched with account data (balance, points, payment method) and monetised: direct sale of streaming accounts, draining of retail loyalty points, fraud with stored card or lateral escalation in corporate SaaS to prepare BEC.
Credential stuffing vs brute force vs password spraying
The three families get conflated in media coverage. Key differences:
| Feature | Credential stuffing | Brute force | Password spraying |
|---|---|---|---|
| Credential origin | email:password pairs leaked from breaches | Local generation or generic dictionaries | Short list of common passwords |
| Target | One specific account per pair | One specific account | Many accounts with few passwords |
| Volume per account | 1 attempt per valid pair | Hundreds or thousands of attempts | 1 or 2 attempts per account |
| Lockout detection | Does not trigger (1 attempt per account) | Triggers easily | Does not trigger |
| Main defence | MFA plus breach checks | Lockout plus complexity | Account-based rate limiting |
| Cost for the attacker | Very low | High against complex passwords | Low |
The big advantage of credential stuffing for the attacker is that it flies under the radar of classic lockouts: only the combination believed correct for that account is tried, so the per-user fail counter does not trip.
Why it works
Three realities sustain the model and none has been fully solved.
Humans reuse passwords. Year after year surveys show that a majority admits to reusing passwords across services. Remembering dozens of unique strong passwords without a tool is infeasible, and password managers remain a minority outside technical profiles.
MFA is still not universal. Banking, public administration and enterprise SaaS have moved far, but services where MFA is optional or skippable still exist. And within MFA-enabled accounts, a share uses SMS (vulnerable to SIM swap) instead of TOTP, push or FIDO2.
Password managers remain a minority. Measured use of dedicated managers (1Password, Bitwarden, KeePass, browser managers) sits at a low percentage of the total. The majority still remembers and therefore reuses passwords. Until the pattern shifts at aggregate scale, credential stuffing keeps its fuel.
Documented public cases
Without mythologising them, concrete references help size the problem.
23andMe (October 2023) suffered a credential stuffing incident compromising individual accounts. The genealogy tree feature exposed data of millions of linked relatives. It led to class actions and a significant financial settlement.
Roku declared in 2024 two successive campaigns affecting hundreds of thousands of accounts, with fraudulent purchases using stored payment methods. The company ended up forcing MFA for all users after the second incident.
Dunkin' Donuts suffered a documented campaign against its DD Perks loyalty programme in 2018-2019. Attackers drained points and the company faced legal action from the New York Attorney General with a financial penalty.
Disney+ at launch (November 2019) had a wave of compromised accounts put up for sale on forums even before the first week of service.
British American Tobacco and other loyalty-programme cases show the same pattern: the higher the value of redeemable points, the more attractive the account as ATO target.
Most targeted platforms
The most attractive verticals combine immediately monetisable value and low defensive friction.
Retail and eCommerce with loyalty. Points convertible into gifts or discounts that are easy to resell. Accounts with stored cards allow direct fraud if it passes verification.
Streaming (Netflix, Disney+, Spotify, HBO). Accounts subleased or sold well below official price, underground market with high volume.
Gaming (Fortnite, Roblox, Steam, League of Legends). Inventories of skins, virtual currency or characters of real value with very liquid secondary market.
Financial services. Digital banks, neobanks, crypto wallets, payment platforms. Direct monetisation but also strong defensive friction (hard MFA, second factor on independent channel).
B2B SaaS. CRM, ERP, collaboration tools, code repositories. Value lies in lateral access to corporate data or in preparing BEC against customers and suppliers.
Defensive detection
Detecting credential stuffing in real time demands combining signals across multiple layers; a single measure is never enough.
WAF with per-IP and per-account rate limiting. Rules limiting attempts per IP in short windows are the first barrier. Per-account rules are the critical ones, because an attacker with a large proxy pool easily bypasses the per-IP limit.
Behavioural analytics (UEBA). Platforms that profile typical user behaviour (hour, devices, locations) and raise alerts when the login deviates. Especially useful in B2B SaaS and banking.
Device fingerprinting. Persistent cookies, browser identifiers, hardware. A valid login from a device never seen before may require additional verification. FingerprintJS, ThreatMetrix, iovation cover this niche.
Velocity checks. Detecting physical impossibilities: the same user logging in from Spain and Brazil five minutes apart. Infeasible for humans, frequent in credential stuffing.
Login failure spike alerts. Monitoring the overall failed-login rate. A campaign triggers an anomalous pattern the SOC can investigate even when fine-grained rules do not yet block it. Best practice is to integrate it into the corporate SIEM.
Geo-IP anomaly. Accounts that historically logged in only from Spain and suddenly receive attempts from dozens of countries within minutes. Clear sign of a combo list being worked against that tenant.
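As an added illustration of the signals above (example code, not from the original article), a small Python analyser over a constructed login log: it computes the overall failure rate, the share of accounts touched exactly once (the stuffing signature that per-user lockouts miss), and the velocity check for one user appearing in two countries within minutes. The log format, thresholds and sample data are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (timestamp,user,ip,country,result); not real data
SAMPLE_LOG = """\
2024-05-01T10:00:00,alice,203.0.113.10,ES,OK
2024-05-01T10:00:04,bob,198.51.100.7,BR,FAIL
2024-05-01T10:00:05,carol,198.51.100.8,US,FAIL
2024-05-01T10:00:06,dave,198.51.100.9,DE,FAIL
2024-05-01T10:00:07,erin,198.51.100.10,NL,FAIL
2024-05-01T10:00:09,alice,198.51.100.11,BR,OK
2024-05-01T10:00:10,grace,198.51.100.12,IN,FAIL
2024-05-01T10:00:12,heidi,198.51.100.13,FR,FAIL
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "ok": result == "OK"})
    return events

def failure_rate(events):
    """Overall failed-login ratio; alert when it exceeds the tenant baseline."""
    return sum(not e["ok"] for e in events) / len(events)

def single_attempt_ratio(events):
    """Share of accounts touched exactly once: a campaign tries one pair per
    account, so this climbs while per-user lockout counters stay quiet."""
    per_user = Counter(e["user"] for e in events)
    return sum(n == 1 for n in per_user.values()) / len(per_user)

def impossible_travel(events, max_seconds=300):
    """Successful logins by one user from two countries inside the window."""
    hits, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]: continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and \
                (e["ts"] - prev["ts"]).total_seconds() <= max_seconds:
            hits.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return hits

def analyse(log, baseline_failure=0.15):
    ev = parse(log)   # one verdict for the SOC; spike threshold is assumed
    return {"failure_spike": failure_rate(ev) > 3 * baseline_failure,
            "single_attempt_ratio": round(single_attempt_ratio(ev), 2),
            "impossible_travel": impossible_travel(ev)}
```

In production the same functions run over a sliding window and the baseline comes from the tenant's own history rather than a constant.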
Robust prevention
Detection helps you respond; prevention reduces surface. Measures with proven impact, by priority:
Mandatory MFA. The control with the best cost/benefit ratio. TOTP (Google Authenticator, Authy, Microsoft Authenticator) is the defendable minimum. App-managed push adds usability. FIDO2 with hardware key (YubiKey, Titan) is the gold standard against credential stuffing and phishing combined.
Passkeys and WebAuthn. The migration is maturing. They replace the password with a cryptographic key bound to the device and anchored with local biometrics. Apple, Google and Microsoft push adoption. An account migrated to passkey stops being vulnerable to credential stuffing.
Password breach checks at login. Integrating the Have I Been Pwned API (k-anonymity) in the password change flow and optionally at login. If the password appears in known breaches, force a change. The API is free and never receives the full password.
Invisible CAPTCHA. hCaptcha and reCAPTCHA Enterprise only present challenges when the risk score is high. Reduces legitimate-user friction. Not a complete solution but raises attacker cost.
Dedicated bot management. Cloudflare Bot Management, Akamai Bot Manager, F5 Distributed Cloud Bot Defense apply fingerprinting, headless browser detection and JavaScript sensors to distinguish automation. High cost but measurable impact under constant siege.
Sane lockout policies. Locking after X failures protects against brute force but opens the door to denial of service against users (an attacker can deliberately lock legitimate accounts). Recommended design: limit per IP as well as per account, lockout with exponential backoff, unlock through a verified channel.
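The lockout design just described, as an added Python example (not code from the original article): failures are counted per IP and per account, the block is an exponential delay rather than a hard lock, and the account side is cleared only through the verified-channel reset. Thresholds, backoff values and the injectable clock are assumptions.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Failure counters kept per IP and per account, with exponential backoff.

    Both keys are checked so a proxy pool does not escape the IP limit and a
    single source cannot pin a victim's account shut; the block is a growing
    delay rather than a hard lock, and the account side is cleared only by
    reset_account (after verification on an independent channel).
    Thresholds and the injectable clock are assumptions for the example.
    """
    def __init__(self, base_seconds=2, max_seconds=900,
                 ip_threshold=10, account_threshold=5, clock=time.time):
        self.base, self.cap, self.clock = base_seconds, max_seconds, clock
        self.thresholds = {"ip": ip_threshold, "acct": account_threshold}
        self.failures = defaultdict(int)        # key -> consecutive failures
        self.blocked_until = defaultdict(float)  # key -> epoch seconds

    def _delay(self, kind, count):
        """0 below the threshold, then base * 2^n seconds, capped."""
        over = count - self.thresholds[kind]
        return 0 if over < 0 else min(self.cap, self.base * 2 ** over)

    def check(self, ip, account):
        """Seconds the caller must still wait; 0 means the attempt may proceed."""
        until = max(self.blocked_until[("ip", ip)],
                    self.blocked_until[("acct", account)])
        return max(0, until - self.clock())

    def record(self, ip, account, success):
        """Update counters after an attempt; success clears only the account."""
        now = self.clock()
        if success:
            self.failures[("acct", account)] = 0
            self.blocked_until[("acct", account)] = 0
            return
        for key in (("ip", ip), ("acct", account)):
            self.failures[key] += 1
            self.blocked_until[key] = now + self._delay(key[0], self.failures[key])

    def reset_account(self, account):
        """Unlock via a verified channel (support call, email link, etc.)."""
        self.failures[("acct", account)] = 0
        self.blocked_until[("acct", account)] = 0
```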
Risk-based authentication. The system scores the attempt (geo, device, hour, pattern) and demands extra factors only when the score rises. Adopted by banking, Microsoft Entra ID, Okta and most modern IDPs.
Post-incident ATO response
When an account falls, the response makes the difference between contained incident and prolonged litigation.
Immediate mandatory password reset for all affected accounts. Reset also of the second factor where appropriate, especially with suspicion of SIM swap or device tampering.
Invalidation of all active sessions. Any session token issued before the incident must become useless. JWT with short TTL and central revocation is good design practice.
Customer notification. Where personal data is compromised and the risk is high, in Spain notification to the AEPD falls under the GDPR deadline (72 hours). Notification to the affected party is mandatory when the personal risk is high.
Forensics and pattern hunt. Review logs to understand the real scope (how many other accounts were tried, what combo was used, what IPs participated). Share IOCs where appropriate and document the lesson learned.
Regulatory fit
Credential stuffing impacts three key frameworks in the Spanish and European context.
GDPR Article 32. Requires appropriate technical and organisational measures. The AEPD has sanctioned companies for absence of MFA and anti-brute-force controls when the attack materialised. The reasoning is direct: if MFA is industry standard and not applied, the measures were not appropriate.
NIS2 Article 21(g). Demands access management measures, expressly including multi-factor authentication in critical systems. Companies in essential or important sectors must justify MFA deployment and anomalous-access detection. More context in the NIS2 audit guide.
PCI DSS version 4.0, requirements 8.4 and 8.5. Mandatory MFA for administrative access to the cardholder data environment and, since March 2025, also for any access from outside the entity's network. Non-compliance exposes the entity to sanctions from the card brands and to liability shift for fraud.
Beyond pure legal compliance, cyber-insurance policies increasingly demand MFA controls and ATO detection as a condition to maintain coverage.
Frequently asked questions
Does MFA fully eliminate credential stuffing?
It does not eliminate it but neutralises it for most campaigns. MFA with TOTP, push or FIDO2 makes the stolen credential insufficient on its own. Residual vectors remain (SIM swap against SMS MFA, MFA fatigue, advanced OAuth phishing) but the critical mass of the problem disappears. It is the best defensive ROI available.
Do passkeys replace the password?
In the medium term the industry direction goes that way. In the short term both models coexist. Accounts migrated to passkey stop being vulnerable to credential stuffing because there is no password to reuse. Adoption is uneven and recovery flows must be designed carefully not to reintroduce the problem through the back door.
Is my company a target?
If you have login exposed to the internet, yes. The attacker does not select victims: they throw the combo at hundreds of domains in parallel. The only thing that changes between verticals is monetisation priority. Assuming constant pressure lets you design controls accordingly.
Is integrating the Have I Been Pwned API legal?
Yes. The service maintained by Troy Hunt exposes a public API with k-anonymity that allows querying whether a password appears in known breaches without revealing the full password. The client sends the first five characters of the SHA-1 hash and receives the suffixes of every known hash sharing that prefix, so the match is made locally. Free to use with attribution.
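The k-anonymity exchange described here and in the prevention section, as an added Python example that is not part of the original article: only the first five hex characters of the SHA-1 leave the client, the returned suffix list is matched locally, and the password change flow rejects any password with a non-zero count. The offline response and its counts are constructed; fetch_range talks to the real range endpoint.

```python
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Uppercase SHA-1 split into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Query the real range endpoint; only the 5-hex-char prefix leaves the client."""
    req = Request(HIBP_RANGE + prefix, headers={"User-Agent": "example-breach-check"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in the corpus, 0 if absent.
    The response is one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0

def password_allowed(password, fetch=fetch_range):
    """Policy hook for the change flow: reject any password seen in a breach."""
    return pwned_count(password, fetch) == 0

# Constructed offline response for prefix 5BAA6 (the prefix of SHA-1("password"));
# the suffixes follow the real format but the counts are made up.
FAKE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
ABCDEF0123456789ABCDEF0123456789ABC:1
"""

def fake_fetch(prefix):
    """Stand-in for fetch_range so the example runs offline; checks that the
    caller really sends only five characters."""
    assert len(prefix) == 5
    return FAKE_RESPONSE
```

Calling password_allowed with the default fetch performs the live query; the service asks clients to send a descriptive User-Agent.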
Is CAPTCHA still a valid defence?
Useful but not enough on its own. Human anti-CAPTCHA services solve challenges for dollars per thousand. Invisible CAPTCHA based on signals (reCAPTCHA Enterprise, hCaptcha Enterprise) raises attacker cost and friction. Valid as an additional layer, never as the only barrier.
How much does defending against it cost?
Depends on size and asset value. For an SME, enforcing MFA in critical SaaS and breach checks at password change is practically zero cost plus hours of work. For a platform with its own login and high traffic, a dedicated bot management solution runs from several thousand to tens of thousands of euros annually. The correct comparison is against the expected cost of an ATO with regulatory notification, customer refunds and reputational damage.
Related resources
- What is pharming: complementary credential-theft technique via DNS manipulation, frequent precursor to modern combo lists.
- How to avoid phishing: main source of fresh email:password pairs feeding combo lists.
- What is social engineering: context on the human factor sustaining password reuse.
- What is ransomware: typical impact when the compromised account belongs to a profile with lateral privileges.
- What is PKI: cryptographic foundation of passkeys, FIDO2 and the move toward passwordless authentication.
- What is spoofing: family of techniques associated with phishing and credential capture in earlier phases.
ATO defence with Secra
At Secra we tackle credential stuffing defence on three fronts: audit of the current login state (presence and robustness of MFA, session management, breach checks, WAF rules at the authentication layer), controlled account-takeover testing inside Red Team projects to validate whether controls detect real campaigns with synthetic combos, and roadmap design toward passkeys and risk-based authentication when the customer is ready to migrate. If you want to understand the real exposure of your platform to automated ATO, reach us through contact or check our managed cybersecurity catalogue.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.