What is Credential Stuffing?
Credential stuffing is an attack that takes username and password pairs leaked from one company's breach and replays them, by the millions and with automation, against the login pages of unrelated services. It works for one depressing reason: people reuse passwords. When a stolen password from a years-old breach still unlocks the same person's account somewhere else, the attacker walks straight in — no exploit, no malware, just a valid login.
It is not brute force
The distinction matters for defense. A brute-force attack guesses many passwords against a single account and trips lockouts fast. Credential stuffing does the opposite: it tries one known-real password against each of many accounts, so any individual account sees only a single failed attempt and classic per-account lockouts never fire. Spread across a botnet of thousands of addresses, the traffic blends into normal login noise. The attacker is not guessing — they are testing credentials that were genuinely valid somewhere else, which is why even a low success rate translates into a large number of compromised accounts at scale.
Where the credentials come from
The raw material is the steady stream of data breaches. Billions of username and password combinations circulate in compiled lists, sold and traded and eventually dumped for free. Attackers feed these lists into automated tools — sometimes purpose-built “account checker” software — that distribute the attempts across many addresses to evade detection. Because passwords are reused for years, a leak from one service stays useful against others long after the original breach is forgotten. The economy is mature: lists, tooling, and proxy networks are all available off the shelf, which keeps the cost of an attack low.
What a takeover costs you
A compromised account is rarely the end goal — it is a foothold. Attackers drain stored value and loyalty points, harvest saved payment details and personal data, commit fraud under the victim's name, or use the trusted account to launch phishing against the victim's contacts. For the business, the fallout includes chargebacks, support load, regulatory exposure, and eroded trust. And because the login itself was valid, fraud-detection systems that key on “is this a real account?” can be slow to notice that the person behind it is not the real owner.
How to stop it
The single most effective control is multi-factor authentication: a valid stolen password fails at the second factor, which defeats the overwhelming majority of attempts. Beyond that, check new and changed passwords against known-breached lists and block reuse. Add bot management and intelligent rate limiting that look at patterns across accounts rather than per account. Watch for the telltale signature — a surge of failed logins, many accounts probed from few sources, machine-like timing. Passwordless options such as passkeys remove the reusable secret entirely and are the strongest answer of all.
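The cross-account rate limiting and the "telltale signature" described above can be turned into a concrete detection rule. The following is an added example, not code from this page or from QUANT LAB: it profiles each source address in a batch of constructed login-log lines (the `src=... user=... result=...` line format is hypothetical, as are the thresholds) and separates credential stuffing (a few failures each across many accounts, machine-regular timing) from brute force (many failures against one account) and from ordinary traffic, including a shared office egress that touches many accounts but rarely fails.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real traffic). The line format is hypothetical:
# "<ISO timestamp> src=<ip> user=<account> result=ok|fail", one attempt per line.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01Z src=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z src=203.0.113.7 user=dave result=ok
2024-05-01T10:00:04Z src=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z src=203.0.113.7 user=frank result=fail
2024-05-01T10:00:06Z src=203.0.113.7 user=grace result=fail
2024-05-01T10:00:07Z src=203.0.113.7 user=heidi result=fail
2024-05-01T10:00:00Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:05Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:06Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:20Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:21Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:40Z src=192.0.2.9 user=victim result=fail
2024-05-01T10:00:00Z src=198.51.100.4 user=alice result=fail
2024-05-01T10:01:30Z src=198.51.100.4 user=alice result=ok
2024-05-01T10:00:00Z src=198.51.100.77 user=ivan result=ok
2024-05-01T10:02:13Z src=198.51.100.77 user=judy result=ok
2024-05-01T10:05:40Z src=198.51.100.77 user=karl result=fail
2024-05-01T10:05:52Z src=198.51.100.77 user=karl result=ok
2024-05-01T10:09:01Z src=198.51.100.77 user=laura result=ok
2024-05-01T10:15:27Z src=198.51.100.77 user=mike result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Illustrative thresholds; tune them to your own login traffic.
MIN_FAILS = 5       # failures from one source before it is worth a look at all
MIN_ACCOUNTS = 5    # distinct accounts touched: the cross-account signal
MAX_GAP_CV = 0.25   # stdev/mean of inter-attempt gaps; near 0 is machine-like timing


def parse_log(text):
    """Turn log lines into attempt records; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"})
    return events


def profile_sources(events):
    """Per source address: attempts, failures, distinct accounts, timing regularity."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    profiles = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        cv = None  # too few attempts to judge timing
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        profiles[src] = {
            "attempts": len(evs),
            "fails": sum(1 for e in evs if not e["ok"]),
            "accounts": len({e["user"] for e in evs}),
            "gap_cv": cv,
            "machine_like": cv is not None and cv <= MAX_GAP_CV,
        }
    return profiles


def classify(p):
    """Cross-account rule. A per-account lockout catches brute force (many fails on
    one account) but is blind to stuffing (one fail each across many accounts)."""
    if p["fails"] >= MIN_FAILS and p["accounts"] >= MIN_ACCOUNTS:
        return "credential_stuffing"
    if p["fails"] >= MIN_FAILS and p["accounts"] == 1:
        return "brute_force"
    return "normal"


def detect(text):
    """Map each source address in the log to its verdict."""
    return {src: classify(p) for src, p in profile_sources(parse_log(text)).items()}


if __name__ == "__main__":
    for src, p in profile_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src:15} {classify(p):20} fails={p['fails']} "
              f"accounts={p['accounts']} machine_like={p['machine_like']}")
```

The shared-egress source (`198.51.100.77`) shows why the distinct-account count alone is not enough: office NATs and mobile carriers legitimately log many users in from one address, so the rule keys on failures spread across accounts, with timing regularity kept as supporting evidence. In production the same aggregation would run over a sliding window and group by more than the source address (ASN, device fingerprint, TLS fingerprint), since a botnet spreads the load across many addresses precisely to stay under per-source thresholds.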
At QUANT LAB
Authentication is where credential stuffing lives or dies, so it is where we focus. The applications we build support MFA out of the box, check passwords against breach corpora, and apply cross-account rate limiting and bot detection at the login edge rather than relying on naive per-account lockouts. In a web application penetration test we probe exactly these defenses — looking for login and password-reset flows that lack throttling, leak whether an account exists, or can be automated at scale. Stopping account takeover is mostly about getting the unglamorous login plumbing right.
The reuse problem behind it all
Credential stuffing exists because a single password protects many doors. Every layer of advice — unique passwords, a password manager, MFA everywhere, and ultimately passkeys — chips away at that root cause. For a business, you cannot force good habits on every user, so you design around the assumption that some passwords are already compromised. Defenses that hold up even when the password is known — a second factor, anomaly detection, breached-password blocking — are the ones that age well, the same principle that makes verification-based controls so durable against social engineering.
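Breached-password blocking, named above as one of the defenses that holds up when the password is already known, is usually implemented with a k-anonymity range query: the client hashes the candidate password, sends only the first five hex characters of the SHA-1 hash, receives every hash suffix in that bucket, and does the match locally, so the checking service never sees the password or its full hash (this is the design Have I Been Pwned's Pwned Passwords API popularised). The following added example, not code from this page or from QUANT LAB, builds both sides of that exchange offline against a small constructed corpus; the corpus, the `min_len` floor and the function names are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a breach corpus. A real deployment would index a
# downloaded list of known-breached password hashes, not plaintext passwords.
CONSTRUCTED_BREACH_CORPUS = [
    "password", "123456", "qwerty", "letmein", "Summer2024!", "password",
]


def sha1_hex(password):
    """Upper-case hex SHA-1, the hash the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket breached hashes by their first 5 hex characters.
    Each bucket maps a 35-char suffix to how often it occurred in the corpus."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index, prefix):
    """Server side: return one whole bucket. The server learns only a 5-char
    prefix (one of 16**5 buckets), never the password or its full hash."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password, index):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)


def evaluate_new_password(password, index, min_len=8):
    """Policy for set/change flows: a length floor (8 is the NIST SP 800-63B
    minimum for user-chosen passwords), then reject anything in the breach
    corpus no matter how 'complex' it looks."""
    if len(password) < min_len:
        return (False, "too_short")
    if breach_count(password, index) > 0:
        return (False, "breached")
    return (True, "ok")


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["password", "Summer2024!", "short", "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {evaluate_new_password(candidate, idx)}")
```

Two points the example is meant to make: the check belongs at every place a password is set or changed (registration, reset, change-password), not just at registration; and the result should be treated as a hard reject rather than a warning, because a password already in a breach corpus is exactly the input a stuffing list will contain.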
Long-form deep-dives that use this term
API Security Best Practices (2026): Auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Preventing Prompt Injection in AI Apps (2026): Prompt injection as the new injection class, trust boundaries for tools and retrieval, and mitigations.
Preventing SQL Injection in Modern Web Apps (2026): Parameterized queries, ORMs, least-privilege DB roles, and why concatenation still breaches apps.
Is your login resilient to account takeover?
We build login flows with MFA, breached-password checks, and bot defense, and test them like an attacker. Book a 30-minute call.