The Root Cause — Password Reuse
Credential stuffing is one of the most widespread and damaging automated attacks on the internet today — and it only works because of one habit: reusing the same password across multiple sites. When a breach occurs at any one of those sites, the leaked credentials immediately become a skeleton key for every other account where you've used that password.
Attackers have studied this behaviour for years. They know that a significant proportion of any given breach database will contain credentials valid elsewhere. They don't need to break your encryption — they just need to try your leaked password somewhere else. This is the fundamental mechanic that makes credential stuffing so profitable and so easy to scale.
How Credential Stuffing Works
The attack follows a well-defined automated process:
- Attackers obtain leaked username and password pairs — these are freely available in "combo lists" circulated on dark web forums, Telegram channels, and paste sites.
- The credentials are loaded into specialised tools such as Sentry MBA, STORM, or OpenBullet — software built specifically for this purpose with modules for hundreds of popular websites.
- The tools distribute the login attempts across rotating proxy networks, making the traffic appear to originate from different locations and devices.
- Successful logins are automatically flagged and separated — the attacker ends up with a curated list of accounts that are actively accessible right now.
- Those accounts are then sold, accessed for fraud, or used as pivot points for further attacks.
The entire process — from obtaining a combo list to having a catalogue of working accounts — can take a matter of hours. The scale is staggering: thousands of login attempts per minute across hundreds of websites simultaneously.
The Scale of the Problem
The raw materials for credential stuffing attacks are essentially inexhaustible. There are billions of credential pairs freely available online, accumulated from decades of data breaches large and small. The "Collection #1" through "#5" dumps released in 2019 alone contained over 2.2 billion unique combinations.
Attacks are fully automated, geographically distributed, and cost almost nothing to run once the infrastructure is established. The economics are strongly in the attacker's favour — even a 0.1% success rate against a billion-record combo list yields a million compromised accounts. And because old breaches are continuously recycled into new attacks, the problem compounds over time rather than fading.
Why It's Different from Brute Force
A common misconception is that credential stuffing is just another form of brute-force attack. It isn't. Credential stuffing uses real credentials that were already proven to work somewhere. This distinction matters enormously for defences.
Rate limiting and account lockout policies are tuned to detect the pattern of random guessing — many failed attempts in quick succession from a single source. Credential stuffing bypasses this because the attempts are distributed across many IPs, the credentials are valid, and the success-to-attempt ratio looks much closer to normal user behaviour. Many attacks go completely undetected by the target platform until the damage is done.
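As an added example (not from the original article), the Python below contrasts a classic per-source lockout rule with an aggregate detector over a constructed log sample: the distributed pattern described above, one or two failures per IP spread over many usernames, never reaches a per-IP threshold but stands out once failures are counted across usernames within a time window. The log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few seconds of login events, "timestamp ip username result".
# Six different users fail from six different IPs; two genuine logins succeed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL
2024-05-01T10:00:02Z 203.0.113.11 bob FAIL
2024-05-01T10:00:02Z 203.0.113.12 carol OK
2024-05-01T10:00:03Z 203.0.113.13 dave FAIL
2024-05-01T10:00:04Z 203.0.113.14 erin FAIL
2024-05-01T10:00:05Z 203.0.113.15 frank FAIL
2024-05-01T10:00:06Z 203.0.113.16 grace FAIL
2024-05-01T10:00:07Z 198.51.100.7 alice OK
"""

def parse_log(text):
    """Parse 'ts ip user result' lines into dicts; timestamps are ISO-8601 UTC."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ip, "user": user, "ok": result == "OK"})
    return events

def per_ip_lockout_hits(events, threshold=5):
    """Brute-force style rule: flag any IP with `threshold` or more failures."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def stuffing_windows(events, window_s=60, min_users=5, max_fail_per_ip=2):
    """Aggregate rule: within a fixed window, many distinct usernames fail while
    no single IP fails more than `max_fail_per_ip` times (distributed, quiet per
    source). Returns flagged windows as (window_start_epoch, failing_users, ips)."""
    buckets = defaultdict(lambda: {"users": set(), "ip_fails": defaultdict(int)})
    for e in events:
        if e["ok"]:
            continue  # only failures feed the detector
        key = int(e["ts"].timestamp()) // window_s * window_s
        buckets[key]["users"].add(e["user"])
        buckets[key]["ip_fails"][e["ip"]] += 1
    flagged = []
    for start, b in sorted(buckets.items()):
        if len(b["users"]) >= min_users and max(b["ip_fails"].values()) <= max_fail_per_ip:
            flagged.append((start, len(b["users"]), len(b["ip_fails"])))
    return flagged
```

On the sample, `per_ip_lockout_hits` returns nothing while `stuffing_windows` flags the single minute with six failing usernames across six IPs; feeding it six failures for one user from one IP inverts the result, which is the distinction the section draws.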
High-Value Targets
Not every compromised account is equally valuable. Attackers prioritise services where access translates quickly into money:
- Streaming services (Netflix, Spotify, Disney+) — accounts are sold cheaply but in volume; buyers avoid paying for their own subscriptions.
- Retail accounts — gift card balances and stored payment methods are immediately cashable.
- Airlines and hotel loyalty programmes — frequent flyer miles and points are converted to flight bookings or gift cards and resold.
- Banks and financial services — the highest-value target; access enables direct fraud.
- Gaming accounts — rare items, in-game currency, and high-level accounts command real money on secondary markets.
How to Protect Yourself
The defences against credential stuffing are well understood and highly effective when applied consistently:
- Use a unique password for every site — this single step eliminates your exposure to credential stuffing entirely. A password manager makes this practical.
- Enable MFA on every account that offers it — even when an attacker has the correct username and password, they cannot pass the second factor.
- Monitor for unusual login notifications — logins from new locations or devices are a common signal of account compromise.
- Use BreachWatcher to be alerted the moment your credentials surface in a breach — giving you time to act before your data enters a combo list.
BreachWatcher monitors for your credentials appearing in breach databases — giving you the earliest possible warning before a credential stuffing campaign can reach your accounts.