
Credential Stuffing: How To Detect And Prevent It (Updated)

Credential stuffing exploits password reuse at industrial scale. Here is how it works and the layered defences that actually stop it.

Credential Stuffing: How To Detect And Prevent It (Updated), by Deepak Gupta on guptadeepak.com

Credential stuffing is the simplest, cheapest, and most successful attack on consumer accounts today. The attacker takes a list of email-password pairs leaked from one breach and replays them against every other login form on the internet. Because most people reuse passwords, a small percentage of attempts succeed, and at internet scale that small percentage is enormous.

It accounts for the majority of account takeover that hits consumer products. It is also one of the most preventable, if you build the right layers.

How a credential-stuffing attack works

  1. Source the list. Past breach corpora are freely available. The largest collections contain billions of pairs.
  2. Spin up infrastructure. Residential proxy networks rotate IPs to evade rate limits.
  3. Use a stuffing tool. Open-source tools handle CAPTCHA solving, header rotation, and result parsing.
  4. Run. Hit the target login endpoint at scale. Even a 0.1% success rate on a million attempts is a thousand compromised accounts.
  5. Monetise. Working accounts are sold by category: loyalty points, store credit, streaming subscriptions, financial accounts.

How to detect it

Stuffing leaves fingerprints. The ones worth alerting on:

  • Login attempts from data-centre IPs or known residential proxy ranges.
  • A single user agent making attempts against many different accounts.
  • Spike in failed logins followed by a successful login from the same IP range.
  • Unusual geographic distribution of login attempts.
  • Successful logins immediately followed by sensitive actions (password change, payout, profile edit).
  • High ratio of "user not found" responses, which signals list testing rather than legitimate traffic.
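As an added illustration of these signals (not code from the original post), the following Python scores constructed sample login events per source IP for three of them: the "user not found" ratio, one user agent against many accounts, and a run of failures followed by a success. The log layout, the thresholds and the sample lines are assumptions; tune the thresholds against your own traffic.

```python
from collections import Counter, defaultdict

# Constructed sample login events (not real traffic), one attempt per line:
# timestamp, source IP, user agent, account, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 ua-A alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 ua-A bob@example.com NOT_FOUND
2024-05-01T10:00:03 203.0.113.7 ua-A carol@example.com NOT_FOUND
2024-05-01T10:00:04 203.0.113.7 ua-A dave@example.com FAIL
2024-05-01T10:00:05 203.0.113.7 ua-A erin@example.com NOT_FOUND
2024-05-01T10:00:06 203.0.113.7 ua-A frank@example.com SUCCESS
2024-05-01T10:01:00 198.51.100.20 ua-B alice@example.com FAIL
2024-05-01T10:01:20 198.51.100.20 ua-B alice@example.com SUCCESS
"""

def parse_log(text):
    """Split each line into its five fields and order attempts oldest first."""
    fields = ("ts", "ip", "ua", "account", "result")
    rows = [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]
    return sorted(rows, key=lambda r: r["ts"])

def stuffing_indicators(events, min_attempts=5, not_found_ratio=0.5,
                        accounts_per_ua=5, fails_before_success=3):
    """Map each source IP to the stuffing signals it tripped (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, mine in by_ip.items():
        if len(mine) < min_attempts:   # too little traffic to judge
            continue
        hits = []
        # Many "user not found": a list is being tested, not a user mistyping.
        if Counter(e["result"] for e in mine)["NOT_FOUND"] / len(mine) >= not_found_ratio:
            hits.append("high_not_found_ratio")
        # One user agent trying many distinct accounts.
        per_ua = defaultdict(set)
        for e in mine:
            per_ua[e["ua"]].add(e["account"])
        if any(len(accts) >= accounts_per_ua for accts in per_ua.values()):
            hits.append("one_ua_many_accounts")
        # A run of failures followed by a success from the same source.
        first_ok = next((i for i, e in enumerate(mine) if e["result"] == "SUCCESS"), None)
        if first_ok is not None and first_ok >= fails_before_success:
            hits.append("failures_then_success")
        if hits:
            flagged[ip] = hits
    return flagged
```

The second source in the sample (one user failing once, then succeeding) stays below the attempt threshold and is never flagged, which is the behaviour you want for a legitimate user who mistyped a password.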

The layered defences that actually work

No single control stops a determined attacker. The stack that does:

  • Breached-password detection. Reject any password that appears in a known breach corpus at login or rotation. This single control removes most of the attack surface.
  • MFA for high-risk roles, and offered to everyone. Make it the default for any account holding money or sensitive data.
  • Passkeys. A passkey-enrolled account is immune to credential stuffing by construction.
  • Risk-based authentication. Score every sign-in attempt on IP reputation, device fingerprint, time-of-day, and behaviour. Step up to MFA or deny on elevated risk.
  • Bot management. Detect and rate-limit automated traffic before it reaches the login endpoint.
  • CAPTCHA, sparingly. Modern CAPTCHAs are solvable by attackers and annoying to users. Use as a step-up, not a default.
  • Generic error messages. Never tell the attacker whether the email exists. "Email or password incorrect," not "user not found."
  • Monitoring and lockout. Per-account and per-IP velocity limits. Soft lockouts that require MFA to recover, not hard lockouts that enable denial-of-service.

What to do after a successful stuffing event

  • Force-revoke active sessions for affected accounts.
  • Require password reset and MFA re-enrolment from a verified channel.
  • Audit and reverse any sensitive actions taken during the attacker's session.
  • Communicate clearly with affected users. The breach was not yours, but the takeover happened on your platform.

The user-side piece

Educate users to use a password manager and unique passwords. Make it as easy as possible to enrol passkeys. The structural fix to credential stuffing is the end of password reuse, and you can lead users there one prompt at a time.

Credential stuffing will not disappear while password reuse exists, but it is one of the few high-volume threats with a clean defensive playbook. Run the playbook.
