Credential Stuffing
What is Credential Stuffing?
Credential stuffing is an automated attack in which an adversary uses large lists of username and password pairs — obtained from prior data breaches, infostealer malware logs, or dark web marketplaces — and systematically tests them against login interfaces to find accounts where the same credentials were reused. Unlike brute force attacks that guess passwords, credential stuffing uses real, previously valid credentials from other services. The attack exploits the widespread practice of password reuse across multiple accounts. Rapid7 found that over 56% of all compromises in early 2025 resulted from stolen credentials where no MFA was in place — making credential stuffing one of the most scalable, low-effort attack techniques available.
Description
The credential stuffing attack lifecycle begins with credential acquisition. Nearly two billion credential pairs were indexed from infostealer malware combo lists in 2025 alone, and major breach databases are regularly bought and sold on criminal forums. Attackers feed these lists into automated tools that test thousands of logins per minute across target applications, rotating through proxy networks and adjusting request timing to evade rate limiting and bot detection. Successful logins are flagged for manual verification — these represent accounts where the user reused a breached password on the target service.

The downstream consequences of credential stuffing vary by application: account takeover, unauthorized purchases, data theft, or use of the compromised account as a staging point for further attacks. In enterprise environments, credential stuffing against corporate applications, VPNs, and cloud identity and access management portals can yield initial access for more sophisticated intrusions.

Traditional multi-factor authentication (MFA) blocks credential stuffing — a reused password from a breach is useless without the second factor. However, adversary-in-the-middle (AiTM) attacks have evolved to bypass MFA, meaning MFA alone is not a complete defense against credential-based attacks in 2026.
Usage and Examples
A financial services company runs an e-commerce platform and a member portal. Over 72 hours, its WAF logs show 4.7 million login attempts from 38,000 distinct IP addresses — a classic distributed credential stuffing pattern. 1,200 of those attempts succeed because those users have recycled passwords from a prior breach at a retail site. The attacker accesses account history, payment methods, and personal data for 1,200 customers before the attack is detected by velocity anomaly alerts. Mitigations include mandatory MFA enrollment, bot detection at login endpoints (CAPTCHA, behavioral analysis, device fingerprinting), credential monitoring services that alert when user email addresses appear in known breach data, and password breach detection at login (checking entered passwords against known breached credential databases using the HaveIBeenPwned API or similar).
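As an added example (not code from this page or from Evolve Security), the kind of velocity check that surfaced the attack above, run over constructed WAF-style login events: it looks for the distributed shape of credential stuffing (many IPs, one attempt per account, mostly failures) rather than the single-account hammering of brute force. The event format and the thresholds are assumptions and would need tuning against a site's own baseline.

```python
from datetime import datetime, timedelta, timezone

# Constructed WAF-style login events for illustration only (not real log data).
# Each event: (timestamp, source_ip, username, http_status); 401 = failed login.
def constructed_stuffing_burst(n=40):
    t0 = datetime(2025, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(n):
        ip = f"203.0.113.{i}"                 # one attempt per IP: proxy rotation
        user = f"user{i}@example.com"         # one attempt per account: combo-list replay
        status = 200 if i % 20 == 0 else 401  # 2 of 40 users reused a breached password
        events.append((t0 + timedelta(seconds=i), ip, user, status))
    return events

CONSTRUCTED_BENIGN = [  # a typo, a successful retry, then another user: normal traffic
    (datetime(2025, 3, 1, 9, 0, 0, tzinfo=timezone.utc), "198.51.100.5", "alice@example.com", 401),
    (datetime(2025, 3, 1, 9, 0, 15, tzinfo=timezone.utc), "198.51.100.5", "alice@example.com", 200),
    (datetime(2025, 3, 1, 9, 4, 0, tzinfo=timezone.utc), "198.51.100.9", "bob@example.com", 200),
]

def window_stats(events):
    """Summarise one window: volume, spread across IPs and accounts, failure ratio."""
    n = len(events)
    ips = {e[1] for e in events}
    users = {e[2] for e in events}
    failures = sum(1 for e in events if e[3] != 200)
    return {"attempts": n, "attempts_per_ip": n / len(ips), "user_ratio": len(users) / n,
            "failure_ratio": failures / n,
            "hits": sorted(e[2] for e in events if e[3] == 200)}  # accounts to review

def detect_credential_stuffing(events, window=timedelta(seconds=60), min_attempts=30,
                               max_per_ip=2.0, min_user_ratio=0.8, min_failure_ratio=0.8):
    """Slide a window over the events and flag the densest one if it has the
    distributed stuffing shape: high volume spread thinly over many IPs, a different
    account per attempt, and mostly failures. Thresholds are illustrative assumptions."""
    events = sorted(events, key=lambda e: e[0])
    best = None
    for i, (t_start, _, _, _) in enumerate(events):
        win = [e for e in events[i:] if e[0] - t_start <= window]
        if best is None or len(win) > best["attempts"]:
            best = window_stats(win)
    if best is None:
        return {"flagged": False}
    best["flagged"] = (best["attempts"] >= min_attempts and best["attempts_per_ip"] <= max_per_ip
                       and best["user_ratio"] >= min_user_ratio
                       and best["failure_ratio"] >= min_failure_ratio)
    return best

if __name__ == "__main__":
    print(detect_credential_stuffing(constructed_stuffing_burst()))  # flagged, 2 hits
    print(detect_credential_stuffing(CONSTRUCTED_BENIGN))            # not flagged
```

The `hits` list is what analysts would triage first: accounts where a replayed breached password actually worked, which the page's scenario shows are the ones needing forced resets and MFA enrollment.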
How Does This Relate to Penetration Testing?
During application penetration testing and external network assessments, Evolve Security testers evaluate authentication endpoints for credential stuffing susceptibility: missing rate limiting, absent bot detection, lack of MFA enforcement, and absence of account lockout policies. These findings are often high-severity because they represent exploitable pathways that require no vulnerability — just a breached credential list that is freely available. Authentication security testing also evaluates password cracking resistance for captured hashes and the strength of password policies that influence how quickly credentials can be compromised after a breach. Evolve Security's Application Penetration Testing and external assessments evaluate authentication controls against credential stuffing and related account takeover techniques.