Credential Stuffing

Security+ 🏆 • Threats ⚠️ • Authentication & Authorization 🔐 Difficulty: free

Definition

Credential stuffing is an attack where criminals use large lists of stolen username and password pairs and automatically try them on other websites and services. It works because many people reuse passwords, so valid credentials from one breach can often be used to access accounts elsewhere.

Examples

  • A retailer sees thousands of login attempts where the same usernames are tried once each, coming from many different IP addresses.
  • An attacker uses leaked email and password pairs from an old breach to take over streaming service accounts.

Discover 🔎

Credential stuffing is not about guessing passwords. It is about reusing real passwords that were already stolen somewhere else. Because password reuse is common, attackers can take credential lists from data breaches and try them across many services until they find accounts that work.

This makes credential stuffing an everyday threat for any internet-facing login page. It is automated, it scales, and it is hard to stop with simple blocking because attackers distribute attempts across many devices and IP addresses.

Remember: Credential stuffing uses known stolen passwords. The attacker is not guessing; they are testing reuse.
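As an added illustration of the retailer example above (many usernames, each tried once, from many IPs) and of why per-IP blocking alone misses it, here is a small Python detector run over constructed login records. This is example code, not part of the original lesson; the log format and the thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample auth logs ("timestamp ip user OK|FAIL"), not from the original page.
# Stuffing window: 30 different usernames, each tried once, each from its own IP; two hit.
STUFFING_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d} 203.0.113.{i} user{i:02d} {'OK' if i in (7, 19) else 'FAIL'}"
    for i in range(30))
# Brute-force window for contrast: one username hammered 30 times from one IP.
BRUTE_LOG = "\n".join(f"2024-05-01T11:00:{i:02d} 198.51.100.5 alice FAIL" for i in range(30))

@dataclass
class Attempt:
    ip: str
    user: str
    ok: bool

def parse_log(text):
    """Parse 'timestamp ip user OK|FAIL' lines into Attempt records."""
    attempts = []
    for line in text.strip().splitlines():
        _ts, ip, user, outcome = line.split()
        attempts.append(Attempt(ip, user, outcome == "OK"))
    return attempts

def per_ip_lockouts(attempts, threshold=5):
    """IPs that a naive per-source lockout would block (>= threshold failures). Assumed threshold."""
    fails = Counter(a.ip for a in attempts if not a.ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def classify_window(attempts, min_users=20, min_ips=10, max_mean_per_user=1.5):
    """Label a window of attempts by its overall shape rather than by any single source."""
    if not attempts:
        return "normal"
    users = Counter(a.user for a in attempts)
    ips = {a.ip for a in attempts}
    mean_per_user = len(attempts) / len(users)
    if len(users) >= min_users and len(ips) >= min_ips and mean_per_user <= max_mean_per_user:
        return "credential_stuffing"   # many accounts, about one try each, spread across sources
    if len(users) == 1 and len(attempts) >= min_users:
        return "brute_force"           # one account, many tries
    return "normal"

def hit_accounts(attempts):
    """Usernames that authenticated inside the window: candidates for forced reset and notification."""
    return sorted({a.user for a in attempts if a.ok})

if __name__ == "__main__":
    for name, log in (("stuffing", STUFFING_LOG), ("brute", BRUTE_LOG)):
        ev = parse_log(log)
        print(name, classify_window(ev), "lockouts:", per_ip_lockouts(ev), "hits:", hit_accounts(ev))
```

The stuffing window trips no per-IP lockout at all (every source fails only once), while the window-level shape check flags it and lists the two accounts that were successfully reused.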