Credential Stuffing

An attack that replays username-password pairs from prior data breaches against other services, exploiting password reuse.


What is credential stuffing?

Credential stuffing is an automated attack in which the attacker takes a list of leaked username-password pairs, usually from a public breach corpus like "Collection #1", and submits them against the login endpoints of unrelated services. The premise is password reuse: a fraction of the users whose email address and password (say, hunter2) were breached on a forum in 2016 still use that same password on their bank, email provider, or retailer today. Even a 0.1% success rate on a 10-million-pair list yields 10,000 compromised accounts.

How it differs from brute force

Unlike a brute force attack, credential stuffing does not guess passwords — it replays known-valid ones. That makes it:

  • Faster — one attempt per pair, not thousands
  • Harder to block by rate limiting alone — successful logins look normal
  • Harder to prevent with password complexity rules — the password was complex, it just leaked somewhere else

Attackers distribute the submissions across a botnet or proxy network so no single IP trips per-IP rate limits.

How defenders respond

Effective defenses combine IP reputation (traffic from datacenter ASNs and known abuse ranges is suspicious), device fingerprinting, CAPTCHA challenges on anomalous logins, and — most importantly — multi-factor authentication, which breaks the attack even when the password is correct. Monitoring your domain against breach-intelligence feeds catches credential stuffing in progress by spotting logins that match recently-leaked credentials. Running source IPs through an IP abuse report checker helps correlate the attack with known threat actors.

Frequently Asked Questions

Where do attackers get the credentials?

From public breach corpora that aggregate decades of leaked username-password pairs from compromised websites. The most famous are "Collection #1" through "Collection #5" (released 2019), "Anti Public", "Exploit.in", and the more recent RockYou2024 compilation. These are freely shared on dark-web forums and even on clearnet GitHub mirrors. Specialized tools like SentryMBA and OpenBullet then automate the replay against any login form.
Why does multi-factor authentication stop credential stuffing?

Because the attacker only has the password; they do not have the second factor (TOTP code, push approval, hardware key, or passkey). Even when the password matches, the login fails at the MFA challenge. SMS-based MFA is weaker because phishing kits and SIM swapping can intercept the code, but app-based TOTP, push notifications, and hardware-backed authenticators effectively eliminate credential stuffing as an attack vector.
Can rate limiting stop credential stuffing?

Not on its own. Attackers distribute the submissions across thousands of residential proxies, VPNs, and botnet nodes, so no single IP triggers a per-IP threshold. Effective rate limiting has to combine IP reputation, device fingerprinting, behavioral anomaly detection (sudden spikes of failed logins per account, not per IP), and adaptive CAPTCHAs. Pure per-IP limits catch only naive attackers.
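The following detection logic, added here as an example and not taken from the page or any product it mentions, shows why the per-IP limit above stays silent while window-wide signals do not. It runs over a constructed authentication log (documentation-range addresses, made-up accounts, an assumed `result=/user=/ip=` line format) in which a dozen source IPs each make one or two attempts. The naive per-IP counter finds nothing, but the aggregate failure rate, IP diversity and low attempts-per-IP together match a distributed replay, and the one successful login is flagged because the same IP just failed against a different account, which is the "successful logins look normal" problem from the defenders section.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log (not from a real system). Assumed line format:
# "<ISO time> result=<ok|fail> user=<account> ip=<source>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z result=ok   user=alice@example.test ip=203.0.113.7
2024-05-01T10:00:03Z result=fail user=u01@example.test ip=198.51.100.1
2024-05-01T10:00:04Z result=fail user=u02@example.test ip=198.51.100.1
2024-05-01T10:00:05Z result=fail user=u03@example.test ip=198.51.100.2
2024-05-01T10:00:06Z result=fail user=u04@example.test ip=198.51.100.2
2024-05-01T10:00:07Z result=fail user=u05@example.test ip=198.51.100.3
2024-05-01T10:00:08Z result=ok   user=u06@example.test ip=198.51.100.3
2024-05-01T10:00:09Z result=fail user=u07@example.test ip=198.51.100.4
2024-05-01T10:00:10Z result=fail user=u08@example.test ip=198.51.100.4
2024-05-01T10:00:11Z result=fail user=u09@example.test ip=198.51.100.5
2024-05-01T10:00:12Z result=fail user=u10@example.test ip=198.51.100.5
2024-05-01T10:00:13Z result=fail user=u11@example.test ip=198.51.100.6
2024-05-01T10:00:14Z result=fail user=u12@example.test ip=198.51.100.6
2024-05-01T10:00:15Z result=fail user=u13@example.test ip=198.51.100.7
2024-05-01T10:00:16Z result=fail user=u14@example.test ip=198.51.100.7
2024-05-01T10:00:17Z result=fail user=u15@example.test ip=198.51.100.8
2024-05-01T10:00:18Z result=fail user=u16@example.test ip=198.51.100.8
2024-05-01T10:00:19Z result=fail user=u17@example.test ip=198.51.100.9
2024-05-01T10:00:20Z result=fail user=u18@example.test ip=198.51.100.9
2024-05-01T10:00:21Z result=fail user=u19@example.test ip=198.51.100.10
2024-05-01T10:00:22Z result=fail user=u20@example.test ip=198.51.100.10
2024-05-01T10:00:30Z result=fail user=bob@example.test ip=203.0.113.8
2024-05-01T10:00:35Z result=ok   user=bob@example.test ip=203.0.113.8
"""

LINE_RE = re.compile(r"^(\S+)\s+result=(ok|fail)\s+user=(\S+)\s+ip=(\S+)$")


@dataclass(frozen=True)
class Attempt:
    ts: str
    ok: bool
    user: str
    ip: str


def parse_log(text: str) -> list:
    """Parse the assumed log format; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m[1], m[2] == "ok", m[3], m[4]))
    return attempts


def per_ip_failures_over(attempts: list, threshold: int = 5) -> dict:
    """Naive per-IP rate limit: IPs with more than `threshold` failures."""
    fails = Counter(a.ip for a in attempts if not a.ok)
    return {ip: n for ip, n in fails.items() if n > threshold}


def window_metrics(attempts: list) -> dict:
    """Signals aggregated over the whole window rather than per source IP."""
    total = len(attempts)
    failures = sum(1 for a in attempts if not a.ok)
    ips = {a.ip for a in attempts}
    users = {a.user for a in attempts}
    return {
        "total": total,
        "failure_rate": failures / total if total else 0.0,
        "distinct_ips": len(ips),
        "distinct_users": len(users),
        "attempts_per_ip": total / len(ips) if ips else 0.0,
    }


def looks_like_credential_stuffing(m: dict, min_fail_rate: float = 0.7,
                                   min_ips: int = 10, max_per_ip: float = 3.0) -> bool:
    """Distributed replay: high failure rate, many IPs, each IP quiet."""
    return (m["failure_rate"] >= min_fail_rate
            and m["distinct_ips"] >= min_ips
            and m["attempts_per_ip"] <= max_per_ip)


def suspicious_successes(attempts: list) -> set:
    """Successful logins from an IP that also failed against *other* accounts."""
    failed_users = defaultdict(set)
    for a in attempts:
        if not a.ok:
            failed_users[a.ip].add(a.user)
    return {(a.user, a.ip) for a in attempts if a.ok and failed_users[a.ip] - {a.user}}


if __name__ == "__main__":
    atts = parse_log(SAMPLE_LOG)
    print("per-IP limit trips:", per_ip_failures_over(atts))   # {} -> nothing caught
    m = window_metrics(atts)
    print("window metrics:", m)
    print("credential stuffing?", looks_like_credential_stuffing(m))
    print("successes to review:", suspicious_successes(atts))
```

Note that bob's own typo-then-success from one IP is not flagged, because the failure was against the same account; the rule only fires when an IP fails against one account and then succeeds against another. Thresholds here are illustrative and would be tuned against the baseline of a real login service.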
How can you tell your accounts are being targeted?

Common signals: a flood of "failed login" emails from a service you use, an "unusual sign-in attempt" alert from Google or Microsoft, your account briefly locked out for too many bad passwords, or a successful login from an unfamiliar location and device. If you get any of these, change the password immediately, enable MFA if it isn't already on, and check whether the same password is used elsewhere; that account is at risk too.
How does credential stuffing differ from credential cracking?

Credential cracking (also called password spraying or password cracking) tries to guess passwords against known usernames, either by spraying common passwords ("Spring2024!", "Password1") across many accounts or by attacking captured password hashes offline. Credential stuffing replays already-valid pairs from breaches; cracking generates the password from scratch. Stuffing is much faster (one attempt per pair) and harder to detect because successful logins look normal.