Credential stuffing is a cyberattack where attackers use large lists of stolen username/password pairs (from previous data breaches) to automatically attempt logins across multiple websites and applications.
⚙️ How Does It Work?
Attackers obtain breach databases (often sold on the dark web) containing billions of credential pairs. Automated bots then test these credentials at scale against target sites. Because many users reuse the same password across services, a significant percentage of the attempts succeed.
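The pattern described above (one automated source trying many different usernames, most of them failing) is also what makes credential stuffing detectable in authentication logs. The following is an added example, not part of the original glossary entry: a small Python detector that runs over constructed sample login-log lines, aggregates attempts per source IP, and flags sources whose distinct-username count and failure ratio exceed thresholds. The log format, field names, the IP addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are all assumptions made for the example.

```python
"""Toy credential-stuffing detector over constructed authentication log lines.

Added example: the log format (`ts ip=... user=... result=OK|FAIL`), the
thresholds and the sample data are assumptions, not taken from any real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One line per login attempt. Anything that does not match is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample data. 203.0.113.5 sprays eight different accounts in four
# seconds and gets one success: the stuffing signature. 198.51.100.7 is a single
# user mistyping their own password twice, which must NOT be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=OK
2024-05-01T10:00:02Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=heidi result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.7 user=ivan result=FAIL
2024-05-01T10:01:25Z ip=198.51.100.7 user=ivan result=FAIL
2024-05-01T10:01:40Z ip=198.51.100.7 user=ivan result=OK
2024-05-01T10:02:00Z ip=198.51.100.9 user=judy result=OK
this line is garbage and should be ignored
"""


@dataclass
class SourceStats:
    """Per-source-IP counters needed for the two stuffing indicators."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for a malformed line."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def aggregate(lines):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def detect(lines, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag sources that try many distinct accounts with a high failure ratio.

    A legitimate user hammering their own account produces one distinct
    username, so the distinct-user threshold is what separates stuffing from
    ordinary forgotten passwords. Successful logins from a flagged source are
    reported as accounts to review (force a reset, revoke sessions).
    """
    findings = []
    for ip, s in aggregate(lines).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": fail_ratio,
                "compromised_accounts": sorted(s.successes),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: {f['attempts']} attempts, {f['distinct_users']} users, "
              f"{f['fail_ratio']:.0%} failed; review accounts {f['compromised_accounts']}")
```

The two indicators used here are deliberately simple: a single IP with many distinct usernames and a high failure ratio. Real campaigns are often spread across proxy pools so that each IP stays under per-source thresholds; in that case the same aggregation is applied globally (failed logins against distinct accounts per minute compared with the baseline) rather than per IP, which is the point the text makes about attacks operating "at scale".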
📍 Where Is It Used?
Consumer-facing applications, e-commerce, banking, SaaS platforms — any service accessible via the internet with username/password login.
💡 Real-World Example
A streaming service suffers 50,000 account takeovers in one weekend. Investigation reveals credential stuffing using 2M credentials from a separate social media breach; 3% of the attempts succeeded because users had reused passwords. MFA and passwordless authentication would have prevented all of them.