Credential Stuffing: How It Works and How to Stop It
What credential stuffing is, how the attack chain works, and the defenses that actually reduce risk.
What Is Credential Stuffing?
Credential stuffing is the automated attempt to log in using stolen username and password pairs from one data breach against many other websites, exploiting the fact that people reuse passwords across services.
OWASP classifies it as a subset of brute force attacks, but with an important distinction: rather than guessing passwords, the attacker already has real, working credentials from a breach elsewhere and is testing where else they work.
Anatomy of a Credential Stuffing Attack
- Acquire credentials. The attacker obtains a list of usernames and passwords from a breach, phishing campaign, or dump site.
- Automate login attempts. Tools test the stolen credentials against many sites at scale, including social media, marketplaces, and web apps.
- Harvest valid logins. Successful logins confirm reused credentials, which the attacker can drain, exfiltrate data from, or resell.
A more evasive variant, sometimes called hybrid credential stuffing or password spraying, adjusts each password slightly, changing "Winter2025" to "Winter2026," to slip past simple reuse detection.
Why It Matters
Publicly documented breach chains illustrate how far this spreads: password reuse connected the Sony (2011), Yahoo (2012), and Dropbox (2012) breaches, where credentials stolen in one incident were used to test logins at completely unrelated companies. Roughly 22% of breaches trace back to credential abuse, which is why OWASP's Top 10:2025 groups this risk under Authentication Failures (A07).
How to Defend Against It
Multi-factor authentication is the single most effective control, since it stops a valid password from being enough on its own. Beyond that, checking new and changed passwords against known-breached credential lists, rate-limiting login attempts, and using consistent error messages that do not reveal which part of a login failed all reduce the attack's success rate.
Frequently Asked Questions
What is credential stuffing?
Credential stuffing is the automated use of stolen username and password pairs from one breach to attempt logins on other websites, exploiting password reuse.
How is credential stuffing different from brute force attacks?
Brute force guesses passwords through trial and error. Credential stuffing uses already-known, breached username and password pairs, which makes it far more efficient.
What is the best defense against credential stuffing?
Multi-factor authentication is the primary countermeasure, since it prevents a correct password alone from granting access. Rate limiting and breached-password checks add further protection.
Which OWASP Top 10 category covers credential stuffing?
It falls under Authentication Failures (A07) in the OWASP Top 10:2025, which covers weaknesses that let attackers compromise user identities.
What is a hybrid credential stuffing attack?
A hybrid or password-spray variant slightly modifies known passwords, such as incrementing a year, to bypass simple reuse detection while still testing likely variations.
Related Reading
Find Out If Your Login Flows Can Be Stuffed
Get a pentest that tests authentication defenses the way a real attacker would, with proof of exploit for every finding.
Free AI Pen Test