{"id":2946,"date":"2026-04-06T10:15:00","date_gmt":"2026-04-06T10:15:00","guid":{"rendered":"https:\/\/getdarkscout.com\/blog\/?p=2946"},"modified":"2026-04-06T06:24:39","modified_gmt":"2026-04-06T06:24:39","slug":"what-is-credential-stuffing","status":"publish","type":"post","link":"https:\/\/getdarkscout.com\/blog\/what-is-credential-stuffing\/","title":{"rendered":"What Is Credential Stuffing? (And Why It Might Already Be Happening to Your Accounts)"},"content":{"rendered":"\n

You probably know that data breaches<\/a> happen all the time. Big companies get hacked, usernames and passwords get stolen, and people are told to change their passwords.<\/p>\n\n\n\n

Most people do that once and then forget about it.<\/p>\n\n\n\n

That’s exactly the window criminals need.<\/p>\n\n\n\n

Because those stolen credentials don’t just sit there. They get sold on the dark web, bundled into massive lists, and fed into automated tools that try them against hundreds of websites simultaneously. Your email and password from a breach at one site gets tested against your bank, your email provider, your shopping accounts, your work systems.<\/p>\n\n\n\n

That’s credential stuffing. And it is one of the most common, most damaging, and most preventable cyberattacks happening at scale right now.<\/p>\n\n\n\n

<\/span>What Is Credential Stuffing?<\/span><\/h2>\n\n\n\n

Credential stuffing is a cyberattack where criminals take stolen username and password combinations from one data breach and use automated bots to test them across other websites and services.<\/p>\n\n\n\n

The attack works because of one deeply human habit: password reuse.<\/p>\n\n\n\n

Most people use the same password across multiple accounts. When one site gets breached and that password leaks, every other account using the same password becomes vulnerable instantly. The attacker doesn’t need to hack anything new. They just need your old password and a list of websites to try it on.<\/p>\n\n\n\n

The Verizon 2025 Data Breach Investigations Report<\/strong><\/a> found that credential stuffing accounted for 19% of all authentication attempts on the SSO provider logs analysed. Compromised credentials were the initial access vector in 22% of all confirmed breaches, making it the most common entry point for the third consecutive year.<\/p>\n\n\n\n

This isn’t an edge case. It is the most common way attackers get in.<\/p>\n\n\n\n

<\/span>How Credential Stuffing Actually Works<\/strong><\/span><\/h2>\n\n\n\n
\"How<\/figure>\n\n\n\n

The process is more systematic than most people realise. Here’s how it plays out from start to finish.<\/p>\n\n\n\n

Step 1: Getting the Credentials<\/h3>\n\n\n\n

Attackers collect the stolen credentials from a range of sources. Most of the time, attackers are purchasing data from breach data repositories within dark web forums and marketplaces, where vast numbers of user names and password combinations are sold off in bulk after major data breaches. The hackers can also extract login credentials from infostealer malware logs, which will steal passwords without the users knowledge from devices that are infected with them.<\/p>\n\n\n\n

In June 2025, cybersecurity researchers revealed that a record 16 billion login credentials<\/strong><\/a> had been exposed online in what is believed to be the largest password leak to date, compiled from at least 30 exposed datasets covering major platforms including Apple, Google, Facebook, GitHub, and Telegram.<\/p>\n\n\n\n

This is referred to as a ‘combolist’ within criminal circles and are regularly traded and updated by the black market, where stolen credentials can change hands in minutes.<\/p>\n\n\n\n

Step 2: Running the Attack<\/h3>\n\n\n\n

Once a hacker has obtained this list, they will not waste any time using a program or themselves to try each and every password. Attackers use special automated software programs known as OpenBullet or SilverBullet, which automatically ‘stuff’ the username and password information into numerous websites simultaneously and can try thousands of login attempts per minute.<\/p>\n\n\n\n

Modern credential stuffing tools are sophisticated. They can rotate through different IP addresses to avoid detection, mimic realistic browser behaviour, solve basic CAPTCHA challenges, and distribute attempts slowly enough to stay under rate-limiting thresholds. The attack looks like normal traffic until accounts start getting taken over.<\/p>\n\n\n\n

Akamai recorded 26 billion credential stuffing attempts per month in 2024. One streaming service alone saw 773 million credential tests in a single year, which produced nearly 2 million successful logins.<\/p>\n\n\n\n

Step 3: Exploiting Successful Logins<\/h3>\n\n\n\n

When the attack is successful, the attacker has achieved their goal, and they will then proceed to perform various actions on the account that they have gained access to depending on what account type they have accessed.<\/p>\n\n\n\n

Financial account holders will lose cash or will find fraudulent purchases have been made. For email accounts, it would seem plausible that the password on other services could be reset and subsequently used as a phishing account. Loyalty accounts would most likely see a rapid use of accumulated points, and for business accounts, it may only be an entry to get to another system further within the organization, using the hacked account for greater access and control.<\/p>\n\n\n\n

The damage compounds fast.<\/p>\n\n\n\n

<\/span>The Numbers Behind the Damage<\/span><\/h2>\n\n\n\n

Credential stuffing might sound like a low-level nuisance. The financial reality tells a very different story.<\/p>\n\n\n\n

IBM’s Cost of a Data Breach report found that credential stuffing attacks caused on average $4.81 million worth of damage per breach. <\/p>\n\n\n\n

Account takeover fraud, which credential stuffing directly fuels, reached $2.9 billion in losses in 2025 and has become the fastest-growing fraud type. Global account takeover losses are projected to hit $17 billion by the end of 2025.<\/p>\n\n\n\n

29% of US adults, roughly 77 million people, experienced an account takeover in 2024. Individual victims lose an average of $180, with some losing up to $85,000.<\/p>\n\n\n\n

And it’s not just individuals who suffer. The business consequences include help desk costs from mass account lockouts, infrastructure costs from bot traffic consuming server resources, regulatory fines when customer data is exposed, and long-term reputational damage.<\/p>\n\n\n\n

80% of consumers say they will not return to a site after experiencing an account takeover there. For businesses with customer accounts, a single credential stuffing campaign can drive permanent customer churn.<\/p>\n\n\n\n

<\/span>Real-World Examples<\/span><\/h2>\n\n\n\n

Credential stuffing is far from a theoretical concept. It’s something that the most recognisable brands on the planet have experienced.<\/p>\n\n\n\n

Nintendo (2020): Credential stuffing resulted in 160,000 user accounts being compromised, allowing hackers to use stolen credentials, make unauthorised purchases, and view account information.<\/p>\n\n\n\n

The North Face (2025): VF Corporation informed customers about a credential stuffing attack at its North Face e-commerce store, with hackers using compromised user credentials to access customer accounts and exfiltrate personal information.<\/p>\n\n\n\n

Dunkin’ Donuts (2019): There have been many credential stuffing attacks targeting its DD Perks loyalty programme, with the accounts being traded on the dark web.<\/p>\n\n\n\n

Roku (2024): There was a credential stuffing campaign launched at Roku\u2019s platform, allowing it to facilitate unauthorised purchases, and according to Reuters, this resulted in a 2% stock price drop.<\/p>\n\n\n\n

Every one of these instances is the same: the credentials are stolen elsewhere, tested automatically, and scaled up. They work because people reuse passwords.<\/p>\n\n\n\n

<\/span>Credential Stuffing vs Brute Force vs Password Spraying<\/span><\/h2>\n\n\n\n

These three attacks often get confused. They’re related but they work differently.<\/p>\n\n\n\n

Credential stuffing<\/strong> uses real, known username and password combinations stolen from actual breaches. The attacker already has valid credentials and is testing whether they work elsewhere.<\/p>\n\n\n\n

Brute force attacks<\/strong> try random combinations of characters to guess a password. They don’t rely on any stolen data. They’re slower, noisier, and easier to detect because of the sheer volume of failed attempts.<\/p>\n\n\n\n

Password spraying<\/strong> takes a small number of commonly used passwords and tests them against a large number of accounts. It avoids triggering lockouts by trying each password slowly across many accounts rather than hammering one account repeatedly.<\/p>\n\n\n\n

Credential stuffing is the most effective of the three because it uses real data. It doesn’t need to guess. It already knows the answer to half the question.<\/p>\n\n\n\n

<\/span>Why Password Reuse Makes This So Dangerous<\/span><\/h2>\n\n\n\n

The success of credential stuffing depends entirely on one thing: people using the same password across multiple accounts.<\/p>\n\n\n\n

In 2025, 62% of Americans reported reusing passwords, and 52% of login attempts involved leaked credentials.<\/p>\n\n\n\n

The Verizon analysis found that only 49% of a user’s passwords across different services are distinct from each other. That figure is what makes credential stuffing economically viable. Breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.<\/p>\n\n\n\n

Attackers understand this math. A campaign that costs around $300 in tools, credential lists, and botnet access can break even at a 0.006% success rate if each compromised account yields just $50. Most accounts are worth far more than that.<\/p>\n\n\n\n

<\/span>How to Protect Yourself from Credential Stuffing<\/span><\/h2>\n\n\n\n
\"Protect<\/figure>\n\n\n\n

The good news is that the defences against credential stuffing are straightforward. They’re not complicated or expensive. They just require building better habits.<\/p>\n\n\n\n

1. Use a Unique Password for Every Account<\/h3>\n\n\n\n

This is the single most effective thing you can do. If every account has a different password, a breach at one site cannot cascade into other accounts. A password manager makes this practical by generating and storing complex, unique passwords so you don’t have to remember them.<\/p>\n\n\n\n

Our free password generator<\/a> creates strong, random passwords instantly with no account required.<\/p>\n\n\n\n

2. Enable Two-Factor Authentication<\/h3>\n\n\n\n

Even if an attacker has your password, two-factor authentication (2FA) stops them getting in without a second verification step. This single control eliminates the vast majority of credential stuffing attempts. Enable it on every account that supports it, especially email, banking, and work systems.<\/p>\n\n\n\n

3. Check Whether Your Credentials Are Already Exposed<\/h3>\n\n\n\n

You might have credentials circulating on dark web forums right now without knowing it. DarkScout’s free email scan<\/a> checks whether your email address has appeared in known breaches in seconds.<\/p>\n\n\n\n

For ongoing protection, Our dark web monitoring<\/a> continuously watches criminal forums and marketplaces for your credentials, alerting you the moment something appears so you can act before an attacker does.<\/p>\n\n\n\n

4. Watch for Warning Signs<\/h3>\n\n\n\n

Unexpected login notifications from unfamiliar locations, being locked out of accounts you haven’t touched, or seeing activity you don’t recognise are all signs that a credential stuffing attempt may have succeeded. Treat these as emergencies, not curiosities.<\/p>\n\n\n\n

<\/span>What Businesses Can Do<\/span><\/h2>\n\n\n\n
\"What<\/figure>\n\n\n\n

If you run a business with user accounts, credential stuffing is your problem too, not just your customers’.<\/p>\n\n\n\n

Enforce multi-factor authentication.<\/strong> Make it mandatory, not optional, for all accounts.<\/p>\n\n\n\n

Monitor login patterns.<\/strong> Unusual spikes in failed login attempts, logins from unexpected locations, or impossible travel patterns are red flags that need immediate investigation.<\/p>\n\n\n\n

Use rate limiting and bot detection.<\/strong> Slow down or block accounts that experience rapid repeated login failures. Modern bot detection goes further and can identify non-human behaviour patterns in login traffic.<\/p>\n\n\n\n

Check your employees’ credentials.<\/strong> Staff who reuse passwords on work accounts create a direct path into your systems. Dark web monitoring<\/a> services can alert you when employee credentials appear in breach data before attackers use them.<\/p>\n\n\n\n

Notify customers quickly.<\/strong> If you detect a credential stuffing campaign targeting your platform, tell your users immediately so they can change their passwords.<\/p>\n\n\n\n

<\/span>The Bottom Line<\/span><\/h2>\n\n\n\n

Credential stuffing works because most people reuse passwords. That’s it. That’s the entire attack.<\/p>\n\n\n\n

The fix is equally simple: unique passwords and two-factor authentication on every account. It won’t stop every possible threat, but it will stop credential stuffing almost entirely.<\/p>\n\n\n\n

Compromised credentials are the most common way attackers get into systems. They have been for three consecutive years. That trend will not change until the behaviour that enables it changes.<\/p>\n","protected":false},"excerpt":{"rendered":"

You probably know that data breaches happen all the time. Big companies get hacked, usernames and passwords get stolen, and people are told to change their passwords. Most people do that once and then forget about it. That’s exactly the window criminals need. Because those stolen credentials don’t just sit there. They get sold on the dark web, bundled into massive lists, and fed into automated tools that try them against hundreds of websites simultaneously. Your email and password from a breach at one site gets tested against your bank, your email provider, your shopping accounts, your work systems. That’s credential stuffing. And it is one of the most common, most damaging, and most preventable cyberattacks happening at scale right now. What Is Credential Stuffing? Credential stuffing is a cyberattack where criminals take stolen username and password combinations from one data breach and use automated bots to test them across other websites and services. The attack works because of one deeply human habit: password reuse. Most people use the same password across multiple accounts. When one site gets breached and that password leaks, every other account using the same password becomes vulnerable instantly. The attacker doesn’t need to hack anything new. They just need your old password and a list of websites to try it on. The Verizon 2025 Data Breach Investigations Report found that credential stuffing accounted for 19% of all authentication attempts on the SSO provider logs analysed. Compromised credentials were the initial access vector in 22% of all confirmed breaches, making it the most common entry point for the third consecutive year. This isn’t an edge case. It is the most common way attackers get in. How Credential Stuffing Actually Works The process is more systematic than most people realise. Here’s how it plays out from start to finish. Step 1: Getting the Credentials Attackers collect the stolen credentials from a range of sources. Most of the time, attackers are purchasing data from breach data repositories within dark web forums and marketplaces, where vast numbers of user names and password combinations are sold off in bulk after major data breaches. The hackers can also extract login credentials from infostealer malware logs, which will steal passwords without the users knowledge from devices that are infected with them. In June 2025, cybersecurity researchers revealed that a record 16 billion login credentials had been exposed online in what is believed to be the largest password leak to date, compiled from at least 30 exposed datasets covering major platforms including Apple, Google, Facebook, GitHub, and Telegram. This is referred to as a ‘combolist’ within criminal circles and are regularly traded and updated by the black market, where stolen credentials can change hands in minutes. Step 2: Running the Attack Once a hacker has obtained this list, they will not waste any time using a program or themselves to try each and every password. Attackers use special automated software programs known as OpenBullet or SilverBullet, which automatically ‘stuff’ the username and password information into numerous websites simultaneously and can try thousands of login attempts per minute. Modern credential stuffing tools are sophisticated. They can rotate through different IP addresses to avoid detection, mimic realistic browser behaviour, solve basic CAPTCHA challenges, and distribute attempts slowly enough to stay under rate-limiting thresholds. The attack looks like normal traffic until accounts start getting taken over. Akamai recorded 26 billion credential stuffing attempts per month in 2024. One streaming service alone saw 773 million credential tests in a single year, which produced nearly 2 million successful logins. Step 3: Exploiting Successful Logins When the attack is successful, the attacker has achieved their goal, and they will then proceed to perform various actions on the account that they have gained access to depending on what account type they have accessed. Financial account holders will lose cash or will find fraudulent purchases have been made. For email accounts, it would seem plausible that the password on other services could be reset and subsequently used as a phishing account. Loyalty accounts would most likely see a rapid use of accumulated points, and for business accounts, it may only be an entry to get to another system further within the organization, using the hacked account for greater access and control. The damage compounds fast. The Numbers Behind the Damage Credential stuffing might sound like a low-level nuisance. The financial reality tells a very different story. IBM’s Cost of a Data Breach report found that credential stuffing attacks caused on average $4.81 million worth of damage per breach. Account takeover fraud, which credential stuffing directly fuels, reached $2.9 billion in losses in 2025 and has become the fastest-growing fraud type. Global account takeover losses are projected to hit $17 billion by the end of 2025. 29% of US adults, roughly 77 million people, experienced an account takeover in 2024. Individual victims lose an average of $180, with some losing up to $85,000. And it’s not just individuals who suffer. The business consequences include help desk costs from mass account lockouts, infrastructure costs from bot traffic consuming server resources, regulatory fines when customer data is exposed, and long-term reputational damage. 80% of consumers say they will not return to a site after experiencing an account takeover there. For businesses with customer accounts, a single credential stuffing campaign can drive permanent customer churn. Real-World Examples Credential stuffing is far from a theoretical concept. It’s something that the most recognisable brands on the planet have experienced. Nintendo (2020): Credential stuffing resulted in 160,000 user accounts being compromised, allowing hackers to use stolen credentials, make unauthorised purchases, and view account information. The North Face (2025): VF Corporation informed customers about a credential stuffing attack at its North Face e-commerce store, with hackers using compromised user credentials to access customer accounts and exfiltrate personal information. Dunkin’ Donuts (2019): There have been many credential stuffing attacks targeting its DD Perks loyalty programme, with the accounts being traded on the dark web. Roku (2024): There was a<\/p>\n","protected":false},"author":9,"featured_media":2950,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[22],"tags":[21],"class_list":["post-2946","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/2946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/comments?post=2946"}],"version-history":[{"count":1,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/2946\/revisions"}],"predecessor-version":[{"id":2951,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/2946\/revisions\/2951"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/media\/2950"}],"wp:attachment":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/media?parent=2946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/categories?post=2946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/tags?post=2946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}