
Credential stuffing: why old breaches keep breaking into your new accounts

A password you used on a forum in 2019 is being tried on your bank account right now. Credential stuffing is the automated attack that turns billions of old stolen logins into active threats against accounts you created years later. Here is exactly how it works and how to make yourself immune.

April 13, 2026, by Baris Ayarkan

You changed your password after the LinkedIn breach in 2016. You thought you were safe. But you kept using the same password on a gaming forum, a news site, a shopping app. Those sites were also breached, quietly, without major news coverage. Now all those email and password combinations are sitting in a file that attackers download for free. And they are running them against every major platform automatically, right now, around the clock.

This is credential stuffing. It is not hacking in any sophisticated sense. It is just systematically trying stolen logins until something works. And because most people reuse passwords, it works far more often than it should.

193B: credential stuffing attempts recorded globally in 2023 alone
0.1%: a success rate that still means millions of account takeovers at scale
15B+: unique email and password pairs currently in circulation on dark web markets

What is credential stuffing?

Credential stuffing is an automated attack where an attacker takes a large list of stolen username and password pairs from past data breaches and tries them against other websites and services. The attacker is not guessing passwords. They already have the real ones. They are just testing whether you used the same password somewhere else.

The attack is fully automated. Tools like Sentry MBA, OpenBullet, and SilverBullet are freely available and designed specifically for this purpose. An attacker can configure one of these tools with a list of 10 million credentials, point it at a target website, and walk away. The tool handles everything: it rotates through proxies to avoid IP blocking, solves basic CAPTCHAs, and reports back which logins succeeded.

This is not brute force

Brute force attacks guess passwords until one works. Credential stuffing uses real passwords that actually belonged to real people. The success rate is dramatically higher because the attacker is not guessing; they are replaying credentials that already worked somewhere. A 0.1% success rate on 10 million credentials means 10,000 successful account takeovers from a single list.

How a credential stuffing attack runs step by step

Step 01 - Procurement: Buying or downloading a combo list

The attacker downloads a combo list: a text file containing millions of email and password pairs harvested from past breaches. These are freely available on dark web forums and Telegram channels. Premium lists with fresher data cost a few hundred dollars. Free lists with older data are available to anyone who looks.

Step 02 - Configuration: Setting up the attack tool

The attacker configures a credential stuffing tool with the combo list, a pool of residential proxy IPs to rotate through (to avoid IP-based blocking), and a "config" file that tells the tool how to interact with the specific target website: what the login request looks like, what a successful response looks like, and what a failed one looks like.

Step 03 - Automated testing: Millions of login attempts, fully automated

The tool starts submitting login attempts at scale, thousands per minute, spread across hundreds of proxy IPs so that no single IP crosses a rate-limiting or lockout threshold. Each attempt uses a real email and password from the combo list. Most fail. The ones that succeed are flagged and saved to a separate "hits" file.

Step 04 - Monetisation: Selling or exploiting the hits

Successful logins are sold as "account logs" on dark web markets, used directly to drain balances or steal stored payment methods, or used to send spam from legitimate email accounts. Retail account hits go for $1 to $10. Bank account hits and crypto exchange logins go for hundreds. Streaming service accounts are bundled and sold cheaply in bulk.
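From the defender's side, the reason step 03 works is that proxy rotation keeps every individual IP under a per-IP failure threshold while the run as a whole looks nothing like normal traffic. The Go program below is an added example, not code from the original article: it parses a constructed auth log (the key=value line format, the IP ranges and the user names are all assumed for the demo), applies the naive per-IP rule, and then computes the window-level signals that survive rotation: the overall failure ratio, the share of attempts against accounts that were never registered (a combo list harvested from other sites' breaches is full of them), and the number of distinct usernames tried from one IP.

```go
package main

import (
	"fmt"
	"strings"
)

type LoginEvent struct{ IP, User, Result string }

// Report holds both views of one window: the per-IP rule that proxy rotation is tuned to evade, and the population-level signals that survive rotation.
type Report struct {
	Attempts         int
	PerIPBlocked     int     // IPs a naive "N failures per IP" rule would block
	FailRatio        float64 // failed attempts / all attempts
	UnknownUserRatio float64 // attempts for accounts that were never registered / all attempts
	MaxUsersPerIP    int     // distinct usernames tried from the busiest single IP
	Stuffing         bool
}

// parseLine reads the constructed key=value log format (assumed for this example).
func parseLine(line string) (LoginEvent, bool) {
	var ev LoginEvent
	for _, f := range strings.Fields(line) {
		switch k, v, _ := strings.Cut(f, "="); k {
		case "ip":
			ev.IP = v
		case "user":
			ev.User = strings.ToLower(v)
		case "result":
			ev.Result = v
		}
	}
	return ev, ev.IP != "" && ev.User != "" && ev.Result != ""
}

// Analyse scores one window. knownUsers is the site's own account table; a combo
// list harvested from other sites is full of emails that never signed up here.
func Analyse(lines []string, knownUsers map[string]bool, perIPFailLimit int) Report {
	var r Report
	failsByIP, usersByIP, seenPair := map[string]int{}, map[string]int{}, map[string]bool{}
	fails, unknown := 0, 0
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		r.Attempts++
		if ev.Result != "SUCCESS" {
			fails++
			if failsByIP[ev.IP]++; failsByIP[ev.IP] == perIPFailLimit {
				r.PerIPBlocked++ // this IP just crossed the naive per-IP threshold
			}
		}
		if !knownUsers[ev.User] {
			unknown++
		}
		if pair := ev.IP + " " + ev.User; !seenPair[pair] {
			seenPair[pair] = true
			if usersByIP[ev.IP]++; usersByIP[ev.IP] > r.MaxUsersPerIP {
				r.MaxUsersPerIP = usersByIP[ev.IP]
			}
		}
	}
	if r.Attempts > 0 {
		r.FailRatio = float64(fails) / float64(r.Attempts)
		r.UnknownUserRatio = float64(unknown) / float64(r.Attempts)
	}
	// Illustrative thresholds; calibrate against your own baseline traffic.
	r.Stuffing = r.Attempts >= 20 && r.FailRatio > 0.8 && r.UnknownUserRatio > 0.3 && r.MaxUsersPerIP >= 3
	return r
}

// Sample returns a constructed window and the site's account table. Lines 0-2 are
// ordinary traffic (one typo, one user per IP); lines 3-32 are a stuffing run of 30
// combo-list entries over 10 proxies, three per IP, where exactly one password still works.
func Sample() (lines []string, known map[string]bool) {
	known = map[string]bool{"alice@example.com": true, "bob@example.com": true}
	lines = []string{
		"ts=2026-04-13T10:00:01Z ip=198.51.100.7 user=alice@example.com result=SUCCESS",
		"ts=2026-04-13T10:00:14Z ip=198.51.100.8 user=bob@example.com result=FAIL",
		"ts=2026-04-13T10:00:20Z ip=198.51.100.8 user=bob@example.com result=SUCCESS",
	}
	for i := 0; i < 30; i++ {
		user := fmt.Sprintf("account%02d@example.net", i)
		if i < 10 {
			known[user] = true // ten of the leaked emails also have an account here
		}
		result := "FAIL"
		if i == 5 {
			result = "SUCCESS" // the attacker's one "hit": a reused password
		}
		lines = append(lines, fmt.Sprintf("ts=2026-04-13T10:01:%02dZ ip=203.0.113.%d user=%s result=%s", i, 1+i/3, user, result))
	}
	return lines, known
}

func main() {
	lines, known := Sample()
	fmt.Printf("%+v\n", Analyse(lines, known, 5))
}
```

With a per-IP limit of 5 the naive rule blocks nothing, yet nine in ten attempts fail and six in ten are for accounts the site has never heard of. Tightening the per-IP limit does not help much: at a limit of 3 the rule catches nine of the ten proxies in this run, and the attacker's answer is simply two attempts per IP and more proxies. The population-level ratios are what to alert on.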

Where the credential lists come from

Every major breach produces raw data that eventually ends up in credential lists. The journey from a breach to a combo list usually takes weeks to months. The breached company may not even know they were hacked for months. By the time they notify users, the data has already circulated.

What a combo list actually looks like

A combo list is a plain text file, one credential per line, formatted as email:password. A single file might contain 50 million lines. Attackers deduplicate and merge lists from multiple breaches to create "master" combo lists. The largest widely reported one, Collection #1, held about 2.7 billion rows (roughly 773 million unique email addresses and 21 million unique passwords) when it surfaced in January 2019. Lists this size circulate freely and are downloaded by anyone who looks.

The most damaging combo lists come from breaches where passwords were stored in plain text or with weak hashing. When LinkedIn was breached in 2012, passwords were stored as unsalted SHA-1 hashes, most of which were cracked within days of the dump surfacing. When RockYou was breached in 2009, 32 million passwords were stored in plain text. Both lists are still in active use today because people still reuse those passwords.
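A site can turn the same lists against the attacker: when a combo list surfaces, parse it and check whether any registered account's current password is in it, then force a reset before the list is run. The Go program below is an added example, not the article's or DataLeakz's code. The list, salts and user table are constructed for the demo, and PBKDF2 is written out only so that it runs with the standard library alone; a real user store would call its existing bcrypt, scrypt or Argon2 verifier. It also handles the format's one real gotcha: passwords may contain ':' themselves, so only the first colon separates the fields.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"strings"
)

// Combo is one leaked email:password pair.
type Combo struct{ Email, Password string }

// ParseComboList reads email:password lines. Passwords may themselves contain ':' so
// only the first colon splits; emails are lower-cased and exact duplicates dropped.
func ParseComboList(text string) []Combo {
	seen := map[Combo]bool{}
	var out []Combo
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		email, pw, ok := strings.Cut(line, ":")
		c := Combo{strings.ToLower(strings.TrimSpace(email)), pw}
		if !ok || pw == "" || !strings.Contains(c.Email, "@") || seen[c] {
			continue
		}
		seen[c] = true
		out = append(out, c)
	}
	return out
}

// StoredUser is what a site should hold: salt, work factor and a slow hash, never the password.
type StoredUser struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 (standard library only; a real store would use its bcrypt/scrypt/Argon2 verifier).
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the single block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func NewStoredUser(password string, salt []byte, iterations int) StoredUser {
	return StoredUser{salt, iterations, pbkdf2SHA256([]byte(password), salt, iterations)}
}

// Matches verifies a candidate password against the stored hash in constant time.
func (u StoredUser) Matches(password string) bool {
	return subtle.ConstantTimeCompare(u.Hash, pbkdf2SHA256([]byte(password), u.Salt, u.Iterations)) == 1
}

// ExposedUsers lists registered emails whose current password appears in the leaked list; only combos whose email matches an account cost a hash computation.
func ExposedUsers(list []Combo, users map[string]StoredUser) []string {
	var out []string
	for _, c := range list {
		if u, ok := users[c.Email]; ok && u.Matches(c.Password) {
			out = append(out, c.Email)
		}
	}
	sort.Strings(out)
	return out
}

// SampleList is constructed, not a real leak: a case-variant duplicate, a password containing colons, a malformed line and an empty password.
const SampleList = `alice@example.com:Summer2019!
ALICE@example.com:Summer2019!
bob@example.com:pa:ss:word
carol@example.com:hunter2
not-an-email
dave@example.com:
`

// SampleUsers is the site's constructed user table (iteration count kept low for the demo).
func SampleUsers() map[string]StoredUser {
	return map[string]StoredUser{
		"alice@example.com": NewStoredUser("Summer2019!", []byte("salt-a"), 1000),  // reused: exposed
		"bob@example.com":   NewStoredUser("pa:ss:word", []byte("salt-b"), 1000),   // reused: exposed
		"carol@example.com": NewStoredUser("unique-Pw-42", []byte("salt-c"), 1000), // unique: safe
	}
}

func main() {
	list := ParseComboList(SampleList)
	fmt.Println(len(list), "unique combos; force a reset for:", ExposedUsers(list, SampleUsers()))
}
```

The check is cheap because the site never has to hash the whole list: for each combo it looks up the email, and only when that email belongs to a registered account does it run the password through the account's own salt and work factor. Users whose stored hash matches have reused a breached password and should be reset (and told why) before the list is run against the login page.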

Check if your email is in a combo list right now

DataLeakz monitors breach databases and credential lists in real time. Find out what attackers already know about you.

Run a free scan →

The real scale of the problem

Credential stuffing is not a niche threat. It is the dominant form of account takeover. Akamai, which processes a significant portion of global internet traffic, recorded 193 billion credential stuffing attempts in 2023. That is 6,100 attempts per second, every second of every day.

Some of the largest account takeovers in recent years were credential stuffing attacks. In the 2020 Nintendo incident, about 160,000 accounts (a figure Nintendo later raised to 300,000) were taken over with credentials from other breaches, not from Nintendo's own systems. Spotify has disclosed multiple credential stuffing incidents. DraftKings reported roughly $300,000 stolen from customer accounts through credential stuffing in 2022. In each case the attackers did not break into the company; they used passwords that worked elsewhere.

Why your account gets targeted even if you are nobody

Credential stuffing is not targeted. Attackers are not after you specifically. They are running every credential in the list against every platform simultaneously. Your account gets tested because your email is in the list, not because someone chose to go after you. In one way this is worse: there is no way to remove yourself from a list once a breach has happened. The only defence is making sure that when the credential is tested, the password no longer works.

How to make credential stuffing useless against you

Use a unique password for every single account

This is the complete defence against credential stuffing. If every account has a different password, a breach of one service gives an attacker credentials that do not work anywhere else. Use a password manager such as Bitwarden, 1Password, or Dashlane to generate and store unique passwords. You only need to remember one master password.

Easy · highest impact · eliminates the attack entirely

Switch to passkeys on your most important accounts

Passkeys are public-key credentials that cannot be stuffed. Even if an attacker has your email and an old password, a passkey login uses neither: your device signs a fresh challenge from the site, and the site holds only the public key. Google, Apple, Microsoft, GitHub, and hundreds of other services now support passkeys. Enable them on every account that offers them, starting with your email provider.

Easy · one-time setup · future-proof

Enable two-factor authentication everywhere

Even if an attacker has the right password, 2FA blocks them from completing the login. Use an authenticator app rather than SMS where possible: app codes cannot be intercepted the way SMS codes can (through SIM swapping, for instance). Any 2FA is dramatically better than none, and even SMS 2FA stops most automated credential stuffing tools. The caveat is that both kinds of one-time code can be relayed by a real-time phishing page; only passkeys and hardware security keys resist that.

Easy · stops most attacks even with correct password

Watch for login alert emails you did not trigger

Most major services send an email when your account is logged in from a new device or location. If you receive one of these and you did not log in, change your password immediately and check whether the attacker changed any account recovery information (backup email, phone number, 2FA settings). Act within minutes, not hours: attackers move fast once a hit is confirmed.

Easy · catches attacks in progress

Monitor your email for new breach appearances

Every time your email appears in a new breach, that data goes into fresh combo lists within weeks. Real-time monitoring gives you a window to rotate passwords before attackers run those lists. Without monitoring, you only find out after an account is already taken over.

Medium · ongoing · worth setting up once

The only credential that cannot be stuffed

A passkey. Passkeys are bound to the specific website they were created for, and the private key stays on your device or in your password manager's vault; the site only stores a public key. An attacker cannot take a passkey from a breach dump and use it somewhere else, because it is not a password: it is a cryptographic key that only answers a challenge from the site it belongs to. If every important account uses a passkey, credential stuffing is irrelevant.
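Why a passkey cannot be stuffed, shown as an added Go example. This is a simplified model of WebAuthn's challenge-response, not the real protocol encoding and not the article's code: the site stores only a public key, every login signs a fresh challenge together with the site's relying-party ID, and the authenticator refuses to sign for a different site. The names "forum.example" and "bank.example" are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey is the authenticator's half: a private key created for exactly one
// relying party (RP ID) and never sent anywhere.
type Passkey struct {
	RPID string
	priv *ecdsa.PrivateKey
}

// Credential is the site's half: only the public key. This is all a breach of
// the site's login table would yield, and it cannot produce a signature.
type Credential struct{ Pub *ecdsa.PublicKey }

func NewPasskey(rpID string) (*Passkey, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Passkey{rpID, priv}, Credential{&priv.PublicKey}, nil
}

// NewChallenge is the fresh nonce the site issues for every login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedMessage stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON):
// both the RP ID and the challenge are under the signature.
func signedMessage(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rp[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a challenge. A browser will not use a passkey for any site but
// the one it was created for; the RPID check models that refusal.
func (p *Passkey) Assert(rpID string, challenge []byte) ([]byte, error) {
	if rpID != p.RPID {
		return nil, errors.New("passkey not registered for this site")
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(rpID, challenge))
}

// Verify is the site checking an assertion against its own RP ID and the challenge it issued.
func (c Credential) Verify(rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, signedMessage(rpID, challenge), sig)
}

// Scenarios runs the honest login, then the two things an attacker holding a
// captured assertion or a dumped credential table could try.
func Scenarios() (legit, replay, crossSite bool, err error) {
	pk, forumCred, err := NewPasskey("forum.example")
	if err != nil {
		return
	}
	c1 := NewChallenge()
	sig, err := pk.Assert("forum.example", c1)
	if err != nil {
		return
	}
	legit = forumCred.Verify("forum.example", c1, sig)
	// Replaying the captured assertion fails: the next login gets a new challenge.
	replay = forumCred.Verify("forum.example", NewChallenge(), sig)
	// Cross-site: the authenticator refuses to sign for the bank, and even the
	// captured forum assertion does not verify under the bank's RP ID.
	_, signErr := pk.Assert("bank.example", c1)
	crossSite = signErr == nil || forumCred.Verify("bank.example", c1, sig)
	return
}

func main() {
	legit, replay, crossSite, err := Scenarios()
	fmt.Println("legit:", legit, "replay:", replay, "cross-site:", crossSite, "err:", err)
}
```

Contrast this with a password: the secret a stuffing tool replays is exactly the thing the site stored and the thing the user typed everywhere else. Here the site stores nothing that can be replayed, the signed value changes on every login, and the key is scoped to one relying party, so a dump from the forum is worthless at the bank even before the authenticator's own refusal.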

Sources

  1. Akamai State of the Internet Report 2024: credential stuffing volume and success rate statistics
  2. SpyCloud Annual Credential Exposure Report 2025: combo list circulation and reuse rates
  3. Javelin Strategy and Research Identity Fraud Report 2025: financial fraud conversion from credential stuffing
  4. OWASP Credential Stuffing Prevention Cheat Sheet: attack methodology and tooling overview
  5. IBM Cost of a Data Breach Report 2024: account takeover as primary breach entry point