What Is Credential Stuffing and How Do You Stop It?
Credential stuffing is one of the most widespread forms of account takeover and it requires almost no skill to execute. If you reuse passwords across sites — and most people do — here is exactly how attackers exploit that and what stops it completely.
What credential stuffing is
Credential stuffing is an automated attack in which an attacker takes a large list of username-and-password combinations (typically obtained from a data breach) and systematically tries those combinations on other services. The goal is to find accounts where the same email address and password combination works — because the owner reused their credentials.
The attack is called "stuffing" because the attacker is not guessing or cracking anything. They are simply feeding known, working credentials into as many sites as possible and seeing which ones accept them. If your login for a breached forum uses the same password as your email or banking account, those are now at risk — not because of anything you did wrong on those services, but because of what happened somewhere else entirely.
Why it works so well
Password reuse is extraordinarily common. Surveys consistently find that over 50% of people use the same password for multiple accounts, and a meaningful proportion use the same credential across many accounts. Combine this with the scale of modern data breaches — billions of credentials are now in circulation from years of breaches — and attackers have a large, reliable supply of material to work with.
The attack is also cheap to execute. Purpose-built tools automate the process, rotating through thousands of credentials per second across multiple target services, using proxy networks to avoid rate limiting. An attacker with basic technical knowledge and access to breach databases can run a credential stuffing campaign with minimal effort.
How to recognise it on your accounts
Credential stuffing is often silent — you may not know an account has been accessed until the attacker does something visible (makes a purchase, changes recovery details, uses the account to scam your contacts). Signs to watch for:
- Login notifications from locations or devices you do not recognise
- Emails about password reset requests you did not initiate
- Unexpected purchases or transactions on accounts with payment details saved
- Contacts telling you they received unusual messages from your account
- Recovery email or phone number changed without your knowledge
If you see any of these, change the password immediately, check for changes to account recovery settings and enable two-factor authentication if it is not already active.
The one thing that stops it completely
Credential stuffing relies entirely on password reuse. If every account has a unique password, a breach at one service reveals nothing useful for any other service. The attack becomes impossible — not harder, not less likely, but technically impossible. An attacker who has your breached forum credentials tries them against Gmail, finds they fail and moves on. Your Gmail account is never at risk regardless of the strength or weakness of the breached password.
This is the single most important reason to use unique passwords everywhere, even for accounts you consider low-value. A breached newsletter subscription or minor e-commerce account becomes a credential stuffing vector if it shares a password with something that matters.
What businesses can do about it
Credential stuffing is also a major problem for companies, not just individuals. Businesses protect against it through rate limiting (restricting how many login attempts are allowed from a given IP address), device fingerprinting (detecting unusual login patterns), bot detection (CAPTCHA and behavioural analysis) and monitoring login traffic for volumetric spikes that indicate automated attacks.
Several large-scale attacks in recent years have used distributed infrastructure across thousands of IP addresses specifically to bypass rate limiting — meaning even well-protected services face ongoing challenges. This is another argument for individual users not relying on services to protect them, but taking control of their own credential hygiene.
The full defence
Unique passwords per account is the foundation. Two-factor authentication is the second layer — even if an attacker does have a working credential, they cannot complete the login without the second factor. Together, these two measures eliminate credential stuffing as a practical risk for your personal accounts.
Neither requires significant ongoing effort once set up. A password manager handles the unique passwords automatically. An authenticator app generates 2FA codes in seconds. The setup time is a few hours; the protection is permanent.
Generate unique passwords for every account
Unique passwords are the only thing that stops credential stuffing. Generate a different strong password for each account — or use the bulk generator to create a set at once.
Password GeneratorThis article is for general informational purposes. If you believe you are a victim of account takeover, change your credentials immediately and contact the relevant service providers.