Credential Stuffing: How Leaked Passwords Work
In January 2024, a security team at a mid-size SaaS company noticed something odd. Over a single weekend, their authentication logs showed 340,000 failed login attempts across employee and customer-facing portals. The attempts came from thousands of IP addresses, rotating every few requests. Buried in the noise: 47 successful logins.
None of those 47 accounts had been brute-forced. The attackers already had the correct passwords. They had purchased a batch of stolen credentials from a 2023 breach of an unrelated service, and 47 employees had used the same email and password combination for both.
This is credential stuffing. Not a sophisticated exploit. Not a zero-day. Just a bet that people reuse passwords, and that bet pays off roughly 0.1% to 2% of the time. At scale, that is enough.
What is credential stuffing?
Credential stuffing is an automated attack where stolen username-password pairs from one data breach are tested against login pages of other services. The attacker does not guess passwords. They already have real ones. They just need to find where else those credentials work.
The mechanics are straightforward. Breached credential lists containing millions of email/password combinations are sold and traded on dark web marketplaces, sometimes for less than $10 per million records. Attackers load these lists into automated tools that attempt logins across hundreds of websites simultaneously. The tools rotate through proxy servers to avoid IP-based blocking, throttle requests to stay under rate-limit thresholds, and hand CAPTCHAs off to solver services, whether machine-learning models or human solving farms.
The attack succeeds because of one predictable human behavior: password reuse. A 2024 study by Bitwarden found that 65% of people admit to reusing passwords across multiple accounts. The actual number is likely higher, since people tend to underreport habits they know are risky.
Why credential stuffing keeps working
The breach supply chain never stops
Have I Been Pwned, the breach notification service run by Troy Hunt, has indexed over 13 billion compromised accounts as of early 2026. New breaches add millions of records every month. Each one feeds fresh ammunition into credential stuffing operations.
The breaches do not need to be recent. A LinkedIn breach from 2012 still produces valid credentials because people keep the same passwords for years. An employee who created a LinkedIn account in college and never changed the password may still use that same password for their corporate email today.
Automation makes scale trivial
A single attacker with commodity tools can test millions of credential pairs per day. Tools like Sentry MBA, and open-source successors such as OpenBullet, abstract away the technical complexity. You write or download a configuration for the target site, load a credential list, point the tool at a pool of rotating proxies, and let it run. The cost of running these attacks is measured in dollars, not thousands.
Detection is harder than it sounds
Credential stuffing does not look like a brute-force attack. Each individual login attempt uses a valid-looking username and a real password. The attempts come from different IP addresses. They are spaced out to mimic normal traffic patterns. From the defender’s perspective, distinguishing a credential stuffing attempt from a legitimate user mistyping their password requires behavioral analysis, not simple rule matching.
The real cost of a successful attack
When credential stuffing succeeds, the attacker gains access to a legitimate account with real permissions. What happens next depends on what that account can reach.
Corporate email takeover. A compromised email account gives attackers access to internal communications, contact lists, calendar data, and attachments containing sensitive information. It also becomes a launching pad for business email compromise attacks, where the attacker sends convincing requests to colleagues from the compromised address.
Customer data exposure. If the compromised account has access to customer records, PII, financial data, or health information, the credential stuffing incident becomes a data breach with regulatory notification requirements.
Lateral movement. Attackers use the initial foothold to explore internal systems, escalate privileges, and access higher-value targets. A compromised employee account is often the first step in a ransomware incident or a sustained data exfiltration campaign.
Financial fraud. In e-commerce and financial services, credential stuffing leads directly to unauthorized purchases, account balance theft, and loyalty point fraud.
The 2024 Verizon Data Breach Investigations Report found that stolen credentials appeared in 31% of all breaches it analyzed over the preceding decade, more than any other initial access technique.
How to check if your credentials have been exposed
Before you can fix the problem, you need to know the scope. Here are practical steps every employee should take.
Check breach databases
Visit haveibeenpwned.com and search for your work and personal email addresses. The site indexes over 13 billion accounts from 700+ breaches and will tell you which ones included your credentials.
If your email appears in a breach, assume the password you used on that service is now public. If you used that same password anywhere else, those accounts are vulnerable right now.
Use your password manager’s audit feature
Most enterprise password managers include a security dashboard that cross-references your stored credentials against known breaches. It also flags reused passwords and weak entries. Run this audit. Address every flagged item, starting with work accounts.
Enable breach monitoring
Services like Have I Been Pwned offer notification subscriptions. Your organization’s security team may also run credential monitoring that alerts when employee credentials appear in new breach dumps. Make sure you are enrolled in whatever monitoring your company provides.
Breaking the password reuse cycle
Knowing the problem exists is step one. Changing behavior is where most programs stall. Here is what actually works.
Use a password manager for everything
This is the single most effective defense against credential stuffing. A password manager generates a unique, random password for every account and remembers it for you. You do not need to memorize anything except the master password for the vault itself.
The practical friction points are real. Some sites do not play well with autofill. Shared team accounts create workarounds. But these are solvable problems, and solving them eliminates the core vulnerability that credential stuffing exploits.
Password managers also function as a phishing detection tool. Because autofill is domain-aware, the manager will not offer credentials on a spoofed login page. That absence of a password suggestion is your signal that the site is fake. Our password manager habits exercise covers this in detail.
Make every password unique
If a password exists in two places, credential stuffing can bridge them. The goal is zero reuse. Not “mostly unique” or “unique for important accounts.” Zero.
This sounds unreasonable until you accept that password managers handle it for you. Generate a 20-character random string for each account. You will never type it manually, so it does not matter if it is memorable.
Enable multi-factor authentication everywhere
MFA does not prevent credential stuffing attempts, but it stops a stolen password alone from being enough. Even when an attacker has the correct password, they cannot complete the login without the second factor. One caveat: a stuffing tool that reaches the MFA prompt has still learned that the password is valid, so a password that triggers unexpected MFA prompts should be changed anyway.
Not all MFA is equally strong. SMS codes can be intercepted via SIM swapping, and one-time codes from authenticator apps can be relayed by a phishing page that proxies the real login in real time. Both still defeat bulk credential stuffing, which is fully automated and never sees the second factor. FIDO2/WebAuthn authenticators, which include hardware security keys and passkeys, are the strongest option and the only ones that are phishing-resistant: the credential is bound to the site’s origin, so it cannot be replayed to a look-alike domain.
Our MFA setup exercise walks through the tradeoffs and helps employees configure the strongest option their accounts support.
Do not ignore breach notifications
When a service notifies you of a breach, change the affected password immediately. Then check whether you used it anywhere else. This is the step most people skip, and it is the one that matters most for credential stuffing prevention.
What credential stuffing looks like from the defender’s side
Understanding the detection and response perspective helps employees appreciate why their individual habits matter at an organizational level.
Login anomaly patterns
Security teams monitor for patterns that distinguish credential stuffing from normal authentication traffic.
Geographic impossibility. An employee’s account logs in from New York at 9 AM and from Moscow at 9:05 AM. No human can travel that fast. This is a strong indicator of compromised credentials being tested remotely, though corporate VPN egress points and mobile carrier networks produce benign versions of it, so the usual response is a step-up challenge rather than an automatic lockout.
Burst failure rates. A sudden spike in failed login attempts across multiple accounts, followed by a small number of successes, is the classic credential stuffing signature.
User-agent rotation. Automated tools cycle through browser identifiers to appear as different devices. The rapid rotation is detectable with behavioral analysis.
Off-hours activity. Login attempts at 3 AM on accounts that normally authenticate during business hours.
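The four signals above, scored over a small authentication log, as an added example (this is not code from the original page). The log lines, the geolocation table, and the thresholds are constructed for illustration; a production pipeline would read from the identity provider’s audit log and use a GeoIP lookup. The burst window and per-IP spread checks catch the classic signature (many distinct accounts failing from a few proxies, with rotating user agents), and the impossible-travel check flags the one successful stuffing login that collides with the victim’s real session.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log, not real data. One event per line:
#   timestamp user ip result user_agent_id city
# A stuffing burst at 09:03 from three proxy IPs hits seven different
# accounts with one success (carol), whose real session was in New York
# three minutes earlier. alice at 09:30 is an ordinary mistyped password.
SAMPLE_LOG = """\
2024-01-13T09:00:00Z carol 198.51.100.5 SUCCESS ua1 NewYork
2024-01-13T09:03:00Z alice 203.0.113.10 FAIL ua7 Frankfurt
2024-01-13T09:03:01Z bob 203.0.113.10 FAIL ua2 Frankfurt
2024-01-13T09:03:02Z dave 203.0.113.10 FAIL ua9 Frankfurt
2024-01-13T09:03:03Z erin 203.0.113.11 FAIL ua4 Moscow
2024-01-13T09:03:04Z frank 203.0.113.11 FAIL ua1 Moscow
2024-01-13T09:03:05Z carol 203.0.113.11 SUCCESS ua3 Moscow
2024-01-13T09:03:06Z grace 203.0.113.12 FAIL ua5 Moscow
2024-01-13T09:03:07Z heidi 203.0.113.12 FAIL ua6 Moscow
2024-01-13T09:30:00Z alice 192.0.2.8 FAIL ua1 NewYork
2024-01-13T09:30:20Z alice 192.0.2.8 SUCCESS ua1 NewYork
"""

# Assumed geolocation table (latitude, longitude) standing in for a GeoIP lookup.
COORDS = {"NewYork": (40.71, -74.01), "Moscow": (55.76, 37.62), "Frankfurt": (50.11, 8.68)}


def parse(log):
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result, ua, city = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "ip": ip, "ok": result == "SUCCESS", "ua": ua, "city": city})
    return sorted(events, key=lambda e: e["ts"])


def burst_windows(events, min_accounts=5):
    """Minute buckets in which failures span many distinct accounts: the burst signature.
    A single user fat-fingering a password fails on one account, not on seven."""
    buckets = defaultdict(lambda: {"failed_accounts": set(), "successes": 0})
    for e in events:
        b = buckets[e["ts"].replace(second=0)]
        if e["ok"]:
            b["successes"] += 1
        else:
            b["failed_accounts"].add(e["user"])
    return [{"start": k, "failed_accounts": len(v["failed_accounts"]), "successes": v["successes"]}
            for k, v in sorted(buckets.items()) if len(v["failed_accounts"]) >= min_accounts]


def suspicious_ips(events, min_accounts=3, min_agents=3):
    """IPs that try many accounts or rotate user agents; a real user does neither."""
    per_ip = defaultdict(lambda: {"users": set(), "agents": set()})
    for e in events:
        per_ip[e["ip"]]["users"].add(e["user"])
        per_ip[e["ip"]]["agents"].add(e["ua"])
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_accounts or len(s["agents"]) >= min_agents)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=1000.0):
    """Consecutive successful logins per user whose implied speed no traveller can reach.
    Caveat: VPN egress and carrier NAT cause false positives, so treat a hit as a
    trigger for a step-up challenge and analyst review, not an automatic lockout."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    hits = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(COORDS[prev["city"]], COORDS[cur["city"]])
            if km > max_kmh * hours:  # also catches two distant logins in the same second
                hits.append({"user": user, "from": prev["city"], "to": cur["city"], "km": round(km)})
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("burst windows:", burst_windows(ev))
    print("suspicious IPs:", suspicious_ips(ev))
    print("impossible travel:", impossible_travel(ev))
```

Each check is deliberately a separate function so the thresholds can be tuned independently: the burst check is the cheap, high-confidence alarm; the per-IP check is what survives when the attacker slows down below the rate limiter; and impossible travel is the one signal that points at a specific compromised account rather than at the campaign as a whole.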
Defensive controls
Organizations layer multiple defenses to slow down credential stuffing.
Rate limiting caps the number of login attempts from a single IP or for a single account within a time window. Attackers counter this with distributed IP pools and by spreading attempts thinly across many accounts so that no single account or address crosses the threshold, which is why rate limiting alone is not sufficient.
CAPTCHA challenges force proof-of-humanity during login. Machine learning solvers and paid human solving farms have reduced their effectiveness, but they still increase the cost and complexity of attacks.
Credential screening compares passwords against corpora of passwords exposed in previous breaches, a practice NIST SP 800-63B recommends. If an employee sets a password that has appeared in a known breach, the system rejects it; existing passwords can be checked at the moment of a successful login, when the plaintext is briefly available, and a hit can force a reset. Have I Been Pwned’s Pwned Passwords service makes this practical without sending the password anywhere: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in that range together with a prevalence count, so the service never learns which password was checked. Microsoft Entra ID password protection applies a global banned-password list in the same spirit.
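The k-anonymity screening check described above, as an added example (not code from the original page or from Have I Been Pwned). The client-side logic is the real protocol: SHA-1 the password, send the five-character hash prefix, match the returned suffixes locally. The network call is replaced by a fetcher built over a constructed in-memory corpus with made-up prevalence counts so the example runs offline; the production fetcher against `https://api.pwnedpasswords.com/range/<prefix>` is included but never invoked here. The password-policy thresholds are assumptions.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords data set. Counts are invented.
CONSTRUCTED_CORPUS = {"password": 9_545_824, "Winter2024!": 3, "letmein": 283_042}


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_fetcher(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every corpus hash beginning with prefix, plus
    a zero-count padding line of the kind the real API adds when the client sends
    'Add-Padding: true'. Clients must treat count 0 as 'not seen'."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, hides how many real hits the range has
    return "\r\n".join(lines)


def pwned_passwords_range_fetcher(prefix):
    """Production fetcher (needs network access; not called in this example)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-credential-screener"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus, without revealing it.
    Only the 5-character prefix leaves the client; the 35-character suffix is
    matched locally against the whole range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)  # 0 for a padding line means 'not seen'
    return 0


def accept_new_password(password, fetch_range, min_length=8):
    """Policy check at password-set time: length plus breach screening.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, fetch_range)
    if seen > 0:
        return False, f"seen {seen} times in breach corpora"
    return True, "ok"


def force_reset_at_login(password, fetch_range):
    """Screening for existing passwords: run after a successful login, while the
    plaintext is available, and return True if the account should be forced to reset."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for pw in ("password", "Winter2024!", "correct horse battery staple"):
        print(pw, "->", accept_new_password(pw, constructed_range_fetcher))
```

Two details matter in practice. The prefix is sent in the clear to the screening service, so the client must never send the full hash, and the prefix alone yields roughly 2^128 candidate hashes, which is why the request leaks nothing useful. And a match with a count of zero must be ignored, because padding lines exist precisely so that the response size does not reveal whether the range contained a real hit.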
Device fingerprinting builds a profile of each user’s normal login behavior, including device type, browser, location, and time patterns. Logins that deviate significantly trigger additional verification.
Credential stuffing and account recovery
A less obvious risk: if an attacker gains access to an account, they may also be able to change recovery settings. They add their own phone number for password resets, register a new MFA device, or modify the recovery email address. Even after the victim changes their password, the attacker retains a way back in.
This is why account recovery security matters. Check your recovery settings proactively, not just after an incident. Verify that recovery phone numbers and email addresses are current and belong to you. Remove any you do not recognize. After a password change, also sign out of all other sessions where the service offers it, since an attacker’s existing session can outlive the old password.
The connection between personal and corporate security
Here is where credential stuffing gets uncomfortable for organizations. The breach that exposes an employee’s password often happened on a personal service: a streaming platform, a gaming site, a food delivery app. The employer had no control over that service’s security practices. But the moment an employee reuses their corporate password on that personal account, the organization inherits the risk.
This is not a hypothetical. The 2020 Zoom credential stuffing attack, where over 500,000 accounts were sold on dark web forums, was fueled almost entirely by passwords reused from other breaches. None of those passwords were stolen from Zoom itself.
Corporate security policies that focus only on corporate systems miss this reality. Effective programs acknowledge that employees have personal accounts, that password reuse bridges the two worlds, and that the solution (password managers, unique passwords, MFA) protects both simultaneously. Shadow IT compounds this problem: every unauthorized SaaS tool an employee signs up for with their corporate email is another account where password reuse creates exposure.
Training that changes behavior
Awareness alone does not stop credential stuffing. People have known for years that password reuse is dangerous. They keep doing it because the alternative (remembering unique passwords for 100+ accounts) seems impossible.
Training needs to close the gap between knowing and doing.
Make it concrete. Show employees what a breached credential list actually looks like. Let them search for their own emails in breach databases. Abstract warnings about “password hygiene” do not motivate behavior change. Seeing your own email next to a plaintext password does.
Provide the tools. Telling employees to use unique passwords without providing a password manager is like telling them to lock the door without giving them a key. Deploy an enterprise password manager, build time into onboarding for setup, and provide ongoing support.
Simulate the attack. Our credential stuffing awareness exercise puts employees in the middle of a live credential stuffing incident. They analyze authentication logs, trace the attack pattern, identify compromised accounts, and take containment steps. When you see how the attack works from the inside, the motivation to fix your own password habits becomes personal.
Repeat without being annoying. One training session does not create lasting behavior change. Periodic reinforcement through simulated attacks, breach notification walkthroughs, and password audit reminders keeps the topic present without inducing fatigue.
See credential stuffing from the attacker’s perspective. Try our free credential stuffing awareness exercise and practice identifying compromised accounts in live authentication logs. For broader coverage, explore our security awareness training catalogue with exercises on password management, MFA configuration, and account recovery security.