Cyber Threats #credential stuffing#account takeover#password security

Credential Stuffing: How Breached Passwords Fuel Account Takeovers

Understand credential stuffing attacks that use breached username/password pairs to compromise accounts. Learn detection and defense strategies.

6 min read

Credential stuffing is the automated use of username/password pairs obtained from data breaches to break into other accounts. Because most people reuse passwords, a single breach enables attackers to compromise accounts across dozens of unrelated services. It’s responsible for billions of account takeovers annually.

Why Credential Stuffing Works

When a service is breached, attackers obtain databases containing usernames (usually emails) and passwords (often hashed). Once cracked, these credentials are sold on dark web markets and compiled into “combolists” — massive files with millions of email:password pairs.

People reuse passwords: research consistently shows 50–65% of users reuse the same password across multiple services. A credential from a 2019 gaming site breach often still works on banking, email, and social media sites in 2026.

The math: if attackers have 10 million credential pairs and 60% of users reuse passwords, they have access attempts that will succeed against 6 million accounts across various services — without any technical hacking.

How Attacks Are Executed

Tooling

Attackers use specialized credential stuffing tools that:

  • Manage proxy rotation (avoid IP blocks)
  • Handle CAPTCHAs (via human CAPTCHA farms or ML solvers)
  • Parse target sites’ authentication flows
  • Manage rate limiting across thousands of IPs

Common tools (used by attackers): OpenBullet (open-source, often trojanized), Snipr, SENTRY MBA, Woxy.

Commercial anti-bot vendors spend significant resources detecting and blocking these tools.

Attack Flow

1. Acquire combolist (bought on dark web, $10-500 for millions of credentials)
2. Purchase/rent residential proxy network (real home IP addresses, harder to block)
3. Configure tool with target site's authentication endpoint
4. Launch attack at low request rate per IP (mimics human behavior)
5. Collect successful logins
6. Monetize: sell working accounts, drain payment methods, send spam

Residential proxies are a critical enabler — cloud IP blocks are easily blocked, but home IPs from ISPs like Comcast and AT&T appear to be regular users.

Attack Volume

At scale: 100,000 login attempts per hour distributed across 50,000 IPs is 2 attempts per IP per hour — invisible to naive rate limiting. Success rate of 0.5–2% means 500–2,000 compromised accounts per hour.

Target Industries

Financial services: highest value — direct access to money
E-commerce: stored payment methods, gift cards, order history
Gaming: valuable in-game items, currencies, high-level accounts
Streaming (Netflix, Disney+, Spotify): sold on credential-sharing markets
Airlines/Hotels: frequent flyer miles, loyalty points
Healthcare: medical records, insurance information, prescription access

Detection for Website Operators

Velocity and Pattern Anomalies

Signs of a credential stuffing attack:

  • Login failure rate spikes above baseline (e.g., from 2% to 15%)
  • High volume of logins from unfamiliar IP ranges
  • Failed logins followed by immediate success (correct password found via stuffing)
  • Multiple accounts accessed from the same device fingerprint
  • Login attempts at non-human speed

Device Fingerprinting

Track: User-Agent, screen resolution, timezone, language settings, installed fonts. Credential stuffing tools typically use generic or rotating fingerprints that don’t match real user patterns.

Password Breach Detection

Check submitted passwords against known breached password databases at login time:

HaveIBeenPwned API (free for website operators):

import hashlib
import requests

def check_pwned_password(password: str) -> bool:
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    
    response = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}')
    hashes = dict(line.split(':') for line in response.text.splitlines())
    
    count = int(hashes.get(suffix, 0))
    return count > 0  # True = password found in breaches

# At login or password change
if check_pwned_password(submitted_password):
    # Force password reset or warn user
    pass

This uses k-anonymity — only the first 5 hex characters of the SHA-1 hash are sent to the API.

CAPTCHA and Bot Detection

  • Cloudflare Turnstile (free, non-intrusive): challenges suspicious requests invisibly
  • Google reCAPTCHA v3: risk score-based, invisible to most users
  • hCaptcha: privacy-respecting alternative
  • Arkose Labs FunCaptcha: interactive challenges that defeat automation

Multi-Factor Authentication

MFA is the most effective credential stuffing mitigation — even correct credentials don’t grant access without the second factor.

Require MFA for:

  • New device login
  • Login from unusual geography
  • High-value actions (password change, payment modification)

Defense for Users

Password Manager + Unique Passwords

The root cause is password reuse. Use a password manager to generate and store unique, random passwords for every service.

If your password for Site A is different from every other site, a breach of Site A exposes only Site A — no credential stuffing possible.

Recommended: Bitwarden (free, open-source), 1Password, KeePassXC.

Check HaveIBeenPwned

Go to haveibeenpwned.com and enter your email. It shows every known breach that contains your email address. If your email appears in a breach:

  1. Change the password for that service immediately
  2. Check if you used the same password anywhere else — change those too
  3. Enable email notifications for future breaches

Enable Alerts

Most banks and many services offer login alerts (email or SMS). Enable them — you’ll know within seconds if someone logs in from an unfamiliar location.

Use Passkeys Where Available

Passkeys (FIDO2) are immune to credential stuffing — there’s no username/password to steal. They use cryptographic key pairs where the private key never leaves your device. Google, Apple, Microsoft, PayPal, and many others now support passkeys.

Credential stuffing exists because of password reuse, and it will persist as long as users reuse passwords. Unique passwords via a password manager + MFA eliminates essentially all risk from credential stuffing for individual accounts.

#breaches #password security #account takeover #credential stuffing