What is credential stuffing?

Credential stuffing is a cyberattack that uses stolen login credentials from one breach to gain access to accounts on other services.

Credential stuffing is a type of cyberattack where stolen account credentials — typically lists of usernames and/or email addresses with corresponding passwords — are used to gain unauthorized access to user accounts through large-scale automated login requests.

How does credential stuffing work?

Attackers obtain leaked credential databases from data breaches. Since many people reuse passwords across services, attackers use bots to automatically try these credentials against many websites simultaneously.

How to prevent credential stuffing

Defenses include enforcing multi-factor authentication, monitoring for unusual login patterns, implementing bot detection, using breached-password screening, and encouraging users to use unique passwords for each service.
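As an illustration of monitoring for unusual login patterns, the following added example (not part of the original page) flags sources that try many different accounts with a high failure rate inside a short window, which is the pattern that separates credential stuffing from repeated guessing against a single account. The event format, thresholds, addresses and usernames are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that hit many distinct accounts and mostly fail.

    events: iterable of (timestamp, source_ip, username, success) tuples.
    Returns {ip: {"users", "fail_ratio", "hits"}}; "hits" lists accounts
    that logged in successfully from a flagged source (reset candidates).
    Thresholds are illustrative assumptions, not recommended values.
    """
    recent = defaultdict(deque)          # per-IP sliding window of events
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        win = recent[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > window:   # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        ratio = sum(1 for _, _, s in win if not s) / len(win)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            # Keep the widest view of the burst seen so far for this source.
            if len(users) >= flagged.get(ip, {"users": 0})["users"]:
                flagged[ip] = {
                    "users": len(users),
                    "fail_ratio": ratio,
                    "hits": sorted(u for _, u, s in win if s),
                }
    return flagged

def sample_events():
    """Constructed login events using documentation-range IP addresses."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = []
    # One guess each against 8 different accounts in 40 s; one guess is valid.
    for i in range(8):
        ev.append((t0 + timedelta(seconds=5 * i), "203.0.113.10",
                   f"user{i}", i == 6))
    # 10 failures against a single account: guessing, but not stuffing.
    for i in range(10):
        ev.append((t0 + timedelta(seconds=3 * i), "198.51.100.7",
                   "alice", False))
    # Ordinary user: one typo, then a successful login.
    ev.append((t0, "192.0.2.55", "bob", False))
    ev.append((t0 + timedelta(seconds=20), "192.0.2.55", "bob", True))
    return ev

if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_events()).items():
        print(ip, info)
```

Thresholds need tuning against real traffic, since shared addresses such as corporate NAT gateways can legitimately carry logins for many accounts.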