What is Credential Stuffing? Account Takeover Attacks


TL;DR

Credential stuffing uses username/password pairs leaked from other breaches to log into your service. It exploits password reuse: if someone used the same password on a breached site and yours, attackers get in. Defend with MFA, breach password checking, rate limiting, and bot detection. Even if your security is perfect, your users' password habits create risk.

The Simple Explanation

A website gets hacked and millions of usernames and passwords leak. Attackers take those credentials and try them on other sites: banks, email, social media. Since many people use the same password everywhere, a significant percentage work. Your site was never hacked, but accounts are still compromised.

How It Works

Attack flow
  1. Attacker obtains leaked credentials (millions available from past breaches)
  2. Automated tool tries each credential on target site (your app)
  3. Some percentage work due to password reuse (typically 0.1-2%)
  4. Attacker now controls those accounts
  5. Accounts sold or exploited directly

The Scale of the Problem

Statistic                         Value
Leaked credentials available      Billions
Password reuse rate               60%+
Typical success rate              0.1-2%
Attempts per day (major sites)    Millions

Defense Strategies

  • MFA: Password alone is not enough to log in
  • Breach checking: Reject known-compromised passwords
  • Rate limiting: Slow down automated attempts
  • Bot detection: Identify automated traffic
  • CAPTCHA: Challenge suspicious logins
  • Device fingerprinting: Detect new devices
  • Anomaly detection: Flag unusual login patterns

You cannot control user behavior. Even with perfect security, users bring compromised passwords from other sites. Breach checking and MFA protect users from themselves.

Breach Password Checking

Services like HaveIBeenPwned let you check whether a password appears in known breaches. Implement this at registration and password change, and consider re-checking at login so that passwords which leak later are still caught. Use the k-anonymity form of the API: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every matching hash suffix for that prefix, and does the final comparison locally, so the password (and its full hash) never leaves your system.
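The following is an added example, not code from the original page or from HaveIBeenPwned. It implements the k-anonymity range lookup described above in Python. The only part that touches the real service is fetch_range_live, which calls the public range endpoint; the demo and the checks run against fake_range_server, a constructed stand-in whose breach corpus and counts are invented for illustration. The function and variable names are the example's own.

```python
"""Breach password check against a k-anonymity range API (HaveIBeenPwned style).

Only the first 5 hex chars of the SHA-1 digest leave this process; the match
against the returned suffixes happens locally.
"""
import hashlib
import urllib.request

# Constructed stand-in for the breach corpus behind the range API.
# Passwords and counts are illustrative, not real breach data.
FAKE_BREACH_CORPUS = {
    "password": 3_730_471,
    "123456": 23_547_453,
    "letmein": 174_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest format the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}.

    Returns every corpus hash sharing the 5-char prefix as '<35-hex-suffix>:<count>'
    lines, plus a zero-count padding line like the real API emits when the client
    asks for padding. Clients must ignore zero-count entries.
    """
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry; count 0 means "not a real match"
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """Real network call against the public range endpoint (not used by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fake_range_server) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    fetch_range receives only the 5-char prefix; swap in fetch_range_live for
    a real lookup.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix and int(count) > 0:
            return int(count)
    return 0


def validate_new_password(password: str, fetch_range=fake_range_server) -> tuple:
    """Policy hook for registration and password change: (accepted, reason)."""
    n = breach_count(password, fetch_range)
    if n > 0:
        return False, f"rejected: this password appears in {n} known breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "->", validate_new_password(pw))
```

Two details matter in production: treat a lookup failure (timeout, non-200) as "unknown" and fall back to your other password rules rather than silently accepting, and request padding so that the size of the response does not leak which prefix range was queried.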

How is credential stuffing different from brute force?

Brute force guesses many passwords against one account, randomly or systematically. Credential stuffing uses real username/password pairs leaked from other breaches, typically trying each pair once. Because people reuse passwords, these known-good credentials often work on other sites, so stuffing is far more efficient per attempt. It also looks different in your logs: brute force hammers a single account, while stuffing touches thousands of accounts with one or two attempts each, which is why per-account lockouts alone do not stop it.
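The distinction above is easiest to see in login telemetry, which is also where the "anomaly detection" item in the defense list becomes concrete. The following is an added example, not code from the original page: it aggregates a small constructed auth log (documentation-range IPs, invented usernames, an assumed "ip=… user=… result=…" line format) per source address and classifies each source as credential stuffing, brute force, or normal from the shape of its attempts. The thresholds are illustrative.

```python
"""Classify login sources as credential stuffing, brute force, or normal.

Credential stuffing: many attempts, nearly all against *different* accounts,
mostly failing (one leaked pair per account). Brute force: many attempts
against the *same* account. A real user: a couple of attempts, then success.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from any real system). Assumed line format:
# "<timestamp> ip=<source> user=<account> result=<ok|fail>".
STUFFING_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                  "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = "\n".join(
    # 203.0.113.5: one try against each of 12 accounts; alice reused her password
    [f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.5 user={u} "
     f"result={'ok' if u == 'alice' else 'fail'}"
     for i, u in enumerate(STUFFING_USERS)]
    # 198.51.100.7: ten guesses against a single account
    + [f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.7 user=bob result=fail"
       for i in range(10)]
    # 192.0.2.9: a real user mistyping once, then succeeding
    + ["2024-05-01T10:02:00Z ip=192.0.2.9 user=carol result=fail",
       "2024-05-01T10:02:05Z ip=192.0.2.9 user=carol result=ok"]
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts targeted
    succeeded: set = field(default_factory=set)  # accounts that logged in


def parse_line(line: str):
    """Return (ip, user, success) from one log line in the assumed format."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"


def aggregate(log_text: str) -> dict:
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 8) -> str:
    """Illustrative thresholds; tune against your own baseline traffic."""
    if s.attempts < min_attempts:
        return "normal"
    distinct_ratio = len(s.users) / s.attempts
    fail_ratio = s.failures / s.attempts
    if distinct_ratio >= 0.8 and fail_ratio >= 0.8:
        return "credential_stuffing"
    if len(s.users) == 1 and fail_ratio >= 0.8:
        return "brute_force"
    return "normal"


def analyze(log_text: str, min_attempts: int = 8) -> dict:
    """Map each source IP to its classification."""
    return {ip: classify(s, min_attempts) for ip, s in aggregate(log_text).items()}


def accounts_to_step_up(log_text: str, min_attempts: int = 8) -> set:
    """Accounts that *succeeded* from a stuffing source: the attacker now holds
    these. They need forced re-authentication with MFA and a password reset,
    not just an IP block."""
    out = set()
    for s in aggregate(log_text).values():
        if classify(s, min_attempts) == "credential_stuffing":
            out |= s.succeeded
    return out


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("step-up / reset:", sorted(accounts_to_step_up(SAMPLE_LOG)))
```

The per-IP grouping is the weak point of this heuristic: a stuffing campaign run through a residential proxy network may show only one or two attempts per source address, so each IP looks "normal". In that case aggregate over a time window instead (failed logins across distinct accounts per minute versus your baseline) and combine it with the bot-detection and device signals from the defense list.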

Why is credential stuffing so effective?

Because people reuse passwords across sites. When one service is breached, attackers try those credentials everywhere else. Studies show over 60% of people reuse passwords. With billions of leaked credentials available, attackers have plenty of ammunition.

How do I protect my application from credential stuffing?

Require MFA so stolen passwords are not enough. Check passwords against known breach databases (like HaveIBeenPwned). Implement rate limiting and bot detection. Use CAPTCHA for suspicious login patterns. Monitor for logins from unusual locations or devices.
