← All terms
Credential Stuffing

What is Credential Stuffing?

Credential stuffing is an attack that replays username-password pairs leaked from one breach against many other sites, exploiting password reuse at scale.

Last updated: 15 July 2026

How credential stuffing works

Credential stuffing starts with data that already exists: billions of username and password pairs exposed in past breaches circulate freely between attackers. Because a large share of people reuse the same password across services, an attacker can take a list stolen from one site and replay those exact pairs against the login page of another, entirely unrelated service.

The replay is automated and distributed. Bots rotate through proxy networks so each login attempt arrives from a different address, mimic real browsers, and pace their attempts to stay under simple rate limits. The attacker does not guess passwords at all; every attempt uses a combination already known to be valid somewhere, which is why success rates, though small in percentage terms, translate into thousands of compromised accounts on a large user base.

Why it matters

Credential stuffing is one of the highest-volume attacks on the internet because it is cheap, requires no vulnerability in the target and scales with every new breach that leaks passwords. For businesses, the direct costs include account takeover fraud, stolen loyalty balances and support load; the indirect costs include locked-out customers and infrastructure strain from bot traffic that can dwarf legitimate logins.

For workforce identity, the stakes are higher still. An employee who reused their corporate password on a breached consumer site hands attackers a working path into email, VPN or SaaS applications. Many publicized corporate intrusions began with a single valid credential obtained this way rather than with any technical exploit.

How to defend against credential stuffing

The single most effective control is multi-factor authentication: a replayed password fails when a second factor is required, and phishing-resistant methods such as passkeys remove the shared secret entirely. Screening new and existing passwords against known-breached lists stops users from choosing credentials that are already circulating.

On the detection side, credential stuffing has a recognizable shape: elevated login failure rates, many usernames tried from rotating addresses, and logins from automation-like clients. Risk-based controls that step up authentication or block traffic when these signals appear blunt the attack without adding friction for normal users; Monosign applies this pattern with adaptive authentication and anomaly signals layered on MFA, including FIDO2 passkeys.

Frequently asked questions

How is credential stuffing different from brute force?
Brute force guesses passwords by trying many combinations against an account. Credential stuffing does not guess: it replays real username-password pairs stolen from other services, betting on password reuse. That makes it far more efficient per attempt and harder to spot with simple failed-login thresholds on a single account.
Does MFA fully stop credential stuffing?
MFA stops the automated replay itself, because a valid password alone no longer grants access. Attackers may follow up with MFA fatigue prompts or phishing to capture the second factor, which is why phishing-resistant methods such as passkeys, combined with breached-password screening, provide the most durable protection.