
What Is Credential Stuffing? How It Works and How to Stop It

Quick Answer: Credential stuffing is an automated attack that takes username and password pairs from data breaches and tries them against other websites. It works because people reuse passwords across multiple accounts. Unlike brute force attacks, it does not guess passwords. It uses real credentials that have already been stolen.

What Is Credential Stuffing?

Credential stuffing is one of the most common and damaging attacks on authentication systems today. Attackers collect usernames and passwords from data breaches, which are sold and traded openly on the dark web. They then write scripts to try these credential pairs against banks, e-commerce sites, email providers, and any other service that has a login form.

The numbers make this attack effective at scale. A typical breach might expose tens of millions of credential pairs. Even if only 0.5% of users reuse the same password on another site, an attacker with 50 million credential pairs gains access to 250,000 accounts. Automated tools can attempt thousands of logins per second, so these attacks can run against an entire application in minutes.

How Is Credential Stuffing Different From a Brute Force Attack?

These two attacks are often confused, but they work in completely different ways. Understanding the difference helps you choose the right defences for each one.

Attack              | What It Tries                           | Source of Credentials                   | Speed                                    | Success Rate
--------------------|-----------------------------------------|-----------------------------------------|------------------------------------------|--------------------------------------------
Credential Stuffing | Real leaked username and password pairs | Data breaches and dark web databases    | Thousands of attempts per second         | 0.1% to 2% of attempts succeed
Brute Force         | Every possible password combination     | No prior data needed                    | Slower due to the number of combinations | Very low unless password is short or common
Dictionary Attack   | A list of common words and patterns     | Wordlists and common password databases | Fast                                     | Higher against weak passwords

How Does a Credential Stuffing Attack Work?

A credential stuffing attack follows a clear sequence of steps. Each step is mostly automated, which is why it can run against thousands of accounts in a short time.

  1. Obtain a breach database. The attacker downloads a list of username and password pairs from a data breach. These lists are freely available on dark web forums or sold for low prices.
  2. Parse and deduplicate the list. Automated tools clean the data, remove duplicates, and format it for use in the attack tool.
  3. Configure the attack tool. Tools like Sentry MBA, OpenBullet, or custom scripts accept the credential list and a configuration file for the target site's login endpoint.
  4. Run the attack at scale. The tool sends thousands of login requests per second, often using residential proxy networks to bypass IP-based rate limiting and appear as legitimate traffic.
  5. Collect valid credentials. The tool logs which credential pairs succeeded. The attacker then uses these accounts manually or sells them to other criminals.

Why Do Credential Stuffing Attacks Succeed?

The conditions below make credential stuffing consistently effective. Fixing any one of them significantly reduces your risk.

  • Password reuse is widespread. Studies consistently show that between 50% and 65% of users reuse passwords across multiple accounts. This means a breach on one site gives attackers access to other sites.
  • Breach databases are enormous and freely available. Over 15 billion credential pairs are known to exist in circulation from historical breaches. New breaches add millions more every month.
  • Most applications have no velocity checks. Without rate limiting, lockout, or bot detection, an application treats 10,000 login attempts from 10,000 different IP addresses as normal traffic.
  • Residential proxy networks defeat IP blocking. Attackers route login attempts through millions of residential IP addresses, so blocking a single IP has no effect.
  • Multi-factor authentication adoption is low. MFA stops credential stuffing entirely, but most applications do not require it, and many users do not enable it voluntarily.

How Can You Detect Credential Stuffing?

Credential stuffing traffic often looks like legitimate user behaviour from the outside. But there are patterns you can monitor to detect it early.

  • A spike in failed login attempts across many different accounts and IP addresses at the same time
  • A higher than normal ratio of failed logins to successful logins
  • Login attempts arriving at a consistent rate rather than in the irregular bursts normal users produce
  • Login attempts against accounts that have not been active in months or years
  • Successful logins from IP addresses or geographies that do not match a user's history
  • A surge in password reset requests shortly after a login spike
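As an added example (this is not code from the article), the following Node.js script scores a window of authentication log lines for several of the signals above: the failed-to-successful ratio, how many distinct accounts and IP addresses the failures are spread across, and whether attempts arrive at a steady, scripted cadence rather than in human bursts. The log format, the sample lines and the thresholds are all constructed for this demo and would need tuning against your own baseline.

```javascript
// Added example, not code from the article. Scores a window of authentication
// log lines for the credential-stuffing signals in the list above. The log
// format ("timestamp user ip OK|FAIL"), the sample lines and the thresholds
// are all constructed assumptions for this demo.

// Thresholds (assumed): flag a window when most attempts fail, the failures
// are spread over many accounts and IPs, and requests arrive at a machine-like
// steady cadence (low coefficient of variation of the inter-arrival gaps).
const THRESHOLDS = { failureRatio: 0.5, distinctAccounts: 5, distinctIps: 5, cadenceCv: 0.5 };

// Constructed sample: a stuffing run, one attempt per second, each against a
// different account from a different proxy IP, nearly all failing.
const STUFFING_LOG = `
2024-05-01T10:00:00Z user01 203.0.113.10 FAIL
2024-05-01T10:00:01Z user02 203.0.113.11 FAIL
2024-05-01T10:00:02Z user03 203.0.113.12 FAIL
2024-05-01T10:00:03Z user04 203.0.113.13 FAIL
2024-05-01T10:00:04Z user05 203.0.113.14 FAIL
2024-05-01T10:00:05Z user06 203.0.113.15 FAIL
2024-05-01T10:00:06Z user07 203.0.113.16 FAIL
2024-05-01T10:00:07Z user08 203.0.113.17 FAIL
2024-05-01T10:00:08Z user09 203.0.113.18 FAIL
2024-05-01T10:00:09Z user10 203.0.113.19 OK
`;

// Constructed sample: ordinary traffic, a couple of typos followed by
// successful logins, arriving in irregular bursts.
const NORMAL_LOG = `
2024-05-01T10:00:00Z alice 198.51.100.20 FAIL
2024-05-01T10:00:03Z alice 198.51.100.20 OK
2024-05-01T10:05:00Z bob 198.51.100.21 OK
2024-05-01T10:05:07Z carol 198.51.100.22 OK
2024-05-01T10:30:00Z dave 198.51.100.23 FAIL
2024-05-01T10:30:40Z dave 198.51.100.23 OK
`;

// Parse "timestamp user ip result" lines into events with unix-second times.
function parseAuthLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, user, ip, result] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, user, ip, ok: result === 'OK' };
  });
}

// Coefficient of variation of the gaps between consecutive attempts. Humans
// produce bursty gaps (high CV); a scripted run ticks along evenly (CV near 0).
function coefficientOfVariation(values) {
  if (values.length < 2) return Infinity; // too few samples to judge cadence
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  if (mean === 0) return 0;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance) / mean;
}

// Compute the per-window signals and apply the thresholds.
function analyseWindow(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  if (sorted.length === 0) return { total: 0, suspicious: false };
  const failed = sorted.filter(e => !e.ok);
  const gaps = sorted.slice(1).map((e, i) => e.t - sorted[i].t);
  const stats = {
    total: sorted.length,
    failureRatio: failed.length / sorted.length,
    distinctFailedAccounts: new Set(failed.map(e => e.user)).size,
    distinctFailedIps: new Set(failed.map(e => e.ip)).size,
    cadenceCv: coefficientOfVariation(gaps),
  };
  stats.suspicious =
    stats.failureRatio > THRESHOLDS.failureRatio &&
    stats.distinctFailedAccounts >= THRESHOLDS.distinctAccounts &&
    stats.distinctFailedIps >= THRESHOLDS.distinctIps &&
    stats.cadenceCv < THRESHOLDS.cadenceCv;
  return stats;
}

console.log('stuffing window:', analyseWindow(parseAuthLog(STUFFING_LOG)));
console.log('normal window:  ', analyseWindow(parseAuthLog(NORMAL_LOG)));
```

Run it with `node detect.js`. The stuffing window is flagged (90% failures across nine accounts and nine IPs, zero cadence variation), while the ordinary window is not (one third failures, two accounts, gaps varying from seconds to tens of minutes). In a real deployment the same statistics would be computed per sliding window over the authentication log and compared against a baseline learned from your own traffic rather than fixed constants.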

How to Stop Credential Stuffing: OWASP Checklist

Credential Stuffing Prevention Checklist
  1. Check passwords against the HaveIBeenPwned Pwned Passwords API at registration and login. Reject any password found in a known breach.
  2. Rate limit your authentication endpoint. Limit login attempts per IP address, per account, and globally across the application.
  3. Implement account lockout or progressive delays after a configurable number of failed attempts.
  4. Deploy bot detection or CAPTCHA on your login form, especially after repeated failures.
  5. Require multi-factor authentication for sensitive accounts or as an optional setting for all users.
  6. Log all failed login attempts with timestamps, IP addresses, and user agents. Alert on unusual spikes.
  7. Monitor for logins from new devices or unusual locations and trigger a step-up authentication challenge.
  8. Notify users of login attempts from new locations or devices so they can take action if the login was not from them.

What Does OWASP Say About Credential Stuffing?

OWASP addresses credential stuffing directly in the Authentication Cheat Sheet and in the ASVS 5.0 controls. OWASP recommends verifying passwords against breach databases at login using the HaveIBeenPwned k-anonymity API, implementing rate limiting and lockout at the application level, and requiring MFA for high-risk accounts. OWASP also recommends logging all authentication events, including failures, and monitoring those logs for signs of automated attack traffic.

The ASVS 5.0 V2 Authentication requirements include specific controls for breach notification (V2.1.7), rate limiting (V2.2.1), and lockout policy (V2.2.2). Meeting these controls significantly reduces exposure to credential stuffing as well as brute force attacks.
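To make the rate-limiting and lockout controls concrete, here is an added Node.js example (not the article's code and not an OWASP reference implementation) of a login guard that applies the three limits from the checklist, per IP, per account and global, as sliding windows, adds a progressive delay after each failure, and locks an account after a configurable number of consecutive failures. The limits, the test accounts and the scenarios are constructed for the demo, and time is passed in explicitly so the behaviour is deterministic; a real deployment would keep the counters in shared storage such as Redis rather than in process memory.

```javascript
// Added example, not the article's code: per-IP, per-account and global
// sliding-window limits plus progressive delay and account lockout. All
// limits and the sample accounts are constructed assumptions for the demo.

class SlidingWindow {
  constructor(limit, windowSeconds) {
    this.limit = limit;
    this.windowSeconds = windowSeconds;
    this.hits = new Map(); // key -> timestamps of attempts inside the window
  }
  allow(key, now) {
    const recent = (this.hits.get(key) || []).filter(t => now - t < this.windowSeconds);
    this.hits.set(key, recent); // drop expired entries while we are here
    return recent.length < this.limit;
  }
  record(key, now) {
    const list = this.hits.get(key) || [];
    list.push(now);
    this.hits.set(key, list);
  }
}

class LoginGuard {
  constructor({ verify, perIpLimit = 5, perAccountLimit = 3, globalLimit = 1000,
                windowSeconds = 60, lockoutThreshold = 3, lockoutSeconds = 900 }) {
    this.verify = verify; // (account, password) => boolean, supplied by the caller
    this.perIp = new SlidingWindow(perIpLimit, windowSeconds);
    this.perAccount = new SlidingWindow(perAccountLimit, windowSeconds);
    this.global = new SlidingWindow(globalLimit, windowSeconds);
    this.lockoutThreshold = lockoutThreshold;
    this.lockoutSeconds = lockoutSeconds;
    this.failures = new Map();    // account -> consecutive failed attempts
    this.lockedUntil = new Map(); // account -> unix time the lock expires
  }

  // Decide whether to even run the password check, then record the outcome.
  attempt(account, ip, password, now) {
    const lock = this.lockedUntil.get(account);
    if (lock !== undefined && now < lock) {
      return { status: 'blocked', reason: 'account_locked', retryAfter: lock - now };
    }
    if (!this.global.allow('*', now)) return { status: 'blocked', reason: 'global_limit' };
    if (!this.perIp.allow(ip, now)) return { status: 'blocked', reason: 'ip_limit' };
    if (!this.perAccount.allow(account, now)) return { status: 'blocked', reason: 'account_limit' };

    // Every attempt that reaches the password check counts against all windows.
    this.global.record('*', now);
    this.perIp.record(ip, now);
    this.perAccount.record(account, now);

    if (this.verify(account, password)) {
      this.failures.delete(account); // a success resets the consecutive-failure count
      return { status: 'ok', reason: 'authenticated' };
    }
    const n = (this.failures.get(account) || 0) + 1;
    this.failures.set(account, n);
    if (n >= this.lockoutThreshold) {
      this.lockedUntil.set(account, now + this.lockoutSeconds);
      this.failures.delete(account);
      return { status: 'failed', reason: 'locked_out', retryAfter: this.lockoutSeconds };
    }
    // Progressive delay (1s, 2s, 4s ... capped) the caller sleeps before responding.
    return { status: 'failed', reason: 'bad_credentials', delaySeconds: Math.min(2 ** (n - 1), 30) };
  }
}

// Constructed test accounts; a real system verifies against stored hashes.
const USERS = { alice: 'correct-horse-battery', bob: 'tr0ub4dor&3' };
function newGuard() {
  return new LoginGuard({ verify: (u, p) => USERS[u] === p });
}

// Scenario 1: three wrong guesses at one account lock it; the right password
// is refused until the lock expires.
function lockoutScenario() {
  const g = newGuard();
  const results = [0, 1, 2].map(t => g.attempt('alice', '198.51.100.7', 'wrong', t));
  results.push(g.attempt('alice', '198.51.100.7', USERS.alice, 3));   // correct, but locked
  results.push(g.attempt('alice', '198.51.100.7', USERS.alice, 902)); // lock has expired
  return results.map(r => r.reason);
}

// Scenario 2: one IP spraying six different accounts hits the per-IP limit.
function sprayScenario() {
  const g = newGuard();
  return Array.from({ length: 6 }, (_, i) =>
    g.attempt(`user${i}`, '203.0.113.9', 'Password1', 100 + i).reason);
}

console.log('lockout:', lockoutScenario());
console.log('spray:  ', sprayScenario());
```

The per-account limit and lockout stop repeated guesses at one account, the per-IP limit catches a single source cycling through many accounts, and the global limit caps the damage from a distributed run that spreads attempts across many residential proxies, which is exactly the case where per-IP limits alone fail. Keep the lockout window short enough that an attacker cannot use it to lock legitimate users out at will.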

Related reading: Learn how to implement breached password detection in Node.js with our guide to the HaveIBeenPwned API and k-anonymity. Or remove passwords from your application entirely with magic link authentication.

References

  1. OWASP Credential Stuffing Prevention Cheat Sheet
  2. OWASP ASVS 5.0 — V2 Authentication
  3. HaveIBeenPwned Pwned Passwords API
  4. NIST SP 800-63B — Digital Identity Guidelines

Q&A Section

Credential stuffing is when an attacker takes a list of username and password combinations stolen from one website and automatically tries them on other websites. It works because many people use the same password on multiple sites. If your password was part of a data breach anywhere, attackers will try that exact password on your bank, your email, and every other account linked to the same email address.

Brute force attacks try to guess a password by trying every possible combination of characters until one works. Credential stuffing does not guess at all. It uses real passwords that were already stolen from a previous breach. Credential stuffing is generally faster and more successful because the credentials it uses are real, not random guesses.

At minimum, reject the password at registration and prompt the user to choose a different one. At login, if the submitted password matches a known breached password, you should still authenticate the user (to avoid denial of service), but immediately prompt them to change their password and log the event. OWASP recommends using the HaveIBeenPwned k-anonymity API to check passwords without sending the raw password to any external server.

Yes, MFA effectively stops credential stuffing. Even if an attacker has the correct username and password, they cannot complete the login without the second factor, such as a one-time code from an authenticator app or a hardware key. MFA is the single most effective defence against credential stuffing and should be offered to all users, and required for any account with elevated privileges or sensitive data.

The scale is difficult to measure precisely, but security researchers and CDN providers report hundreds of millions to billions of credential stuffing attempts per day across the internet. Akamai has reported that credential stuffing accounts for the majority of all login traffic on many large platforms. The attack is common because the tools are freely available, breach databases are enormous, and most applications have minimal defences in place.