Anatomy of a Credential-Stuffing Wave (and How to Survive One)
Reused passwords from old breaches get replayed against your login by the millions. Here's how these attacks actually work and the controls that stop them.
Every few weeks a familiar pattern lights up the dashboards of anyone running a login page: a sudden spike in failed authentications, spread across thousands of IP addresses, each trying a different username with a password that’s often correct somewhere else. That’s credential stuffing — and it’s one of the most common ways accounts get taken over, precisely because it requires almost no skill.
How the attack works
The pipeline is depressingly simple:
- Acquire combos. Attackers buy or download “combo lists” —
email:passwordpairs leaked from prior breaches. Billions are in circulation. - Distribute the requests. Tooling like OpenBullet replays those pairs against a target’s login endpoint, rotating through residential proxies so no single IP looks abusive.
- Harvest the hits. Because people reuse passwords, a small percentage work. At scale, even a 0.1% success rate against a 10-million-entry list is 10,000 compromised accounts.
- Monetize. Valid accounts get drained, resold, or used for fraud.
The uncomfortable truth: this attack doesn’t exploit a bug in your system. It exploits your users reusing a password that leaked from someone else’s.
Signals you’re being stuffed
- A spike in login volume with an abnormally high failure rate.
- Failures spread thin across many usernames, not concentrated (that’s brute-forcing one account, a different problem).
- Traffic from datacenter or residential proxy ranges, often with rotating but slightly-too-uniform user agents.
- A trailing rise in support tickets about “I didn’t do that” transactions.
The controls that actually stop it
| Control | Why it works |
|---|---|
| MFA / passkeys | A correct password alone is no longer enough. This is the single highest-impact control. |
| Breached-password screening | Reject passwords known to appear in breach corpora (e.g. the Pwned Passwords k-anonymity API) at signup and reset. |
| Rate limiting + device fingerprinting | Throttle by IP and by behavioral signal; proxies defeat naive IP limits. |
| Bot management / proof-of-work | Raise the cost per attempt so a million tries stops being free. |
| Anomaly-based step-up auth | New device + new geo + sensitive action → challenge, even with a valid password. |
What to do this week
If you operate a login page: turn on MFA for everyone you can, add breached-password screening at signup, and alert on failure-rate spikes. If you’re a user: a unique password per site (via a password manager) makes the entire attack class irrelevant to you — there’s no reused credential to stuff. We walk through exactly how to set that up in the Guides section.
This is starter content shipped with the site — replace it with your own coverage.
Newsletter
Liked this? Get the weekly digest.
One email a week. The breaches that matter, the fixes that work, and the deep dives worth your time. No trackers, no spam, unsubscribe anytime.
⚙ Newsletter not yet wired. Set PUBLIC_LISTMONK_URL and
PUBLIC_LISTMONK_LIST_UUID in your environment, then this
form goes live. See SETUP.md.