Credential Stuffing
Credential stuffing is an automated attack that tries large lists of username and password pairs stolen from other breaches against a login form, exploiting the fact that people reuse passwords.
Credential stuffing takes username and password pairs leaked from one service and replays them at scale against another, betting that some users reused the same password. Because the credentials are real, each successful match becomes an account takeover. Bots drive the volume, often routed through many addresses to avoid simple blocking.
It is one of the most common attacks against consumer logins precisely because password reuse is widespread and breach lists are cheap and plentiful. Defenses are layered: bot detection and rate limiting to cut the volume, screening new and existing passwords against known-breached sets so a leaked pair is rejected before it can be replayed, and multi-factor authentication so that a matched password alone does not complete a login.
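Detection depends on telling stuffing apart from the brute force it superficially resembles: a stuffing source tries many different usernames roughly once each and fails most of the time, whereas a brute-force source hammers one username with many passwords. The following is an added example, not code from the original page or from OWASP, that runs that distinction over a constructed batch of login events (the IP addresses, usernames and thresholds are illustrative assumptions) and also lists the accounts a stuffing source actually got into, which are the ones to force a reset or step-up on.

```python
"""Flag credential-stuffing sources in a batch of login events.

Added illustration; the events below are constructed, not real traffic.
Stuffing: one source, many distinct usernames, ~1 try each, mostly failures.
Brute force: one source, one username, many tries.
"""
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = [
    # 203.0.113.7 replays a breach list: 8 users, one try each, two hits.
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", True),
    ("203.0.113.7", "carol", False),
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("203.0.113.7", "frank", True),
    ("203.0.113.7", "grace", False),
    ("203.0.113.7", "heidi", False),
    # 198.51.100.9 guesses one account's password repeatedly: brute force.
    *[("198.51.100.9", "alice", False) for _ in range(6)],
    # 192.0.2.5 is an ordinary user who mistyped once.
    ("192.0.2.5", "ivan", False),
    ("192.0.2.5", "ivan", True),
]


def summarize(events):
    """Per-source counters: total attempts, failures, distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats


def classify(s, min_users=5, max_tries_per_user=2.0, min_failure_rate=0.5):
    """Label one source as credential_stuffing, brute_force or normal.

    Thresholds are illustrative assumptions; tune them to your traffic.
    """
    users = len(s["users"])
    attempts = s["attempts"]
    failure_rate = s["failures"] / attempts if attempts else 0.0
    tries_per_user = attempts / users if users else 0.0
    if (users >= min_users and tries_per_user <= max_tries_per_user
            and failure_rate >= min_failure_rate):
        return "credential_stuffing"
    if users == 1 and attempts >= min_users and failure_rate >= min_failure_rate:
        return "brute_force"
    return "normal"


def detect(events, **thresholds):
    """Map each source IP to its label."""
    return {ip: classify(s, **thresholds) for ip, s in summarize(events).items()}


def compromised_accounts(events, **thresholds):
    """Usernames that a stuffing source logged into successfully.

    These are live account takeovers: invalidate sessions, force a password
    reset or require step-up authentication on next login.
    """
    stats = summarize(events)
    hits = set()
    for ip, user, ok in events:
        if ok and classify(stats[ip], **thresholds) == "credential_stuffing":
            hits.add(user)
    return hits


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_EVENTS).items():
        print(f"{ip:14} {label}")
    print("taken over:", sorted(compromised_accounts(SAMPLE_EVENTS)))
```

Keying on source IP alone is the weak point in practice: the paragraph above notes that stuffing bots are routed through many addresses, so each one may stay under `min_users`. Production detectors therefore also aggregate by ASN, client fingerprint or proxy reputation, and watch the site-wide failure rate, which climbs sharply during a stuffing run even when no single address looks suspicious.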
The structural fix is to remove the reusable secret entirely. A passkey gives each site its own key pair: the private key never leaves the user's authenticator and the credential is bound to the site's origin, so a breach elsewhere yields nothing that can be replayed here and there is no shared password to stuff. That is why phishing-resistant authentication is the strongest answer for customer identity and access management (CIAM).
Sources
- OWASP, Credential Stuffing: https://owasp.org/www-community/attacks/Credential_stuffing