Credential stuffing: how one leaked password becomes account takeover
Credential stuffing is the engine that turns yesterday’s breach into today’s account takeover. It’s cheap, automated, and it works precisely because people reuse passwords.
What credential stuffing is
Credential stuffing is an attack in which stolen username-and-password pairs from one breach are automatically tried against many other services. It is not password guessing (that’s brute forcing) — it’s password reuse being exploited at scale.
How the chain works
- A service is breached and its credentials are leaked or sold.
- Attackers aggregate this and older leaks into massive "combolists" of email/password pairs.
- Automated tools replay those pairs against other sites — email, banking, retail, corporate logins — often routed through many IPs to evade detection.
- Wherever someone reused the password, the login succeeds: that’s account takeover.
- The hijacked account is used for fraud, data theft, or as a foothold into an organisation.
How to break the chain
- Unique passwords — a password manager makes every login different, so one leak can’t cascade.
- Multi-factor authentication — a leaked password alone can’t log in; MFA is the single strongest defence.
- Breach monitoring — get alerted when your credentials appear in a leak, and rotate them before they’re stuffed.
- Passkeys — phishing-resistant, non-reusable credentials remove the leaked-password problem entirely.
For organisations
Defenders counter credential stuffing with MFA enforcement, rate limiting and bot detection, and by proactively monitoring for their employees’ credentials in breach data — forcing a reset before the attacker’s automation gets a hit.
FAQ
Related questions
What’s the difference between credential stuffing and brute forcing?
Brute forcing guesses passwords by trying many combinations. Credential stuffing doesn’t guess — it replays real, previously leaked passwords, betting that people reused them elsewhere.
Does MFA stop credential stuffing?
In most cases, yes. Because the attacker only has a password, a second factor blocks the login. The main exception is when a leaked session token or a real-time phishing kit bypasses MFA.
How can I tell if my accounts are being targeted?
Watch for unexpected login alerts, MFA prompts you didn’t trigger, or password-reset emails you didn’t request. These often signal that someone is replaying a leaked password against your account.
Keep reading
More guides
-
What is a data breach? Types, causes and consequences
A data breach is any unauthorised access to data. Here’s how they happen, what gets exposed, and why leaked credentials cause the most damage.
Read guide -
What to do after a data breach: a step-by-step response
Found out you’re in a breach? Here’s the order to act in — from the leaked password to monitoring for what comes next.
Read guide