Security Guides

What Is Credential Stuffing? How Hackers Use Your Old Passwords Against You

Credential stuffing is one of the most common forms of account takeover — and it works by exploiting something millions of people do every day: reusing passwords. Here's how it works, why it's so effective, and how to stop it.

breached.news · 10 min read

Somewhere on the internet right now, an automated script is trying to log into your accounts. It's not guessing passwords randomly. It already has your password — or at least a password you used to use. It got that password from a data breach you probably forgot about, or one you never knew happened. It's trying that password, and variations of it, against your email, your bank, your streaming services, and your social media accounts. It's doing this at a rate of thousands of attempts per minute, across millions of accounts, simultaneously.

This is credential stuffing. It's not glamorous. It doesn't require sophisticated hacking skills. It works because of a behaviour so common that most people don't even recognise it as a risk: using the same password in more than one place.

What Credential Stuffing Actually Is

Credential stuffing is the automated use of stolen username-and-password combinations to break into accounts. The name comes from the process: attackers take a list of stolen credentials and "stuff" them into login forms across the web, hoping that some percentage of those credentials will work because the user has the same password on multiple services.

The raw material for these attacks is the accumulated output of years of data breaches. When a website is breached and its user database is stolen, that database typically contains email addresses and passwords. If the passwords weren't properly protected — and many aren't, or weren't — attackers can recover the actual password values. Those passwords then end up compiled into what the criminal underground calls "combo lists" or "credential stuffing lists": structured files containing millions or billions of email address/password pairs.

The scale of these lists is genuinely staggering. The largest known compilation, a dataset researchers dubbed "RockYou2024," was posted to a criminal forum in 2024 and contained nearly 10 billion unique plaintext password records accumulated from thousands of separate breaches. Even older compilations are enormous: the "Collection #1" dataset that emerged in 2019 contained approximately 773 million unique email addresses and more than 21 million unique passwords.

With a combo list in hand, running a credential stuffing attack is almost trivially easy. Freely available tools allow anyone with modest technical ability to automate login attempts at scale, rotating through IP addresses to avoid detection, solving CAPTCHAs automatically using AI or low-wage human labour, and logging which credential combinations result in successful logins.

How Combo Lists Are Built and Traded

The pipeline from data breach to credential stuffing attack involves several steps, and a surprisingly active underground economy.

When a site is breached, the stolen data is often shared or sold on criminal forums and markets. High-profile breaches attract buyers who specialise in "cracking" hashed passwords — the process of recovering the original password from its stored, scrambled form. Once cracked, those credentials are either used directly by the people who obtained them, or compiled and resold as part of larger lists.

Some criminal operators specialise entirely in building and maintaining combo lists. They aggregate stolen data from multiple sources, deduplicate it, verify which credentials are still active (sometimes by testing them in bulk against target services), and sell the verified lists at a premium. A list of "fresh" working credentials for a specific service — say, active Netflix accounts — commands significantly more money than a raw dump of old breach data.

There are also so-called "cracking communities" where participants collectively attack hashed password databases, sharing resources and computing power to crack passwords that individual actors couldn't recover alone. The results are then shared back to the community, further enriching the pool of available credentials.

Real Examples: Spotify, Netflix, and Beyond

Credential stuffing attacks on streaming services have been extensively documented, partly because the affected accounts have clear resale value — streaming account credentials are routinely sold for a few dollars each on criminal markets, giving the buyer access to a subscription that someone else is paying for.

In 2020, credential stuffing was identified as the likely cause of a wave of Spotify account takeovers in which users found their account details changed, their listening history altered, and premium access revoked. Spotify confirmed it had invalidated affected credentials and prompted password resets for impacted users. The company emphasised, accurately, that Spotify itself had not been breached — the credentials came from elsewhere. But the distinction was cold comfort to users who suddenly couldn't access music they'd been paying for.

Netflix has been a persistent target for the same reasons. Studies of criminal forums have found millions of Netflix account credentials for sale at any given time, mostly obtained through credential stuffing of accounts whose owners reused passwords from other breached services. Netflix's response has included anomaly detection on logins and more aggressive prompting for users to enable multi-factor authentication.

Beyond streaming, credential stuffing attacks have affected:

Online retail. Canadian Tire, Dunkin' Donuts, Chick-fil-A, and numerous other retailers have disclosed incidents where customer loyalty accounts were accessed through credential stuffing, allowing attackers to drain accumulated points or gift card balances.

Financial accounts. Credential stuffing against banking and investment platforms is particularly dangerous. In 2022, the investment platform Robinhood acknowledged that attackers had accessed customer accounts through credential stuffing, resulting in unauthorised transactions.

Email accounts. Gmail, Outlook, and Yahoo accounts are among the highest-value targets, because email access often allows attackers to reset passwords for other accounts — turning one compromised credential into access to an entire digital life.

Gaming. PlayStation Network accounts, Xbox accounts, and game-specific accounts with in-game currency or valuable items are frequently targeted.

Why Password Reuse Is Catastrophic

The fundamental vulnerability that credential stuffing exploits is password reuse — the practice of using the same password across multiple services. It's worth understanding exactly why this is so dangerous.

Imagine you created a Myspace account in 2008. You used the email address you still use today, and a password you've used dozens of times since. Myspace was breached in 2013, exposing 427 million account records. That breach eventually circulated through criminal markets. In 2018, a credential stuffing operator obtained a list containing your Myspace email and password.

They test it against your Gmail. It doesn't work — Google's login system detects the suspicious access pattern. They test it against your LinkedIn. It works, because you've used that same password since 2009 and never changed it after LinkedIn's 2012 breach. They log the working combination and move on. Someone buys that working LinkedIn credential for a few cents and uses it to scrape your professional contacts for phishing targets.

Meanwhile, they test it against your bank. You changed your banking password after a scare a few years ago, so it doesn't work. But they test it against a small retail site you joined in 2016 and forgot about. It works. That account has a saved credit card. Now there's a problem.

This chain of consequences — originating from a password you created for a social network that no longer meaningfully exists — is not hypothetical. It's how credential stuffing damages play out in practice, repeatedly, at scale.

Checking If Your Credentials Have Been Leaked

The most practical first step for anyone concerned about credential stuffing is to check whether their email addresses and passwords have appeared in known breaches. The best free tool for this is HaveIBeenPwned (haveibeenpwned.com), created and maintained by Australian security researcher Troy Hunt.

HaveIBeenPwned (abbreviated HIBP) aggregates data from thousands of publicly known breaches and allows you to check whether your email address appears in any of them. The process is simple:

  1. Go to haveibeenpwned.com
  2. Enter your email address in the search field
  3. The site returns a list of any breaches in which that email appeared, along with what data was exposed in each breach

If your email appears in results, note which breaches are listed and what data types were exposed. A breach that exposed only email addresses is less immediately dangerous than one that exposed passwords. If passwords were exposed, you should assume that password is compromised and change it everywhere you've used it.

HIBP also has a passwords feature at haveibeenpwned.com/passwords where you can check whether a specific password has appeared in known breach data. The site uses a technique called k-anonymity to check this without transmitting your actual password to the server — only a partial hash is sent, protecting your privacy. If your password appears in the results, it's in criminal combo lists and should be considered compromised regardless of whether your specific account was breached.

You can also subscribe to breach notifications on HIBP, which will send you an email alert if your address appears in new breaches as they're added to the database.
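To make the k-anonymity mechanism concrete, here is an added example (written for this article, not code from HaveIBeenPwned or from the original page) of how a client performs the Pwned Passwords check. It assumes the public range endpoint at api.pwnedpasswords.com/range/, which takes the first five hex characters of the password's SHA-1 hash and returns a list of "SUFFIX:COUNT" lines; the remaining 35 characters of the hash are compared locally and never leave the machine. The sample response and its counts are constructed for the demo so the code runs offline; only the first suffix is the real SHA-1 suffix of the word "password".

```python
from __future__ import annotations

import hashlib
import urllib.request

# Public HIBP range endpoint (real URL); only the 5-char hash prefix is appended to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the 5-char prefix
    that is sent to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def match_suffix(suffix: str, counts: dict[str, int]) -> int:
    """Look the local suffix up in the returned range; 0 means not present in breach data."""
    return counts.get(suffix.upper(), 0)


def fetch_range(prefix: str) -> str:
    """Network call to HIBP for one prefix (not used by the offline demo below)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "k-anonymity-demo"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in breach data (0 = not found).
    `fetch` is injectable so the logic can be exercised without network access."""
    prefix, suffix = split_sha1(password)
    return match_suffix(suffix, parse_range_response(fetch(prefix)))


# Constructed stand-in for the server's response to prefix 5BAA6. The first line is
# the real SHA-1 suffix of "password"; the counts and the second line are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # swap in fetch_range for a live check
    print("password ->", pwned_count("password", fetch=offline))
    print("correct horse battery staple ->",
          pwned_count("correct horse battery staple", fetch=offline))
```

The privacy property comes from the split: every response covers hundreds of real suffixes sharing the same five-character prefix, so the server learns only that the client's password hash starts with those characters, not which one it is.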

The Step-by-Step Protection Guide

Understanding credential stuffing is the first step. The following actions will materially reduce your risk.

Step 1: Use a Unique Password for Every Account

This is the single most important change you can make. If every account has a different password, a credential stuffing attack using credentials from one breach cannot access your other accounts. The damage is contained to the one service that was breached.

The obvious objection is that remembering dozens of unique, strong passwords is impossible. It is, if you try to do it in your head. That's why password managers exist — they remember your passwords so you don't have to. You only need to remember one strong master password. We've reviewed the leading options in our guide to the best password managers.

Step 2: Use Long, Random Passwords

When you create a new password using a password manager, use the generator rather than creating one yourself. A 20-character random password like m7#Kp2!wQsL9$vRn4@xZ is essentially impossible to crack through brute force and won't appear in any breach database. Human-chosen passwords, even ones that feel complex, tend to follow predictable patterns that make them more vulnerable.
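As an added illustration (not code from the original article or from any particular password manager), this is how a generator of the kind described above works in principle, together with the arithmetic behind "essentially impossible to crack". It assumes a 72-symbol alphabet of letters, digits and ten punctuation characters, draws each character with the operating system's cryptographic random source via Python's `secrets` module, and uses an assumed guessing rate of 10^11 attempts per second to express the search space as a number of years.

```python
import math
import secrets
import string

# Assumed alphabet for the demo: 52 letters + 10 digits + 10 symbols = 72 characters.
SYMBOLS = "!@#$%^&*()"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Draw each character independently from ALPHABET using a cryptographic RNG.
    secrets.choice is the right primitive here; random.choice is not."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Human-chosen passwords have far less than this because their characters are not uniform."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Years needed to try every combination at the given rate.
    The rate is an assumed figure for this demo, not a measurement."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def strong_enough(password: str, min_bits: float = 100.0) -> bool:
    """Policy check a manager might apply to its own output: every character must come
    from the alphabet and the uniform-random entropy must clear the threshold."""
    if any(ch not in ALPHABET for ch in password):
        return False
    return entropy_bits(len(password)) >= min_bits


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    print(f"{pw}  ({bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust)")
    print("8-char random password:", f"{entropy_bits(8):.1f} bits,",
          f"~{years_to_exhaust(entropy_bits(8)):.2e} years")
```

The comparison at the bottom is the point of the exercise: twenty random characters from this alphabet give roughly 123 bits, while eight give under 50, which is why length matters more than any individual symbol choice.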

Step 3: Enable Multi-Factor Authentication Everywhere Possible

Multi-factor authentication (MFA) — where logging in requires both your password and a second verification step, like a code from an authenticator app or a hardware key — stops credential stuffing cold. Even if an attacker has your exact username and password, they can't complete login without the second factor.

MFA won't prevent every attack, but it raises the cost dramatically. Credential stuffing relies on automation: thousands of login attempts per minute. When MFA is required, automated stuffing becomes much harder and more expensive for attackers.

Prioritise MFA on your most important accounts: email, banking, and any account with payment information saved.

Step 4: Check Your Accounts on HaveIBeenPwned

Do this now, then set up breach notifications. Knowing that your credentials have appeared in a specific breach lets you take targeted action — changing passwords on the affected service and anywhere you might have reused that password.

Step 5: Watch for Signs of Account Compromise

Learn what account takeover looks like. Signs include: email notifications about login attempts you didn't make, unfamiliar devices appearing in your account's security settings, password reset emails you didn't request, and unexpected changes to your account details.

Most major services — Google, Apple, Facebook, Amazon — have security dashboards where you can see recent login activity and connected devices. Review these occasionally and remove anything you don't recognise.

Step 6: Use Unique Email Aliases for Different Services

Some password managers and email providers (Apple's iCloud, SimpleLogin, and others) offer email aliasing: you sign up for services using a unique email address that forwards to your real inbox. If that alias appears in a breach, you know exactly which service was compromised. You can disable the alias to stop spam. And your real email address remains clean.

This is an advanced technique, but it's genuinely valuable for understanding your exposure.

The Bigger Picture

Credential stuffing is possible because of the combination of widespread data breaches and widespread password reuse. Neither of those conditions is going away soon. The number of breached credentials in criminal circulation grows every year; as we covered in our deep dive on the 23andMe breach, even services that handle extremely sensitive data have been compromised.

Password reuse persists because creating and remembering unique passwords for every service is genuinely difficult without tooling to help. The long-term solution involves both better security tooling (password managers, passkeys, hardware authentication) and better security practices from the services that hold our data (proper password hashing, anomaly detection on logins, aggressive MFA prompting).
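The service-side "anomaly detection on logins" mentioned above rests on a simple observation: credential stuffing is automated, so one source produces many failed logins spread across many different usernames in a short window, whereas a real user who mistypes a password fails a few times against a single account. The following added example (written for this article, not code from any of the services named on the page) shows that detection run over a handful of constructed authentication log lines in an assumed `ts ip= user= result=` format, then lists the accounts that did log in successfully from a flagged source, which are the ones a service would invalidate and force through a password reset. The IP addresses are from the reserved documentation ranges and the thresholds are illustrative defaults.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format for the demo; real systems differ but carry the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source spraying one attempt per account (a stuffing pattern),
# one user retrying their own password, and one ordinary successful login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave@example.com result=OK
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.20 user=alice@example.com result=FAIL
2024-05-01T10:01:25Z ip=198.51.100.20 user=alice@example.com result=FAIL
2024-05-01T10:01:40Z ip=198.51.100.20 user=alice@example.com result=OK
2024-05-01T10:02:00Z ip=198.51.100.21 user=bob@example.com result=OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_log(text: str) -> list[dict]:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate_by_ip(events: list[dict]) -> dict[str, SourceStats]:
    """Count attempts, failures and distinct usernames per source address."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_attempts=5, min_distinct_users=5, min_failure_ratio=0.8):
    """Flag sources that hit many distinct accounts and mostly fail.
    A single user retrying their own account never reaches min_distinct_users."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_ratio": round(ratio, 2),
            }
    return flagged


def detect(text: str, **thresholds) -> dict:
    return flag_stuffing_sources(aggregate_by_ip(parse_log(text)), **thresholds)


def accounts_to_reset(text: str, **thresholds) -> set:
    """Accounts that logged in successfully from a flagged source: these credentials are
    confirmed to be in a working combo list and should be invalidated."""
    flagged = detect(text, **thresholds)
    return {e["user"] for e in parse_log(text) if e["ip"] in flagged and e["result"] == "OK"}


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(f"flagged {ip}: {info}")
    print("force password reset for:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The ratio threshold is what separates stuffing from a mass outage or a misconfigured client: a flood of failures from one address against one account is a lockout problem, while failures spread across many accounts from one address, with a small number of successes mixed in, is the signature of a combo list being replayed. Attackers who rotate addresses (as the article notes) defeat the per-IP grouping, which is why production systems also key the same statistics on device fingerprint, network block and the global failure rate.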

In the meantime, the most effective thing any individual can do is to break the link between breaches. One strong, unique password per account — stored in a password manager, protected by multi-factor authentication — means that a breach at one service doesn't become a breach everywhere. It's not a perfect system. But it transforms credential stuffing from a viable attack against you into a dead end.


Affiliate disclosure: Some links in this article are affiliate links. We may earn a small commission if you purchase through them, at no extra cost to you. Our recommendations are editorially independent.