What is credential stuffing?

Credential stuffing is an automated attack that takes username/password pairs stolen from one company's data breach and tries them, at massive scale, against the login page of a completely different, unrelated site. It works only when someone reused the same password on both — no hacking of your target site required, no guessing, just testing pairs that are already known to be real.

How it actually works

Attackers load a "combo list" — a file of stolen email/password pairs pulled from past, unrelated data breaches — into automated tools built specifically for this purpose (Sentry MBA and OpenBullet are the two most commonly cited in security research). The tool submits each pair to a target site's login form, routing requests through thousands of rotating residential proxy IPs and randomized browser fingerprints so no single IP or device looks suspicious. Any pair that successfully logs in gets flagged as a hit and harvested for whatever's in that account.

Credential stuffing vs. brute force vs. password spraying

These three get conflated constantly, and the difference is the whole point. Brute force tries every possible character combination against one account — no stolen data involved, just guessing. Password spraying tries a small list of common passwords ("Password123", "Summer2024") against many accounts, to avoid lockouts triggered by repeated failed attempts on one account. Credential stuffing is neither guessing nor brute forcing — every pair it tries is a real, previously valid password, just for a different site. That's what makes it so effective despite requiring no cleverness at all.

Why a 0.2% success rate still breaks companies

Security researchers consistently cite a credential stuffing success rate between 0.2% and 2% — meaning 98–99.8% of attempts fail outright. That sounds like a non-threat until you factor in volume: a combo list with 10 million stolen pairs tested against a single site, even at a 0.2% hit rate, yields 20,000 working logins. Combo lists in circulation today run into the billions of entries, compiled from over a decade of accumulated breaches — one analysis of 19 billion leaked passwords found 94% were reused or duplicated across different accounts, which is the exact condition credential stuffing depends on to work at all.

The 23andMe case: 14,000 stolen logins turned into 6.9 million exposed profiles

This is the clearest real-world example of why credential stuffing is dangerous even when the target company's own systems were never actually breached. Starting April 29, 2023 and continuing for roughly five months, an attacker fed stolen username/password pairs from older, unrelated breaches into 23andMe's login page. 23andMe's own systems were never compromised — every successful login was a real account whose owner had reused a password exposed somewhere else.

The attacker directly compromised approximately 14,000 accounts this way — under 0.1% of 23andMe's user base. The damage multiplied from there because of a specific product feature: 23andMe's opt-in "DNA Relatives" tool let each compromised account see genetic and profile data belonging to other users who'd connected with them, which turned 14,000 stolen logins into roughly 6.9 million exposed profiles — including ancestry data, birth years, and geographic locations. 23andMe didn't discover the breach internally; it found out in October 2023 when stolen data appeared for sale on a hacking forum, despite an internal team having dismissed an unusual spike in account activity as an isolated incident two months earlier. The company filed for Chapter 11 bankruptcy in March 2025, with the breach cited as a contributing factor in the fallout that followed.

The lesson isn't "genetic data is uniquely risky." It's that credential stuffing's damage is often capped not by the number of stolen passwords that work, but by whatever a compromised account can see or reach once an attacker is inside it. A feature that links accounts together turns a small number of successful logins into a much larger breach.

How sites actually defend against it

DefenseWhat it does
Breached-password screeningChecks new and existing passwords against known-breach databases (the approach NIST SP 800-63B recommends) and blocks or forces a reset for any match
Rate limiting + behavioral analysisFlags patterns beyond just request volume — timing, device fingerprint consistency, and login velocity across accounts, since attackers route around simple per-IP limits
CAPTCHA / proof-of-work challengesAdds friction that's cheap for a real human but expensive to solve at the scale automated tools operate at
Mandatory MFAMakes a correctly-guessed password insufficient on its own — 23andMe didn't require this at the time of its breach and made it mandatory immediately afterward

How to protect your own accounts

Is credential stuffing the same thing as a data breach?

No — it's what happens after one. A data breach is the original theft of usernames and passwords from some company's database. Credential stuffing is a separate, later attack that takes those already-stolen credentials and tests them against a completely different, unrelated site, betting that some victims reused the same password.

How do attackers get billions of stolen credentials to test in the first place?

From combo lists — compiled files of email/password pairs pulled from years of unrelated data breaches, traded and sold on criminal marketplaces and forums like BreachForums. Some lists in circulation contain tens of billions of credential pairs, aggregated from hundreds of separate breaches going back over a decade.

Does a strong, unique password fully protect me from credential stuffing?

Yes, functionally. Credential stuffing only works when a password an attacker already has matches the password on the account being targeted. A password that has never been reused anywhere else has no combo list it could appear on, which makes this specific attack a non-issue for that account — regardless of how "strong" the password looks.

Can rate limiting alone stop credential stuffing?

Not against a serious attacker. Basic rate limiting blocks one IP address making rapid attempts, but credential stuffing tools route attempts through thousands of residential proxy IPs and rotate device fingerprints, making each individual attempt look like an unrelated, ordinary login from a different real user. Effective defenses combine rate limiting with behavioral analysis and known-breached-password screening, not rate limiting alone.

Do passkeys eliminate credential stuffing risk entirely?

Yes, structurally. Credential stuffing depends on a password existing to be stolen, reused, and tested. A passkey replaces the password with a cryptographic key pair tied to your device — there's no shared secret sitting in a breached database anywhere for an attacker to feed into a combo list. An account secured only by a passkey, with no password fallback enabled, cannot be credential-stuffed.