How credential stuffing works
The attack is cheap, automated, and scales to billions of attempts. The pipeline looks like this:
- Acquire a combo list. Attackers buy or download “combolists” — huge files of email/username and password pairs aggregated from past breaches.
- Automate the replay. Bots submit each pair to login pages across hundreds of sites, rotating through proxies to dodge rate limits and IP blocks.
- Harvest the hits. Because password reuse is common, a small percentage of attempts succeed. Even a 0.1% success rate on a million-record list is a thousand hijacked accounts.
- Monetize. Valid accounts are drained, resold, used for fraud, or mined for more personal data to fuel the next attack.
Crucially, credential stuffing is different from a brute-force attack. Brute force guesses passwords blindly; credential stuffing replays passwords that are already known to be real — which is why it works so well.
Why it succeeds so often
The attack exists because of one human habit: password reuse. Surveys consistently find that most people reuse passwords across multiple accounts, and many reuse a single password across dozens. Every reused password is a shared key — break one lock and you’ve opened them all. Attackers don’t need to defeat a site’s security if the front door opens with a password the user handed them via an unrelated breach years ago.
Real-world impact
Credential-stuffing campaigns have hit streaming services, food-delivery apps, retail loyalty programs, and financial platforms — anywhere accounts hold stored value, payment methods, or personal data. Victims often discover the intrusion only when they see unfamiliar orders, drained balances, or a lockout notice. Because the attacker used your real password, the login looks legitimate, which is why these takeovers can go unnoticed for weeks.