Credential stuffing is the automated attack that takes a list of leaked username-password pairs from one breach and tries them against thousands of other services. It rests on the assumption that users reuse passwords across sites, which holds for the majority of internet users. The attack is industrialized: tooling such as Sentry MBA and OpenBullet runs distributed campaigns through proxy networks, and although the success rate per attempted credential is small (typically 0.1 to 2%), the volume turns that small rate into industrial output.
What it means in practice
The economics work because the breach corpus is permanent: a credential leaked in the 2012 LinkedIn breach still works against every account where the user reused the password and never rotated it. Modern credential-stuffing operators run continuous campaigns: feed in the latest breach corpus, run it against the major services (Netflix, Spotify, banking, crypto exchanges, social media), then monetize the successful logins (account-takeover sales, gift-card resale, financial fraud, unauthorized service access). The defenses on the service side (rate limiting, captcha, unusual-login detection) reduce the success rate but do not stop the attack; the user-side defense (a unique password per site) breaks the attack model entirely, because the breach corpus then does not contain the password for the next service.
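The service-side "unusual-login detection" mentioned above usually comes down to per-source statistics: a credential-stuffing source tries many distinct usernames, fails almost all of them, and occasionally succeeds, while a password brute-force hammers one username and a normal client touches one or two accounts. The following example, added here and not taken from the article, runs that per-IP classification over a constructed authentication log (documentation-range addresses, made-up usernames) and lists the accounts that logged in successfully from a source flagged as stuffing, which is the list an incident responder would want to force-reset first. The log format and the thresholds are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). 203.0.113.7 sprays ten
# different usernames with one success, 198.51.100.9 hits one user repeatedly,
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=success
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=ivan result=fail
2024-05-01T10:00:06Z ip=203.0.113.7 user=judy result=fail
2024-05-01T10:01:10Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:01:20Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:01:30Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:01:40Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:01:50Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:02:00Z ip=198.51.100.9 user=alice result=fail
2024-05-01T10:05:00Z ip=192.0.2.44 user=mallory result=fail
2024-05-01T10:05:10Z ip=192.0.2.44 user=mallory result=success
"""

# Assumed log line shape: "<timestamp> ip=<addr> user=<name> result=<success|fail>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return a list of event dicts, silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events):
    """Aggregate attempts, failures, successes and the distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "successes": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "success":
            s["successes"] += 1
        else:
            s["failures"] += 1
    return stats


def classify_ip(s, min_attempts=5, min_distinct_users=5, min_failure_ratio=0.8):
    """Label one source: many users + mostly failures = stuffing; one user + failures = brute force."""
    if s["attempts"] < min_attempts:
        return "normal"
    if s["failures"] / s["attempts"] < min_failure_ratio:
        return "normal"
    if len(s["users"]) >= min_distinct_users:
        return "credential_stuffing"
    if len(s["users"]) == 1:
        return "brute_force"
    return "suspicious"


def detect(text, **thresholds):
    """Map each source IP in the log to its verdict."""
    stats = summarize_by_ip(parse_log(text))
    return {ip: classify_ip(s, **thresholds) for ip, s in stats.items()}


def compromised_accounts(text):
    """Accounts that logged in successfully from a source flagged as credential stuffing."""
    events = parse_log(text)
    verdicts = detect(text)
    return sorted(
        {e["user"] for e in events
         if e["result"] == "success" and verdicts[e["ip"]] == "credential_stuffing"}
    )


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
    print("force-reset:", compromised_accounts(SAMPLE_LOG))
```

The point of separating `classify_ip` from the aggregation is that the same counters drive the response: a stuffing verdict should trigger a password reset and session revocation for the accounts it succeeded against, while a brute-force verdict calls for lockout or step-up on the single targeted account. Proxy rotation spreads a real campaign across many IPs, so in production the same counters are usually also keyed by ASN, user-agent fingerprint or a short time window.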
Who is targeted, and by whom
Targets: every consumer-facing service with a login. The accounts actually compromised are those whose owners reused a password. Operators range from low-skill cybercrime crews running off-the-shelf credential-stuffing kits (the bulk of attempts), to organized crime groups running specialized campaigns against high-value services (banking, crypto exchanges, brokerages), to state-aligned actors using credential stuffing as the initial-access stage of broader operations. The Verizon DBIR consistently ranks credential-related compromise (stuffing plus phishing plus stolen secrets) as the dominant initial-access vector across multiple years; the persistence of the breach corpus is what keeps credential stuffing effective long after the individual breaches.
What you can change today
Three actions, 60 minutes. First, audit your password reuse via your password manager’s breach-monitoring feature (1Password Watchtower, Bitwarden Reports, Proton Pass Pass Monitor) or via haveibeenpwned.com’s Pwned Passwords API; the report shows which credentials are reused, breached, or weak. Second, rotate the top 10 to 20 highest-leverage accounts (primary email, financial, password manager, social media that hosts your audience) to unique 20-character random passwords generated by the manager. Third, enable hardware-key 2FA where possible on those same accounts; even if a password leaks in a future breach, the second factor structurally blocks the credential-stuffing attempt.
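The first action above, the reuse-and-breach audit, is what the password managers' reports do under the hood, and the Pwned Passwords API makes it easy to reproduce over an exported vault without ever sending a password off the machine: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and matches the remaining 35 characters locally against the `SUFFIX:COUNT` lines that come back (k-anonymity). The example below is added here and is not part of the article or of any password manager's code. The vault entries and the offline stand-in for the range endpoint are constructed; the only real values are the endpoint URL and the SHA-1 of the string "password", whose hit count in the fake response is made up.

```python
import hashlib
import urllib.request
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real network fetcher; not called by the offline demo below."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "vault-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus; only the 5-char prefix leaves the host."""
    prefix, suffix = sha1_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def audit_vault(entries, fetch_range):
    """entries: iterable of (site, username, password). Reports reused and breached passwords."""
    by_password = defaultdict(list)
    for site, _user, pw in entries:
        by_password[pw].append(site)
    reused = {site for sites in by_password.values() if len(sites) > 1 for site in sites}
    breached = {}
    for pw, sites in by_password.items():  # one lookup per distinct password, not per site
        n = pwned_count(pw, fetch_range)
        if n:
            for site in sites:
                breached[site] = n
    return {"reused": sorted(reused), "breached": breached}


# Constructed offline stand-in for the range endpoint. The second suffix is
# SHA-1("password") minus its first five characters; the first suffix and both
# counts are made up for the demo.
FAKE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


# Constructed vault export: one password reused across mail and bank, one unique.
SAMPLE_VAULT = [
    ("mail.example", "alice", "password"),
    ("bank.example", "alice", "password"),
    ("forum.example", "alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT, fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_live` to run it against the real endpoint; `fetch_range` is passed in as a parameter precisely so the matching logic can be tested without network access. The `reused` list is the one that matters most for credential stuffing, because a reused password that is not yet in any public corpus will be the moment the next breach lands.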
