Credential Stuffing: How One Breach Unlocks a Hundred Sites
somewhere out there is a website you forgot about. a forum you joined once, a shop you ordered from years ago, a service that quietly closed and never told you. you set a password there, and at some point that site got breached and your email and that password ended up on a list.
months or years later, someone you will never meet loads that list into a machine. it tries your email and that old password against your real inbox, and it opens. then it tries your bank, which uses the same password because you reused it, and that opens too. you did nothing wrong today. the mistake was made long ago, on a site you don’t even remember, and it just came due.
that is credential stuffing, one of the most common attacks on the internet and one almost nobody outside security has heard named. here is how a single breach somewhere turns into a stranger standing inside a hundred of your accounts.
what credential stuffing actually is
credential stuffing is exactly what it sounds like. attackers take a huge list of leaked username and password pairs and stuff them into the login form of some unrelated site to see which ones still work.
the key word is reuse. the attacker is not guessing. they already hold a real password that a real person really used somewhere, and they are betting that person used it in more than one place. over and over, that bet pays. this is what separates stuffing from old-fashioned password cracking. nothing is being broken. valid passwords are simply being tried in new doors.
where the lists come from
every few weeks a company gets breached and a database of accounts leaks. sometimes it’s a famous brand, sometimes a site you’ve never heard of. those records get traded, merged, and compiled into enormous combination lists, often called combo lists.
these are not small. some lists hold billions of email and password pairs, scraped together from hundreds of separate breaches over a decade. the password you set years ago doesn’t expire just because the company that lost it went quiet. and the lists keep getting richer, cleaned and deduplicated until what reaches an attacker is a curated product, sorted and ready to feed straight into a machine.
why password reuse is the whole game
a normal person has dozens, maybe hundreds, of online accounts. remembering a different password for every one feels impossible, so most people don’t. they pick a password they like, maybe with a small twist, and use it almost everywhere.
that single human habit is the entire foundation of the attack. if everyone used a unique password on every site, a breach at one company would stay contained to that company. the leak would be a local fire. reuse is what turns a local fire into a wildfire, because the same key now opens doors all over the internet.
the math that makes it worth it
the success rate of credential stuffing is tiny. on most sites, only a fraction of one percent of the credentials in a list will actually work. that sounds like failure, until you look at the size of the list.
if you try ten million leaked pairs against a site and one in a thousand still works, that is ten thousand live accounts from a single run against a single target. no encryption was broken. the attacker just typed in passwords that were already valid, at a scale no human could match.
and a live account has value. it might hold a saved card, a balance, loyalty points, or a mailbox full of reset links to everything else. accounts the attacker has no personal use for still get sorted and sold in bulk, a bank login worth more than a streaming login. at this volume, a rounding-error success rate still pays.
automation and hiding the bots
no person sits there typing passwords. the whole thing runs on software, bots that hit the login endpoint thousands of times a second, feeding in pair after pair and logging which ones come back successful. to the machine it’s just a loop: load a credential, send it, read the response, record the result, move on.
the harder problem isn’t trying passwords, it’s trying them without the pattern being obvious. a million login attempts from one computer gets blocked instantly, so the traffic gets scattered across thousands of different addresses, often residential ones that look like ordinary home connections. each address makes only a handful of attempts, so a flood of millions can be dressed up to look like a normal day of forgetful users.
what it looks like to the victim
from where you sit, there is no event. no alarm, no broken window. one day your account simply belongs to someone else, or worse, it still belongs to you and someone else is quietly inside it reading your mail.
the first sign is usually downstream. a charge you didn’t make. a reset email you didn’t request. a friend asking about a strange message from your account. this is why the email account matters more than any other. it isn’t just one account, it’s the recovery point for all the rest. control someone’s inbox and you can request resets for their bank, their shopping, their social accounts, and catch each link as it lands. one stuffed password on an email account can quietly become every account.
how defenders catch it
defenders are not blind. credential stuffing leaves a very particular signature once you know what to look for, and the whole defensive game is telling a bot working through a list apart from a real person logging in.
the cleanest tell is velocity and shape. one account, one device, a few attempts is human. ten thousand different accounts probed from the same patch of network in a few minutes, each tried exactly once, is not. a related signal is impossible travel: an account logging in from one city and then, ninety seconds later, from another country no human body could reach in that time. systems watch for those physically impossible jumps and flag the account for an extra check or a forced reset.
defenders also study how the request behaves. a real browser carries a thick trail of signals: screen size, fonts, timing, the imperfect rhythm of human typing. a bot script often arrives thin, too clean, too fast, repeating the same shape every time. device fingerprinting ties those signals into an identity for the machine itself, so when a thousand logins share one identical fingerprint, the site can see it’s really one actor wearing a thousand masks and block it everywhere at once.
one more move turns the attackers’ own data against them. with the same leaked-password lists, a security team can check whether their users hold a password that already appears in a known breach, and require a change before it can be stuffed elsewhere. some login systems do this the moment you sign in, comparing your password against billions of known leaked ones without ever seeing it in the clear.
the real circuit breaker
all of those defenses raise the cost and catch a great deal. but one control breaks the attack at its root, and it is multi factor authentication.
multi factor means a password alone is not enough. even with your exact, correct, leaked password in hand, the attacker hits a second wall: a code from your phone, a prompt on your device, a physical key. they have the right key and the door still won’t open, because the lock now asks for something they don’t have. attackers know this, so they sort their results and skip the accounts that ask for a second factor, because fighting that wall isn’t worth it when millions of softer targets sit in the same list. the attack flows around protection like water finding the cracks, and the accounts that get taken over are almost always the ones guarded by a password and nothing else.
the thread that unravels everything
step back and the shape is simple and a little unsettling. one habit, reusing a password. one forgotten site that leaks. out of those two ordinary things, a stranger can end up holding a hundred of your accounts, none of which they ever had to break into directly.
the password itself is never the real danger. the danger is the reuse, the invisible wire running from a forgotten forum to your email to your bank. so here is the protective version, and it is genuinely within your control. use a different password for every account that matters, especially your email, because your email is the master key that resets everything else. you cannot remember dozens of unique passwords, and you are not supposed to. that is what a password manager is for: it makes and stores a long unique password for every site so you never reuse one and never have to recall one. then turn on multi factor authentication everywhere it’s offered, starting with your email and your bank. that single setting is the circuit breaker that makes a leaked password just a dead password instead of an open door.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.