Credential stuffing is the quiet workhorse of modern account takeover (ATO). While ransomware grabs headlines, attackers are running automated login campaigns around the clock, testing billions of username and password pairs harvested from breach data against every consumer and enterprise login endpoint on the internet. The attack is cheap, trivially scalable, and brutally effective because of one stubborn human habit: password reuse. This guide breaks down how credential stuffing works, why it keeps succeeding, and the defensive stack that actually stops it.
What Credential Stuffing Actually Is
Credential stuffing is a sub-technique of brute force, cataloged by MITRE ATT&CK as T1110.004. Instead of guessing passwords, attackers replay known valid username and password combinations—leaked from prior breaches—against unrelated services. The logic is simple: if a user's Netflix password leaked in a 2022 forum dump, there is a meaningful probability the same password unlocks their bank, corporate SSO, or cloud console.
It is important to distinguish credential stuffing from its cousin, credential spraying. Credential spraying takes one common password (Summer2024!, Welcome1) and tries it against many usernames, typically to evade account lockouts. Credential stuffing takes many specific username and password pairs and tries each one exactly once on the assumption that the pair is already valid somewhere. Both are automated, both drive ATO, and both are mitigated with overlapping controls—but defenders need to recognize the difference when reading logs.
Why Credential Stuffing Keeps Working
The attack persists because the economics favor the attacker at every step:
- Supply is infinite. Combolists circulating on Telegram, cracked forums, and stealer log marketplaces routinely contain billions of records. Revealer.US tracks more than 8.4 billion unique credential pairs across 400+ sources, and that pool grows every week.
- Password reuse is universal. Multiple large studies have found that 60 to 70 percent of users reuse passwords across at least one other account. For mid-tier consumer services, a well-curated combolist will have a hit rate of one to three percent—more than enough to make the campaign profitable.
- Bot infrastructure is cheap. Residential proxy networks rent rotating IPs for a few dollars per gigabyte. Headless browser frameworks solve basic JavaScript challenges. CAPTCHA-solving services clear reCAPTCHA for fractions of a cent.
- Monetization is instant. A verified account can be resold in hours on underground markets, drained of loyalty points, used to launder stolen cards, or pivoted into higher-value corporate systems.
The Role of Infostealers
A significant portion of modern credential stuffing fuel comes not from old SQL dumps but from fresh infostealer logs. Families like RedLine, Lumma, Vidar, and StealC siphon browser-stored passwords, session cookies, and autofill data from infected endpoints and publish them within hours. That means the credentials being stuffed against your login endpoint today may have been valid on the victim's machine this morning, bypassing the assumption that breach data is stale.
The Attacker Playbook Step by Step
Understanding the operational flow helps defenders know where to intervene. A typical credential stuffing campaign proceeds through six stages:
- Acquisition. The attacker buys or scrapes combolists from breach aggregators, Telegram channels, or stealer log shops. Lists are often tagged by country, service, or freshness.
- Curation. Raw combolists are deduplicated, filtered by target domain, and sometimes enriched with metadata like last-seen dates or associated cookies.
- Target selection. Attackers identify login endpoints with weak controls—legacy APIs, mobile app backends without bot protection, password reset flows, or OAuth token endpoints that skip CAPTCHAs.
- Infrastructure setup. Tools like OpenBullet, SilverBullet, and SentryMBA are configured with target-specific configuration files ("configs") that handle the target's authentication flow, including any JavaScript tokens or header quirks.
- Execution. The stuffer runs at controlled velocity, distributing requests across thousands of residential IPs to stay under rate limits and blend with legitimate traffic. Successful hits are written to a "hits" file.
- Exploitation. Verified accounts are cashed out, resold, or used as footholds. In enterprise contexts, a single hit on an employee SSO can cascade into full domain compromise.
MFA Bypass Techniques
Defenders sometimes assume multi-factor authentication renders credential stuffing obsolete. It does not. Modern ATO crews routinely bypass MFA using:
- Session cookie theft from infostealer logs, which skips the login entirely
- MFA fatigue (push bombing) until an exhausted user approves
- SIM swap to intercept SMS OTPs on high-value targets
- Adversary-in-the-middle phishing kits like Evilginx and Tycoon that proxy legitimate MFA prompts
- Help desk social engineering to reset MFA enrollment
MFA is necessary. It is not sufficient.
Detection Signals That Actually Catch It
Credential stuffing generates a recognizable fingerprint in authentication logs, but only if you know where to look. The most reliable signals are:
- Failed login velocity anomalies. A sustained spike in failed logins—especially across many distinct usernames—is the clearest indicator. Baseline normal failure rates per endpoint and alert on multi-sigma deviations.
- Geographic impossibility. Successful logins for the same account from two cities in quick succession, or a sudden shift in the geographic distribution of login traffic, both point to automation.
- User agent and TLS fingerprint entropy. Stuffing tools tend to either reuse a narrow set of user agents or cycle through implausible combinations. JA3 and JA4 TLS fingerprints often reveal headless browser frameworks.
- Timing patterns. Human logins cluster by time of day and regional activity. Bot traffic is flat and runs 24/7, often at machine-precise intervals.
- Success ratio shifts. A normal login endpoint has a failure rate of five to fifteen percent. A stuffing wave can push that to 90 percent or higher within minutes.
- Credential freshness correlation. When failed usernames correlate with accounts that recently appeared in breach data, you are almost certainly watching a stuffing campaign in progress.
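The signals above can be computed directly from authentication logs. The following is an added example, not code from the original article: it parses a constructed log, compares a current window against a baseline window for the failure-ratio shift, distinct-failed-username and machine-timing signals, and scans the whole log for impossible travel. The log format, the city coordinate table (standing in for a GeoIP lookup), the thresholds and every sample line are constructed assumptions; user-agent and JA3/JA4 analysis is left out because it needs data this toy log does not carry.

```python
"""Credential stuffing signals computed over constructed auth-log lines.
Added example, not code from the original article. The log format, the city
coordinate table (standing in for a GeoIP lookup), the thresholds and every
sample line are constructed assumptions."""
import math
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one attempt per line:
#   <ISO timestamp> <username> <source IP> <user agent> <OK|FAIL> <geo city>
# First six lines: ordinary traffic. Last six: a stuffing wave with many distinct
# usernames, one-second spacing, a scripted client, and one hit ("alice") from a
# city she cannot have reached since her earlier successful login.
SAMPLE_LOG = """\
2024-05-01T03:00:05Z alice 203.0.113.10 Mozilla/5.0 OK London
2024-05-01T03:00:48Z bob 198.51.100.7 Mozilla/5.0 FAIL Manchester
2024-05-01T03:01:33Z bob 198.51.100.7 Mozilla/5.0 OK Manchester
2024-05-01T03:02:21Z carol 203.0.113.55 Mozilla/5.0 OK Leeds
2024-05-01T03:03:09Z dave 203.0.113.80 Mozilla/5.0 OK Leeds
2024-05-01T03:04:50Z erin 198.51.100.30 Mozilla/5.0 OK London
2024-05-01T03:10:00Z u1001 192.0.2.1 python-requests/2.31 FAIL Dallas
2024-05-01T03:10:01Z u1002 192.0.2.2 python-requests/2.31 FAIL Dallas
2024-05-01T03:10:02Z u1003 192.0.2.3 python-requests/2.31 FAIL Dallas
2024-05-01T03:10:03Z u1004 192.0.2.4 python-requests/2.31 FAIL Dallas
2024-05-01T03:10:04Z u1005 192.0.2.5 python-requests/2.31 FAIL Dallas
2024-05-01T03:10:05Z alice 192.0.2.6 python-requests/2.31 OK Dallas
"""

# Constructed (lat, lon) table; a real pipeline would use a GeoIP database.
CITY_COORDS = {"London": (51.5074, -0.1278), "Manchester": (53.4808, -2.2426),
               "Leeds": (53.8008, -1.5491), "Dallas": (32.7767, -96.7970)}

Event = namedtuple("Event", "ts user ip ua ok city")


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, ua, result, city = line.split()
        events.append(Event(_t(ts), user, ip, ua, result == "OK", city))
    return events


def in_window(events, start, end):
    s, e = _t(start), _t(end)
    return [ev for ev in events if s <= ev.ts < e]


def failure_ratio(events):
    return sum(not ev.ok for ev in events) / len(events) if events else 0.0


def distinct_failed_users(events):
    return len({ev.user for ev in events if not ev.ok})


def interarrival_cv(events):
    """Coefficient of variation of gaps between attempts: bursty human traffic
    sits well above zero, a scripted run at a fixed interval sits near zero."""
    ts = sorted(ev.ts for ev in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return pstdev(gaps) / mean(gaps)


def _km(c1, c2):
    """Great-circle (haversine) distance between two cities in the table."""
    lat1, lon1 = map(math.radians, CITY_COORDS[c1])
    lat2, lon2 = map(math.radians, CITY_COORDS[c2])
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins on one account whose implied speed exceeds
    max_kmh (roughly an airliner). Returns (user, from_city, to_city) tuples."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev.ts):
        if ev.ok:
            by_user[ev.user].append(ev)
    flags = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            hours = (b.ts - a.ts).total_seconds() / 3600
            km = _km(a.city, b.city)
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                flags.append((user, a.city, b.city))
    return flags


def assess(log_text, baseline, window, ratio_jump=0.5, min_failed_users=5, cv_floor=0.2):
    """Raise the article's signals for `window` relative to `baseline` (both are
    (start, end) ISO strings); impossible travel is checked over the whole log."""
    events = parse(log_text)
    base, cur = in_window(events, *baseline), in_window(events, *window)
    return {
        "baseline_failure_ratio": round(failure_ratio(base), 3),
        "window_failure_ratio": round(failure_ratio(cur), 3),
        "failure_ratio_shift": failure_ratio(cur) - failure_ratio(base) >= ratio_jump,
        "many_failed_users": distinct_failed_users(cur) >= min_failed_users,
        "machine_timing": len(cur) >= 4 and interarrival_cv(cur) < cv_floor,
        "impossible_travel": impossible_travel(events),
    }
```

On the constructed log, `assess(SAMPLE_LOG, ("2024-05-01T03:00:00Z", "2024-05-01T03:05:00Z"), ("2024-05-01T03:10:00Z", "2024-05-01T03:11:00Z"))` reports the failure ratio jumping from roughly 17 percent to 83 percent, five distinct failed usernames, a timing coefficient of variation of zero for the wave, and alice flagged for London-to-Dallas in ten minutes. The thresholds are deliberately parameters: baseline them per endpoint, as the article says, rather than reusing these constructed values.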
The Defense Stack That Actually Stops ATO
No single control stops credential stuffing. The defense is layered, and each layer raises the attacker's cost until the campaign becomes unprofitable.
1. Eliminate Password Reuse at the Source
The root cause is users reusing breached passwords. Enforce a compromised-password check at registration and password change using a maintained breach corpus. Revealer.US continuously monitors for exposed credentials across 400+ sources, letting security teams block known-compromised passwords before they become a stuffing target.
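A compromised-password check has to be wired into registration and password-change flows, and it should not ship the full password hash to whoever holds the breach corpus. The following is an added example, not code from the original article or the vendor's API: a k-anonymity range query in the shape used by Have I Been Pwned's Pwned Passwords service (send the first five hex characters of the SHA-1, receive every suffix under that prefix, match locally), with both the corpus side and the checking side in one file. The corpus contents, counts and the `validate_new_password` policy hook are constructed assumptions.

```python
"""Compromised-password check via a k-anonymity range query over a breach corpus.
Added example, not code from the original article or the vendor's API. The corpus
is constructed; the query shape follows the Have I Been Pwned Pwned Passwords
design, so the checking side never reveals the full hash to the corpus holder."""
import hashlib

# Constructed breach corpus: password -> times seen in breach data. A real corpus
# holds only hashes; plaintexts appear here purely so the example reads clearly.
_CONSTRUCTED_CORPUS = {"Welcome1": 85021, "Summer2024!": 3117,
                       "password": 9545824, "letmein": 240114}

# Corpus holder's index: 5-hex-char SHA-1 prefix -> {35-char suffix: count}.
BREACH_INDEX = {}
for _pw, _n in _CONSTRUCTED_CORPUS.items():
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _n


def sha1_prefix(password):
    """The only password-derived value that leaves the checking side."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def range_lookup(prefix):
    """Corpus side: given a 5-hex-char prefix, return every known suffix under it.
    This call crosses the trust boundary, so its input is validated strictly."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def exposure_count(password):
    """Checking side: hash locally, query by prefix only, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def validate_new_password(password, min_len=8):
    """Policy hook for registration and password change (constructed): reject any
    password seen in breach data at all, not only the popular ones, since a
    single prior exposure is enough for it to appear in a combolist."""
    if len(password) < min_len:
        return False, "too short"
    seen = exposure_count(password)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"
```

The design choice worth noting is that `exposure_count` computes the full digest but hands `range_lookup` only the five-character prefix; the corpus holder learns that one of a few hundred candidate hashes was checked, not which one. In a real deployment `range_lookup` is an HTTPS call to the breach-monitoring provider and the suffix set it returns is cached, since the same prefixes recur constantly.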
2. Strong, Phishing-Resistant MFA
Deploy FIDO2 or WebAuthn wherever possible. Passkeys, hardware tokens, and platform authenticators are immune to replay, push bombing, and adversary-in-the-middle kits. Treat SMS OTP as a fallback, not a control.
3. Bot Management and Rate Limiting
Deploy a bot management solution that combines device fingerprinting, behavioral biometrics, and TLS fingerprinting. Enforce aggressive per-IP, per-ASN, and per-account rate limiting on all authentication endpoints—including mobile APIs, password reset, and OAuth token endpoints that are often forgotten.
4. Risk-Based Authentication
Score every login attempt on device reputation, geolocation, time of day, and network origin. Step up to MFA or deny outright on high-risk scores. This keeps friction low for legitimate users and cost high for attackers.
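Layers 3 and 4 are easiest to see together, because the limiter refuses the flood and the risk score decides what happens to each request that gets through. The following is an added example, not code from the original article: a sliding-window limiter keyed on IP, ASN and account at the same time (so rotating residential IPs does not reset the per-account budget), feeding an additive risk score that returns ALLOW, STEP_UP or DENY. The limits, weights, thresholds, the profile for "alice" and the suspicious-ASN list are constructed assumptions; the same gate is meant to sit in front of login, password reset and token endpoints alike.

```python
"""Layered authentication gate: multi-dimension rate limiting plus risk scoring.
Added example, not code from the original article. Limits, weights, thresholds
and the sample contexts are constructed assumptions; a production gate would load
them from policy and enrich the context from real GeoIP/ASN data."""
from collections import defaultdict, deque

# Constructed limits per dimension: (max attempts, window in seconds). Every
# attempt is counted under all dimensions at once, so dodging one (new IP) does
# not reset another (same account).
LIMITS = {"ip": (20, 60), "asn": (200, 60), "account": (5, 60)}

# Constructed weights; ALLOW below 30, STEP_UP (require MFA) at 30-69, DENY at 70+.
WEIGHTS = {"unknown_device": 30, "new_country": 25, "off_hours": 10, "suspicious_asn": 35}
STEP_UP_AT, DENY_AT = 30, 70


class SlidingWindowLimiter:
    """Sliding-log limiter: keeps the timestamps of recent attempts per key."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.hits = defaultdict(deque)

    def record(self, dims, now):
        """Record one attempt under each given dimension; return the first
        dimension that is now over its limit, or None."""
        over = None
        for dim, value in dims.items():
            max_n, window = self.limits[dim]
            q = self.hits[(dim, value)]
            while q and q[0] <= now - window:   # drop attempts outside the window
                q.popleft()
            q.append(now)
            if len(q) > max_n and over is None:
                over = dim
        return over


def risk_score(ctx, profile, suspicious_asns):
    """Additive score from device reputation, geolocation, time of day, network origin."""
    reasons = []
    if ctx["device_id"] not in profile["devices"]:
        reasons.append("unknown_device")
    if ctx["country"] not in profile["countries"]:
        reasons.append("new_country")
    if not 6 <= ctx["local_hour"] < 23:
        reasons.append("off_hours")
    if ctx["asn"] in suspicious_asns:
        reasons.append("suspicious_asn")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(limiter, ctx, profile, suspicious_asns, now):
    """Return (decision, reasons). Limits are checked first so a flood is refused
    before any scoring or credential verification work is spent on it."""
    over = limiter.record({"ip": ctx["ip"], "asn": ctx["asn"], "account": ctx["account"]}, now)
    if over:
        return "DENY", [f"rate_limit:{over}"]
    score, reasons = risk_score(ctx, profile, suspicious_asns)
    if score >= DENY_AT:
        return "DENY", reasons
    if score >= STEP_UP_AT:
        return "STEP_UP", reasons
    return "ALLOW", reasons


# Constructed demo data: alice's known profile and an ASN flagged as proxy/hosting space.
ALICE = {"devices": {"dev-a"}, "countries": {"GB"}}
SUSPICIOUS_ASNS = {"AS64500"}


def demo():
    """Run four constructed scenarios through one gate and return the outcomes."""
    lim = SlidingWindowLimiter()
    usual = {"account": "alice", "device_id": "dev-a", "country": "GB",
             "local_hour": 14, "ip": "203.0.113.10", "asn": "AS64496"}
    new_device = dict(usual, device_id="dev-x")
    risky = dict(usual, device_id="dev-x", country="US", local_hour=3, asn="AS64500")
    # Six attempts on one account inside a minute from six different IPs: the
    # sixth trips the per-account limit no matter how the attacker rotates IPs.
    flood = [decide(lim, dict(usual, account="bob", ip=f"192.0.2.{i}"),
                    ALICE, SUSPICIOUS_ASNS, 2000.0 + i) for i in range(6)]
    return {
        "usual": decide(lim, usual, ALICE, SUSPICIOUS_ASNS, 1000.0),
        "new_device": decide(lim, new_device, ALICE, SUSPICIOUS_ASNS, 1001.0),
        "risky": decide(lim, risky, ALICE, SUSPICIOUS_ASNS, 1002.0),
        "sixth_on_account": flood[-1],
    }
```

The limiter takes `now` as a parameter rather than reading the clock so that policy can be tested deterministically; in production the per-key deques would live in a shared store such as Redis so that every login node sees the same counts. Note that the per-account limit is the one that matters most against stuffing: per-IP limits alone are exactly what residential proxy rotation is rented to defeat.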
5. Credential Exposure Monitoring
Subscribe to a breach monitoring feed that ingests stealer logs and combolists in near real time. When an employee or customer credential surfaces in the wild, force a password reset before the credential gets weaponized. This closes the window between breach and exploitation from weeks to hours.
6. Account Takeover Response Playbook
When ATO succeeds despite defenses, speed matters. Pre-build a runbook that covers session invalidation, password reset enforcement, customer notification, fraud reversal, and forensics. Rehearse it. The difference between a minor incident and a headline breach is usually measured in hours.
Conclusion
Credential stuffing is not going away. As long as breach data flows freely and users reuse passwords, automated ATO will remain the cheapest path into accounts. But the attack is also one of the most defendable threats in the modern stack—provided defenders layer controls correctly, monitor for credential exposure, and treat MFA as a floor rather than a ceiling.
The organizations that lose to credential stuffing are almost always the ones that treated it as a bot problem instead of an identity problem. Fix the identity layer, starve the attack of reusable credentials, and the stuffers will move on to easier targets.
Want to shut down credential stuffing and account takeover before they hit production? Start a free trial of Revealer.US and monitor your workforce and customer credentials across 8.4 billion exposed records.