What is credential stuffing?
An automated attack in which the attacker replays username/password pairs leaked from other breaches against your login endpoint. It works because users reuse passwords across services. It is detected by anomalies in login-attempt volume, failure rate, or success rate.
Full explanation
Credential stuffing is one of the most common automated attacks against web applications. The attacker feeds a list of leaked email/password pairs (sourced from breaches of OTHER services) into your login endpoint at high volume; users who reuse passwords across services see their accounts compromised. The defense is layered: rate limiting on login attempts, MFA enforcement, anomaly detection on login success patterns, and password-reuse warnings on signup. WebAuthn / passkeys are structurally immune (no shared secret to leak).
Example
Attack from a botnet of 10,000 IPs each attempting 5-10 logins per minute against your /api/login endpoint. Each request looks like a legitimate user — the volume is what makes it credential stuffing. Defense: rate limit by IP + by email + by global volume; flag any sudden spike in successful logins; require MFA on accounts that show login from new geo/IP.
FAQ
Is rate limiting by IP enough?
No — modern credential-stuffing botnets use residential proxies that rotate IPs every few requests. Layer defenses: per-IP rate limit + per-email rate limit + global success-rate anomaly detection + MFA enforcement on suspicious logins. WebAuthn / passkeys eliminate the underlying shared-secret problem.
How do I know if I'm being credential-stuffed?
Sudden spike in login attempts, unusually high failure rate, login successes from geo/IP combinations not seen before for that user, password-reset requests at high volume. Application logs + a dashboard on login metrics catch most cases. Securie's L13 SDP correlates these patterns post-event.
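The layered defense described in the Example and the detection signals listed in this answer, combined into one runnable illustration. This is an added example, not code from the original page or from Securie: a framework-agnostic sketch with sliding-window counters for per-IP and per-email rate limiting, global failure-rate and success-spike checks over the same window, and step-up MFA when a correct password arrives from a geo the account has never used. All IPs, emails, timestamps, thresholds and the success baseline are constructed or assumed values.

```python
"""Layered credential-stuffing defense (added illustration, all inputs constructed):
per-IP and per-email sliding-window limits, global failure-rate and success-spike
anomaly checks, and step-up MFA on a correct password from a never-seen geo."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: float       # seconds (constructed)
    ip: str         # source IP (constructed)
    email: str      # account the attempt targets (constructed)
    success: bool   # did the password check pass?
    geo: str        # coarse geolocation of the source IP (constructed label)


class SlidingCounter:
    """Counts events per key within a trailing time window (assumed helper)."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self._events = defaultdict(deque)

    def count(self, key: str, ts: float) -> int:
        q = self._events[key]
        while q and q[0] <= ts - self.window_s:   # drop expired timestamps
            q.popleft()
        return len(q)

    def add(self, key: str, ts: float) -> int:
        self._events[key].append(ts)
        return self.count(key, ts)


class LoginDefense:
    def __init__(self, *, window_s=60.0, ip_limit=10, email_limit=5,
                 baseline_successes=20, spike_ratio=3.0,
                 min_attempts=50, failure_rate_threshold=0.8):
        self.ip_attempts = SlidingCounter(window_s)
        self.email_attempts = SlidingCounter(window_s)
        self.global_attempts = SlidingCounter(window_s)
        self.global_successes = SlidingCounter(window_s)
        self.ip_limit, self.email_limit = ip_limit, email_limit
        # baseline_successes: successful logins per window under normal load;
        # an operator derives it from history (assumed value here)
        self.baseline_successes, self.spike_ratio = baseline_successes, spike_ratio
        self.min_attempts = min_attempts
        self.failure_rate_threshold = failure_rate_threshold
        self.known_geos = defaultdict(set)   # email -> geos of prior trusted logins

    def record_trusted_login(self, email: str, geo: str) -> None:
        """Remember a geo once the user has completed MFA from it."""
        self.known_geos[email].add(geo)

    def evaluate(self, ev: LoginEvent) -> list[str]:
        """Return the actions/alerts one login attempt triggers, in order."""
        actions = []
        # 1. Per-email catches rotating proxies hammering one account;
        #    per-IP catches a single noisy source. Both reject before auth.
        if self.ip_attempts.add(ev.ip, ev.ts) > self.ip_limit:
            actions.append("block_ip")
        if self.email_attempts.add(ev.email, ev.ts) > self.email_limit:
            actions.append("block_email")
        if actions:
            return actions
        # 2. Global metrics over the window: a stuffing wave shows up as an
        #    unusual failure rate and, where reuse pays off, a success spike.
        attempts = self.global_attempts.add("all", ev.ts)
        successes = (self.global_successes.add("all", ev.ts) if ev.success
                     else self.global_successes.count("all", ev.ts))
        failures = attempts - successes
        if attempts >= self.min_attempts and failures / attempts > self.failure_rate_threshold:
            actions.append("alert_failure_rate")
        if successes > self.spike_ratio * self.baseline_successes:
            actions.append("alert_success_spike")
        # 3. Step-up: a correct password from a never-seen geo is not enough.
        if ev.success and ev.geo not in self.known_geos[ev.email]:
            actions.append("require_mfa")
        return actions


def simulate_stuffing_wave() -> Counter:
    """Constructed scenario: 30 proxy IPs, one leaked pair each, one attempt
    per second; three pairs hit accounts whose owners reused the password."""
    d = LoginDefense(baseline_successes=1, spike_ratio=2.0, min_attempts=20)
    d.record_trusted_login("user3@example.com", "DE")   # victim's usual geo
    tally = Counter()
    for i in range(30):
        ev = LoginEvent(ts=float(i), ip=f"203.0.113.{i}", email=f"user{i}@example.com",
                        success=i in (3, 17, 25), geo="NL")
        tally.update(d.evaluate(ev))
    return tally


def simulate_single_ip_burst() -> Counter:
    """Constructed scenario: one IP tries 15 passwords against one account."""
    d = LoginDefense()
    tally = Counter()
    for i in range(15):
        ev = LoginEvent(ts=1000.0 + i, ip="198.51.100.7",
                        email="target@example.com", success=False, geo="US")
        tally.update(d.evaluate(ev))
    return tally


if __name__ == "__main__":
    print("stuffing wave:", dict(simulate_stuffing_wave()))
    print("single-IP burst:", dict(simulate_single_ip_burst()))
```

The two scenarios show why a single control is not enough: the distributed wave never trips either rate limit (one attempt per IP, one per email), and is caught only by the global failure-rate and success-spike checks plus the step-up MFA on the three successes, while the single-source burst is stopped by the per-email limit well before the per-IP limit engages.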