Credential Stuffing
An attack that takes usernames and passwords leaked from one breach and replays them against unrelated sites, exploiting password reuse.
Credential stuffing replays username/password pairs harvested from past data breaches against other services, betting that users reused the same credentials. Unlike brute force, the attacker is not guessing: every pair is known to have been valid somewhere, so each attempt carries a meaningful hit rate (commonly reported as roughly 0.1-2%, depending on the age of the list and the target's user base). It is automated with tools such as Sentry MBA against web login endpoints, mobile APIs, and IMAP, usually through rotating proxies so that no single IP sends enough attempts to trip a rate limit. Defences include MFA (the single most effective control, because a replayed password alone no longer suffices), screening new and reset passwords with the Have I Been Pwned Pwned Passwords API (its range endpoint is k-anonymous: only the first five hex characters of the password's SHA-1 hash leave your servers), device fingerprinting, IP reputation, and aggregate detection of low-and-slow patterns (many distinct usernames, one or two attempts each, spread over many IPs) that per-IP rate limits never see.
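Two of the defences above as runnable logic, added here as an example rather than taken from the original page or from any product: a k-anonymity breached-password check shaped like the HIBP Pwned Passwords range endpoint (`GET /range/{prefix}` returning `SUFFIX:COUNT` lines), and a detector that compares a naive per-IP failure threshold with a window-wide signal that survives IP rotation. The range-response body and the login log lines are constructed inline so the code runs offline; the thresholds (`threshold=5`, `min_failures=20`, `spread=0.8`) and the `ip=... user=... result=...` log format are assumptions chosen for the illustration.

```python
"""Added example: HIBP-style k-anonymity password screening plus low-and-slow
credential-stuffing detection over constructed login logs. Not from the page."""
import hashlib
import re
from collections import Counter


# ---- 1. Breached-password screening (Pwned Passwords range API shape) --------

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent to the API and
    the 35-char suffix that is compared locally. Upper-case hex, as the API
    returns it. The full hash never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(password: str, range_body: str) -> int:
    """Given the text body of GET /range/{prefix} (one 'SUFFIX:COUNT' per
    line), return how often the password was seen in breaches; 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, count = line.split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(*entries: tuple[str, int]) -> str:
    """Fake range response for this example (constructed, not real HIBP data).
    A real body only lists suffixes sharing one prefix; here we just need the
    suffix/count lines for the given (plaintext, count) pairs."""
    return "\n".join(f"{sha1_prefix_suffix(pw)[1]}:{n}" for pw, n in entries)


# ---- 2. Per-IP rate limit vs. window-wide stuffing signal --------------------

# Assumed log format: "ip=<addr> user=<name> result=ok|fail" (constructed).
LOG_LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed sample (not real data): one legitimate user mistyping her
# password twice, then a distributed run of 40 different usernames, one
# attempt each, every attempt from a different IP, all failing.
SAMPLE_LOG = [
    "ip=198.51.100.7 user=alice result=fail",
    "ip=198.51.100.7 user=alice result=fail",
    "ip=198.51.100.7 user=alice result=ok",
] + [f"ip=203.0.113.{n} user=user{n:03d}@example.com result=fail" for n in range(1, 41)]


def _failures(lines):
    return [m for m in map(LOG_LINE.search, lines) if m and m["result"] == "fail"]


def per_ip_offenders(lines, threshold=5):
    """Naive per-IP rate limit: flag IPs with >= threshold failed logins."""
    fails = Counter(m["ip"] for m in _failures(lines))
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def stuffing_signal(lines, min_failures=20, spread=0.8):
    """Window-wide signal: credential stuffing tries each harvested username
    about once and spreads attempts across many IPs, so both the
    distinct-user/failure and distinct-IP/failure ratios sit near 1.0, unlike
    a legitimate user retrying or a single-source brute force."""
    fails = _failures(lines)
    if len(fails) < min_failures:
        return {"suspicious": False, "failures": len(fails)}
    users = {m["user"] for m in fails}
    ips = {m["ip"] for m in fails}
    user_spread = len(users) / len(fails)
    ip_spread = len(ips) / len(fails)
    return {
        "suspicious": user_spread >= spread and ip_spread >= spread,
        "failures": len(fails),
        "distinct_users": len(users),
        "distinct_ips": len(ips),
    }


if __name__ == "__main__":
    body = constructed_range_body(("password", 123456), ("letmein", 10))
    print("password seen:", breach_count_from_range("password", body))
    print("per-IP offenders (threshold 5):", per_ip_offenders(SAMPLE_LOG))
    print("window signal:", stuffing_signal(SAMPLE_LOG))
```

Against the sample, the per-IP rule at threshold 5 flags nothing (no IP failed more than twice), while the window-wide signal reports 42 failures across 41 usernames and 41 IPs and marks the run suspicious; that gap is exactly the low-and-slow case the entry describes. In production the window signal should feed a step-up (MFA challenge, CAPTCHA) rather than a hard block, since a global threshold can also trip on a legitimate outage or password-reset wave.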
Referenced on
- At the /login or /signup boundary:
- Brute-force defense for wp-login.php
- DNS Hijacking Explained: How Attackers Take Control of Your Domain's Resolution
- Email Blacklist Checker
- How to Report Brute Force SSH and RDP Attacks: Log Evidence and Abuse Report Templates
- Port Scanner
- The Shrinking Perimeter: Common Service Exposure Across IPv4