What is credential stuffing?

Credential stuffing is an automated attack that takes email-and-password pairs from data breaches (available in bulk on dark web markets) and tests them against other services. Because most people reuse passwords, a breach of one site frequently exposes accounts on many others. Attackers run stuffing attacks against banks, email providers, streaming services, and e-commerce sites using residential proxy networks to bypass IP-based rate limiting.

How does phishing differ from credential stuffing?

Credential stuffing uses credentials the attacker already has from breaches. Phishing actively collects new credentials by deceiving users into entering them on fake sites. Stuffing is automated and scale-dependent — it succeeds because of password reuse. Phishing is often targeted and succeeds because of deception. Both ultimately result in account takeover, but they require different defences.

What single defence works against both attacks?

Unique, randomly generated passwords for every account — stored in a password manager — is the primary defence against both. Against credential stuffing: a unique password means that even if one site is breached, no other account is affected. Against phishing: a password manager will not autofill credentials on a phishing domain, providing an automatic alert. The combination of unique passwords plus FIDO2 MFA provides near-complete protection against both attack types.

How do I know if my credentials have been used in credential stuffing?

Check your email address at HaveIBeenPwned.com — this service aggregates known breach datasets and will show you which breaches your email appeared in. If your email appears in a breach, change the password on that site and on any other site where you used the same password. Enable notifications on HIBP to be alerted to future breaches. Many password managers also include breach monitoring as a built-in feature.

Can two-factor authentication stop credential stuffing?

Yes and no. TOTP and SMS MFA stop most automated credential stuffing attacks because attackers cannot also provide the correct OTP at scale. However, some stuffing campaigns include a step that checks whether MFA is enabled and skip those accounts as not worth the effort — they have enough valid credentials from people without MFA. FIDO2/WebAuthn also stops phishing-sourced credential reuse. The combination of unique passwords and any form of MFA provides strong protection against stuffing.

Credential Stuffing vs Phishing: Understand Both Threats

Account takeover follows two primary paths: credential stuffing (using already-stolen credentials) and phishing (stealing new ones). They are distinct attacks with different mechanisms but often work together — phishing campaigns collect credentials that are then used in stuffing attacks, and stuffing success motivates attackers to phish for fresher credentials. Understanding both and the single primary defence against each is the foundation of practical account security.

How Credential Stuffing Works

Step 1: A site is breached and its user database is exfiltrated. Step 2: The breach data is sold or published on dark web forums. Step 3: Attackers acquire the data, extract email-password pairs, and run automated tools (OpenBullet, Sentry MBA, and similar) that test each pair against target services. Step 4: Successful logins are verified and monetised — account balances accessed, loyalty points drained, payment methods used, or account access sold.

The Verizon DBIR 2025 reports that credential stuffing and phishing together account for the majority of web application breaches. HaveIBeenPwned catalogues over 14 billion compromised credentials — this is the dataset attackers work from.

How Phishing Works (The Pipeline)

Phishing not only steals credentials — it feeds future stuffing campaigns. Credentials captured by phishing are highly valuable because they are fresh, verified (the user just entered them), and include accounts that may not appear in existing breach datasets. Phishing captures often include session cookies in addition to credentials, enabling immediate account access without requiring MFA.

The One Defence That Addresses Both

Attack	How unique passwords help	How MFA helps
Credential stuffing	A breach of Site A cannot compromise Site B if Site B has a unique password	Valid credentials plus MFA code required — stuffing tools cannot provide both at scale
Phishing	Password manager will not autofill on phishing domain — automatic alert	FIDO2 cannot authenticate on wrong domain. TOTP codes can still be forwarded.

Check your exposure: Visit HaveIBeenPwned.com and enter your email. Any breach result means you should change the password on that service immediately and check whether you used the same password elsewhere. Enable notifications for future breach alerts.

credential stuffing phishing account takeover breach HIBP password reuse

For informational purposes only. Phishing threats evolve constantly — always consult current NCSC, CISA, and your organisation's security team guidance for your specific environment.

← How to Inspect a URL Before Entering Your Passwo What to Do Immediately After a Phishing Attack →