Credential Stuffing Attacks: What They Are and How to Stop Them

Learn how credential stuffing attacks work, why the 16 billion credential leak makes them more dangerous than ever, and how IT teams can protect corporate accounts.

Credential stuffing attacks have surged to crisis levels.

In mid-2025, researchers uncovered 16 billion stolen login credentials scattered across 30 exposed databases, the largest credential leak on record. Akamai tracked 26 billion credential stuffing attempts per month in 2024, and Check Point reported a 160% year-over-year increase in compromised credentials entering 2025.

For IT and security teams, understanding how these attacks work and what steps to take right now is no longer optional.

This guide breaks down the mechanics, highlights recent high-profile incidents, and lays out the defenses your organization needs.

What is credential stuffing?

Credential stuffing is a common hacking tactic that uses large sets of stolen usernames and passwords paired with automated software tools to gain unauthorized account access. Hackers methodically input combinations hoping to obtain a match with one or more user accounts, and reused passwords multiply their odds of success.

If you've ever forgotten your password and then tried plugging in other credentials, hoping to guess correctly, then you already understand the basic idea behind credential stuffing.

How credential stuffing works

A credential stuffing attack follows a highly organized and consistent set of actions that can eventually lead to a data breach, corporate espionage, or identity theft.

  • It starts with stolen passwords: Despite the stereotype of the lone hacker, a credential stuffing attack isn’t typically carried out by the same person or group who originally stole the usernames and passwords. Instead, an underground industry has evolved for the sale and purchase of credentials on the dark web. The market value of these stolen credentials varies, with online retail and financial accounts considered quite valuable.
  • Bots are used to enter credentials: Automated bots remain the engine behind credential stuffing attacks, but the tooling has evolved significantly. Open-source frameworks like OpenBullet 2 now support customizable attack configurations, residential proxy rotation, and CAPTCHA-solving services. Over 100 attack scripts were published between late 2024 and mid-2025, many designed to exploit API endpoints that lack the same protections as web login forms. These tools allow low-skill operators to test hundreds of thousands of credential pairs while staying below rate-limiting thresholds.

The credential stuffing domino effect

When a cybercriminal finds a match between stolen credentials and user accounts, they don't stop there.

Hackers are well aware that many passwords are reused. When stolen credentials can be used to unlock many accounts, it creates a domino effect that heightens the size and severity of a single data breach.

The 2024-2025 credential leak surge

The credential stuffing threat has escalated dramatically. Verizon's 2025 Data Breach Investigations Report found that stolen credentials drove 22% of all confirmed breaches, making credential-based attacks the single most common initial access vector.

Three developments are fueling this surge:

  • The 16 billion credential leak: In June 2025, Cybernews researchers discovered 30 exposed databases containing a combined 16 billion stolen login credentials, the largest credential compilation ever recorded. The data covered virtually every major online service, from Google and Apple to government platforms, and included fresh infostealer logs with active session tokens.
  • The infostealer malware epidemic: Unlike recycled breach data, infostealer malware families like RedLine, Raccoon, and Lumma harvest credentials directly from infected endpoints in real time. These logs include not just passwords but session cookies, autofill data, and browser-stored tokens, which can enable attackers to bypass MFA. Microsoft reported a single malvertising campaign in late 2024 that attempted to deploy infostealers on nearly one million devices.
  • 160% surge in compromised credentials: Check Point reported a 160% increase in compromised credentials in 2025 compared to the prior year. Infostealer logs and combo lists are now circulating freely on Telegram channels and dark web forums. The supply of weaponizable credentials is growing faster than most organizations can catch and replace them.

Examples of recent credential stuffing attacks

Credential stuffing attacks have hit organizations across every sector. These incidents show just how effective and widespread modern attacks have become:

  • Roku (2024): Two credential stuffing attacks hit Roku in March and April 2024, compromising 591,000 customer accounts total. Hackers used credentials stolen from unrelated breaches to log in, and roughly 400 accounts were used for unauthorized purchases. Roku responded by enabling 2FA across all accounts.
  • Okta (2024): In April 2024, Okta discovered its Customer Identity Cloud cross-origin authentication feature was being exploited in credential stuffing attacks. An unknown number of enterprise customers were affected. Okta issued guidance, including passkey adoption.
  • 23andMe (2023-2025): A 2023 credential stuffing attack using combo lists accessed 6.9 million customer records containing sensitive genetic data. The UK ICO fined 23andMe 2.31 million GBP for failing to require MFA. In March 2025, the company filed for bankruptcy, with the credential stuffing incident cited as a contributing factor. This is a cautionary tale for any organization that treats weak authentication as a minor gap.

How to detect credential stuffing attacks

Credential stuffing has some telltale signs that can be detected early when you're armed with advanced monitoring tools. Signals to keep an eye out for include:

  • Repeated login attempts. One way to prevent credential stuffing is by monitoring traffic for unusual login patterns. Automated attacks might be given away by an unusually high number of login attempts from multiple geographic locations or other behavior patterns associated with machine learning algorithms.
  • High login failure rates. Repetition and persistence are the keys to credential stuffing. Limiting the number of unsuccessful login attempts is a good way to separate human error and forgetfulness from malicious intent. NIST standards recommend lockout policies to limit the number of unsuccessful credential guesses.
  • Malicious IP addresses. Another important clue left behind during credential stuffing attacks is the Internet Protocol (IP) addresses from which the hacks originated. Blacklisting practices can be used to block suspicious IP addresses known to be involved in previous breach attempts. Even when IP addresses are continually cycled to elude detection, improved threat intelligence allows IT and security teams to adapt to these changes quickly.
  • Dark web monitoring. Since passwords are often exchanged on the dark web before they're used for credential stuffing, leveraging a dark web monitoring tool to determine your exposure level is an important part of credential stuffing prevention.
  • API endpoint monitoring. Modern credential stuffing attacks increasingly target API endpoints that lack the same protections as web login forms. Security teams should monitor authentication APIs for anomalous request volumes, unusual user-agent strings, and automated patterns that bypass front-end CAPTCHA and rate-limiting controls.
  • Infostealer log detection. Because infostealers harvest credentials before they appear in traditional breach databases, organizations should monitor for signs of infostealer infections on corporate and BYOD devices. Watch for unexpected browser extension installs, anomalous outbound traffic to known stealer C2 infrastructure, and employee credentials appearing in stealer log marketplaces.
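
The login-pattern signals listed above, sketched as an added example (not Dashlane's code or tooling): it flags a single source that tries many usernames and mostly fails, and an endpoint where many sources each fail only a few times, the pattern left by proxy rotation that stays under per-IP rate limits. The event tuple layout, thresholds, endpoint paths, and sample log are all constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed auth log: (epoch_s, src_ip, username, endpoint, success)."""
    ev = [(0, "192.0.2.10", "alice", "/login", True),
          (5, "192.0.2.11", "bob", "/login", False),  # mistyped once, then success
          (9, "192.0.2.11", "bob", "/login", True),
          (20, "192.0.2.12", "carol", "/api/v1/auth", True)]
    # One noisy source: 12 different usernames, one reused password matches.
    ev += [(30 + i, "198.51.100.7", f"user{i}", "/login", i == 4) for i in range(12)]
    # Rotating sources: 20 IPs, 2 failed attempts each, under any per-IP limit.
    ev += [(60 + i, f"203.0.113.{i // 2 + 1}", f"acct{i}", "/api/v1/auth", False)
           for i in range(40)]
    return ev

def noisy_sources(events, min_users=5, min_fail_ratio=0.8):
    """Source IPs that try many distinct usernames and mostly fail."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, _, ok in events:
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += not ok
    return {ip for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def distributed_endpoints(events, window=300, min_ips=10, min_fail_ratio=0.8):
    """Endpoints where, within one time window, many sources each fail a little."""
    buckets = defaultdict(lambda: {"ips": set(), "fail": 0, "n": 0})
    for ts, ip, _, endpoint, ok in events:
        b = buckets[(endpoint, ts // window)]
        b["ips"].add(ip)
        b["n"] += 1
        b["fail"] += not ok
    return sorted({ep for (ep, _), b in buckets.items()
                   if len(b["ips"]) >= min_ips and b["fail"] / b["n"] >= min_fail_ratio})

def accounts_to_reset(events, flagged_ips):
    """Usernames with a successful login from a flagged source (likely takeover)."""
    return sorted({user for _, ip, user, _, ok in events if ok and ip in flagged_ips})

if __name__ == "__main__":
    events = sample_events()
    flagged = noisy_sources(events)
    print("noisy sources:", flagged)
    print("endpoints under distributed attack:", distributed_endpoints(events))
    print("accounts to reset:", accounts_to_reset(events, flagged))
```

The per-IP check alone misses the rotating sources entirely; only the per-endpoint aggregate surfaces them, which is why both views are needed on authentication APIs as well as web login forms.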

How to prevent credential stuffing attacks

Credential stuffing and password security are closely linked, so the tools and practices you use to improve your password hygiene are essential, along with a few other best practices.

  • Don’t reuse passwords. Repeating old credentials is a common habit. Unfortunately, reusing passwords also decreases password security because multiple accounts can be breached if a reused password is compromised. Password reuse makes us much more vulnerable to credential stuffing attacks by increasing the chances of a successful match.
  • Keep software updated. Software and operating system updates also include patches to correct any known security issues. Hackers take advantage of unpatched software and out-of-date operating systems to gain unauthorized access. A cybercriminal might even scour the internet to find unpatched systems to target. Applying recommended patches and updates helps prevent the data breaches that credential stuffers rely on.
  • Use 2-factor or multifactor authentication. Push notifications and codes sent through an app or text to verify user identity are common examples of 2-factor authentication. This security practice is extremely effective in preventing successful credential stuffing attacks because the hacker is unlikely to have access to the second credential. Multifactor authentication (MFA) uses two or more identifiers for the same purpose, sometimes including biometric factors like fingerprints or facial recognition. 
  • Only share passwords securely. Sharing passwords with friends, family, and coworkers is almost unavoidable. However, it increases vulnerability to password theft when an unencrypted method like a text or Slack message is used for sharing. In addition, sharing passwords exposes everyone in the group if any one of them is impacted by a cybercrime. The best way to share passwords securely is by using the sharing feature of a password manager.
  • For businesses, educate your employees. Employees should be trained to understand the connections between password hygiene and credential stuffing as part of an overall cybersecurity education program. Bring your own device (BYOD) and remote working policies also increase the risk factors for lost or stolen passwords, so all employees should be trained to remain vigilant and report security incidents quickly.
  • Use a password manager. A password manager is an important tool for minimizing the impact of credential stuffing and password attacks. The best password managers raise your security profile by creating strong and unique passwords for each account, then storing them in a secure, encrypted vault. This helps to protect you from hackers who steal or guess at passwords to gain system access.
  • Dark web monitoring. Despite being vigilant, you may not always realize when your information has been compromised. Dark web monitoring helps you scan the hidden recesses of the internet for your personal information and credentials. Dashlane’s Dark Web Monitoring includes up to five email addresses and immediately alerts users if their credentials are detected and need to be changed.
  • Conduct regular credential exposure audits. With billions of credentials circulating on the dark web, reactive password changes after a known breach are no longer sufficient. IT security teams should run proactive data breach checks using tools that scan for employee credentials across infostealer logs, combo lists, and dark web marketplaces. Dashlane's Dark Web Monitoring continuously scans for exposed credentials and alerts admins immediately, giving your team the time to respond before attackers exploit stolen passwords.

Credential stuffing vs. other cyberattacks

Credential stuffing remains one of the most reliable attack methods for cybercriminals, and the economics keep improving in their favor.

According to Verizon's 2025 DBIR, stolen credentials drove 22% of all confirmed breaches, making them the most common initial access vector. What separates credential stuffing from phishing, zero-day exploits, ransomware, and man-in-the-middle attacks is its fundamental dependency on password reuse.

When organizations eliminate reused and weak passwords across their workforce, they neutralize the core input that credential stuffing requires.


References

  1. Dashlane, “What Is Credential Stuffing?” December 2020.
  2. Dashlane, “6 Things a Safe Username Should Always Do,” February 2023.
  3. Dashlane, “The Dark Web Iceberg Explained In Simple Terms,” June 2023.
  4. Amazon, “What is a bot?” 2023.
  5. HYPR Encyclopedia, “Credential Stuffing,” 2023.
  6. Investopedia, “General Data Protection Regulation (GDPR) Definition and Meaning,” November 2020.
  7. Dashlane, “A look at Password Health Scores around the world in 2022,” 2022.
  8. CPO Magazine, “Credential Stuffing Attack Impacts About 35,000 PayPal Accounts, Company Says No Unauthorized Transactions Detected,” January 2023.
  9. Dashlane, “Always Change Your Passwords After a Breach,” March 2020.
  10. The Hacker News, “What the Zola Hack Can Teach Us About Password Security,” August 2022.
  11. Dashlane, “The Most Notable Breaches That Kicked Off 2023,” April 2023.
  12. CPO Magazine, “The North Face Credential Stuffing Attack Compromises 200,000 Accounts,” September 2022.
  13. Infosecurity Magazine, “US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners' Personal Info,” May 2022.
  14. TechTarget, “Manage unsuccessful login attempts with account lockout policy,” September 2020.
  15. Auth0, “Protect Your Site from Bots with CAPTCHAs and JavaScript Challenges,” February 2023.
  16. Dashlane, “Dark Web Monitoring: Your Employees Are Likely Using Compromised Passwords,” July 2022.
  17. Dashlane, “Digital Identity 101: Everything You Need to Know,” April 2023.
  18. Dashlane, “7 Password Hygiene Best Practices to Follow,” February 2023.
  19. Dashlane, “How Password Reuse Leads to Cybersecurity Vulnerabilities,” May 2023.
  20. Dashlane, “What Is Password Sharing & When Should I Use It,” February 2023.
  21. Dashlane, “Share your saved items in Dashlane,” 2023.
  22. Dashlane, “3 Strategies to Prevent Breaches and Hacks at Work,” September 2021.
  23. Dashlane, “A Guide to Protecting Passwords from Hackers,” February 2023.
  24. Dashlane, “How a Password Manager Helps Prevent a Data Breach,” December 2017.
  25. Dashlane, “What the Hack is a Brute Force Attack?” February 2020.
  26. Dashlane, “Dark Web Monitoring,” 2023.
  27. Dashlane, “6 Pros & Cons of a Future Without Passwords,” July 2023.
  28. Dashlane, “2-factor authentication (2FA) in Dashlane,” 2023.
  29. Dashlane, “A look at Password Health Scores around the world in 2022,” 2022.
  30. Dashlane, “8 Hacker Protection Tips To Keep Your Online Accounts Safe,” May 2023.
  31. Dashlane, “How to Switch Your Password Manager to Dashlane,” January 2023.
  32. Cybernews, “16 Billion Credentials Exposed,” June 2025.
  33. Verizon, “2025 Data Breach Investigations Report.”
  34. Check Point, “The Alarming Surge in Compromised Credentials in 2025.”
  35. BleepingComputer, “Roku Credential Stuffing Attacks,” April 2024.
  36. Keeper Security, “Four Notable Credential Stuffing Attacks in 2024.”
  37. Darknet.org.uk, “Credential Stuffing in 2025,” March 2026.
  38. Seraphic Security, “Credential Stuffing: How It Works & Real-World Attacks.”
  39. BlackFog, “The World's Largest Credential Leak Hits 16 Billion Records.”
