The Anatomy of a Credential-Stuffing Attack

In October 2013, Adobe disclosed a breach that ultimately exposed roughly 153 million user records. The passwords were not hashed but encrypted, with 3DES in ECB mode and no per-user salt, and the plaintext password hints sat in the same table. Because ECB gives identical passwords identical ciphertext, researchers could group accounts by ciphertext, use the hints to read off the most common passwords, and recover millions of them within days. The interesting part isn't what happened to Adobe's own users. It's what happened next, across dozens of other websites those users had never thought about when they typed their password into an Adobe login box.

That downstream cascade is credential stuffing. It's not glamorous hacking. There's no zero-day exploit, no social engineering, no phishing. It's closer to industrial agriculture than cat burglary: automated, systematic, and quietly devastating at scale.

How Breached Lists Travel From Server to Attacker

When a database gets exfiltrated, the stolen data doesn't go straight to one criminal. It moves through a layered underground economy. The initial breach team might sell a fresh dump on a private forum — sometimes for thousands of dollars if the site is a big name. Over months, copies proliferate. Someone posts a partial version to prove authenticity, negotiating with buyers. Eventually a cleaned-up, deduplicated "combo list" — email:password pairs, ready to run — finds its way to public leak forums, Telegram channels, or dark web repositories where anyone can download it for a few dollars or sometimes nothing.

By the time a combo list is circulating freely, it might contain records from dozens of separate breaches merged into one file. The famous "Collection #1" that researcher Troy Hunt analyzed in 2019 contained 773 million unique email addresses and over 21 million distinct passwords, assembled from at least 2,000 previous breaches. One file. Twenty-one million passwords people had used somewhere, at some point.

The Automation Layer: Tools That Do the Dirty Work

Trying those credentials manually is obviously impossible. Attackers use specialized tools to automate login attempts at scale; SentryMBA, OpenBullet, and more recently STORM and Snipr are the names that show up repeatedly in security research. These aren't crude scripts. They handle JavaScript challenges, solve or farm out CAPTCHAs, rotate through residential proxy networks to distribute requests, and parse success indicators from HTML responses or HTTP status codes.

A mid-tier credential stuffing operation might attempt logins against a single target site at a rate of a few hundred per minute, distributed across hundreds of IP addresses. Anything faster tends to trip rate limiters. Anything slower is just leaving money on the table. The operators treat this like a business with margins: combo list cost, proxy subscription, compute time, versus expected yield from successful account takeovers.

Success rates are low. Across the industry, estimates cluster around 0.1% to 2% for fresh, well-targeted combo lists, meaning for every thousand attempts, somewhere between one and twenty accounts are taken over. Against a list of 100 million credentials targeting a major retail or streaming platform, that's still potentially hundreds of thousands of compromised accounts, and millions at the top of that range. And attackers aren't running one campaign. They're running hundreds simultaneously.

What Attackers Actually Do With a Working Account

The monetization varies by site type, which is why attackers maintain different "configs" — essentially per-site attack profiles — for different targets. A working Netflix account gets resold on forums for one to three dollars. A cracked airline loyalty account with 200,000 miles can fetch far more. Gaming accounts with rare skins or in-game currency have dedicated resale markets. Bank accounts are more complex — fraudsters need money mules or specific techniques to extract cash without triggering fraud detection.

Retail accounts are used for gift card fraud or to leverage stored payment methods for purchases sent to reshipping addresses. Healthcare portal accounts are occasionally targeted for insurance fraud. Even email accounts have value — as stepping stones to password reset chains on other services, or for business email compromise scams.

The person whose credential got stuffed often has no idea for weeks or months. They didn't get a breach notification because this breach wasn't of the current site — it was of somewhere else they used the same password, possibly years ago. Their session at the compromised site might look normal. The attacker just wants to quietly drain value, not trigger alarms.

Why Password Reuse Is the Vulnerability, Not the Breach

Here's the counterintuitive piece: the original breach doesn't have to be catastrophic for credential stuffing to succeed. A mid-sized forum breach from 2017, a fitness app that got hit in 2019, a recipe website's poorly secured database — each of these becomes a key-cutting machine for every other site where those users used the same password.

Research from Virginia Tech analyzing 61 million passwords found that roughly 52% of users reused a password across multiple accounts, either identically or with a trivial modification such as an appended number or exclamation point. Credential stuffing tools are now configured to try exactly those variations, so changing "netflix2019" to "netflix2020" when a breach happens provides approximately zero additional protection.
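The same variation rules can be run on the defender's side, at password-change time, to reject a "new" password that a stuffing config would reach from the old one in a single extra guess. The following is an added example, not code from the article or from any of the tools it names; the substitution table and the one-edit threshold are illustrative assumptions.

```python
"""Flag a replacement password that is only a trivial variation of the old one.

Added example, not code from the article. It applies, on the defender's side,
the normalisation a stuffing config's variation rules work around: strip the
trailing year or '!', undo leetspeak, ignore case, then compare. A breached
password and its "modified" successor that collapse to the same core give the
attacker one extra guess at most.
"""
import re
import unicodedata

# Small illustrative substitution table (an assumption, not a full leet alphabet).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Runs of digits, symbols or underscores at either end: "2019", "!", "2020!!"
_EDGE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def core(password: str) -> str:
    """Reduce a password to the stem that mangling rules leave untouched."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = _EDGE.sub("", p)        # drop leading/trailing years, counters, punctuation
    p = p.translate(_LEET)      # p@ssw0rd -> password
    return _EDGE.sub("", p)     # a substitution can expose a new edge symbol


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; passwords are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 1) -> bool:
    """True when a stuffing tool's variation rules would reach `new` from `old`."""
    a, b = core(old), core(new)
    if not a or not b:
        # all-digit or all-symbol passwords have no stem; compare the raw strings
        return edit_distance(old.lower(), new.lower()) <= max_distance
    if a == b:
        return True
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= 4 and shorter in longer:   # "password" -> "mypassword"
        return True
    return edit_distance(a, b) <= max_distance


if __name__ == "__main__":
    for old, new in [("netflix2019", "netflix2020"), ("Netflix2019", "n3tfl1x!"),
                     ("netflix2019", "xK9#mPqL2$nRvT")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_variant(old, new)}")
```

A password-change handler would call `is_trivial_variant(previous, proposed)` and refuse the change when it returns true; the check is deliberately generous, because the attacker's rule set is.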

The attack fundamentally exploits human memory. People can't realistically maintain forty or sixty distinct, strong passwords in their heads. So they don't. They pick a pattern, maybe vary it slightly between sites they consider "important," and use something weaker everywhere else. Attackers know this and build their tooling around it.

Detection on the Defender Side (and Why It's Hard)

Website operators face a detection problem: a credential stuffing attack, from the outside, looks like normal login traffic. Each request is technically valid — it's hitting the right endpoint with properly formatted credentials. The volume is deliberately kept under alert thresholds. The IPs are residential proxies, meaning they're clean addresses belonging to real ISPs, not known VPN exit nodes or datacenter ranges that trigger blocklists.

Defenders look for subtle signals: slight increases in failed login rates, unusual geographic distributions of login attempts, devices presenting unusual browser fingerprints, or login velocity patterns that don't match typical user behavior. Some platforms now use behavioral biometrics — how fast someone types, mouse movement patterns — as additional signals. But this is an arms race. Toolkits evolve to mimic normal behavior more convincingly.
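The reason per-IP thresholds miss this traffic, and what a fingerprint-level view catches instead, can be shown on a handful of log lines. This is an added example, not detection logic from the article or from any vendor; it assumes the login service logs a JA3-style client fingerprint alongside the IP, username and outcome, and all log lines in it are constructed.

```python
"""Detect a low-and-slow credential-stuffing run in login logs.

Added example, not from the article. Per-IP rate limits miss residential-proxy
traffic because each IP sends one or two requests, so this groups attempts by a
client fingerprint instead (a JA3-style TLS fingerprint, assuming the login
service logs one) and flags a fingerprint that spans many IPs and many
usernames with a failure ratio far above the site's normal baseline.
All log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) fp=(?P<fp>\S+) result=(?P<result>OK|FAIL)")

# Ordinary traffic: two common browser fingerprints, one user retrying a typo.
NORMAL_LOGS = [
    "2024-03-01T10:00:01Z ip=192.0.2.10 user=alice@example.com fp=ja3:chrome123 result=OK",
    "2024-03-01T10:00:09Z ip=192.0.2.11 user=bob@example.com fp=ja3:chrome123 result=FAIL",
    "2024-03-01T10:00:21Z ip=192.0.2.11 user=bob@example.com fp=ja3:chrome123 result=OK",
    "2024-03-01T10:01:02Z ip=192.0.2.12 user=carol@example.com fp=ja3:safari77 result=OK",
    "2024-03-01T10:01:40Z ip=192.0.2.13 user=dave@example.com fp=ja3:chrome123 result=OK",
    "2024-03-01T10:02:15Z ip=192.0.2.14 user=erin@example.com fp=ja3:safari77 result=OK",
    "2024-03-01T10:02:58Z ip=192.0.2.15 user=frank@example.com fp=ja3:chrome123 result=OK",
    "2024-03-01T10:03:31Z ip=192.0.2.16 user=grace@example.com fp=ja3:safari77 result=OK",
]
# The stuffing run: 40 attempts, one per IP, 40 different usernames, one tool
# fingerprint, a single hit. A per-IP threshold above 1 never fires.
STUFFING_LOGS = [
    f"2024-03-01T10:{i // 6:02d}:{(i * 10) % 60:02d}Z ip=203.0.113.{i + 1} "
    f"user=user{i:03d}@example.net fp=ja3:c0ffee result={'OK' if i == 23 else 'FAIL'}"
    for i in range(40)
]


@dataclass
class Stats:
    attempts: int = 0
    failures: int = 0
    ips: set = field(default_factory=set)
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(lines):
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.groupdict()


def profile(events):
    """Aggregate attempts per fingerprint and per IP."""
    by_fp, by_ip = defaultdict(Stats), defaultdict(Stats)
    for e in events:
        for s in (by_fp[e["fp"]], by_ip[e["ip"]]):
            s.attempts += 1
            s.failures += e["result"] == "FAIL"
            s.ips.add(e["ip"])
            s.users.add(e["user"])
    return by_fp, by_ip


def suspicious_fingerprints(by_fp, baseline_fail_ratio, min_ips=10, min_users=10, multiplier=5):
    """Fingerprints spread across many IPs and usernames with an abnormal failure ratio."""
    return sorted(fp for fp, s in by_fp.items()
                  if len(s.ips) >= min_ips and len(s.users) >= min_users
                  and s.fail_ratio >= multiplier * baseline_fail_ratio)


def analyse(lines, baseline_fail_ratio=0.10):
    """baseline_fail_ratio: the site's normal share of failed logins (assumed 10%)."""
    by_fp, by_ip = profile(parse(lines))
    return {
        "flagged": suspicious_fingerprints(by_fp, baseline_fail_ratio),
        "max_attempts_per_ip": max(s.attempts for s in by_ip.values()),
        "per_fp": {fp: (len(s.ips), len(s.users), round(s.fail_ratio, 3))
                   for fp, s in by_fp.items()},
    }


if __name__ == "__main__":
    print(analyse(NORMAL_LOGS + STUFFING_LOGS))
```

In this sample no IP makes more than two attempts, so an IP-based limiter sees nothing, while the tool's fingerprint shows 40 IPs, 40 usernames and a 97.5% failure ratio against a 10% baseline. The same grouping works on any stable client attribute (TLS fingerprint, HTTP/2 settings, header order); the arms race is over how long that attribute stays stable.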

What Actually Stops It: The Credential Side

The most effective defense is eliminating the ammunition itself — or at least making it useless. This happens at two levels.

First, unique passwords per site, which in practice requires a password manager. Not "unique" meaning slightly different. Genuinely random, unrelated strings: "xK9#mPqL2$nRvT" for one site, something completely different for the next. Once the reuse vector is gone, a breach of Site A cannot become a key to Site B. Period. The credential stuffing playbook falls apart when there's nothing to stuff.

Second, breach monitoring closes the loop. Have I Been Pwned, Troy Hunt's project, now tracks over 14 billion compromised accounts and lets individuals check whether an email address has appeared in a known data dump. Its companion Pwned Passwords service checks whether a password string itself appears in the breach corpus, and that API is integrated into a growing number of password managers and browsers: when you create or save a password, the client computes its SHA-1 hash, sends only the first five hex characters, receives every hash suffix in that range, and does the comparison locally, so neither the password nor its full hash ever leaves your device (the k-anonymity model). If your credentials appear in a dump, you know to change them before an attacker tries them.
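The exchange is small enough to show end to end. What follows is an added example, not code from Have I Been Pwned, a password manager, or the article: it implements the client side of the range query against a constructed stand-in for the API response so it runs offline, and the counts in that response are made up. The live fetch at the bottom is included for reference and is not called.

```python
"""Pwned Passwords k-anonymity check, run against a constructed range response.

Added example, not code from Have I Been Pwned or from the article. The real
protocol: the client SHA-1 hashes the password, sends only the first five hex
characters to https://api.pwnedpasswords.com/range/<prefix>, and the server
returns every suffix in that range with a count. Matching happens locally, so
the full hash (and the password) never leave the client. Network access is
replaced here by a constructed response body so the example runs offline.
"""
import hashlib

PREFIX_LEN = 5


def split_hash(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded responses carry count-0 filler, drop it."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password has been seen in breaches (0 if not present)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and the
# first line below is its suffix; the counts and other suffixes are made up.
FAKE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
0D5DE4A3E4CF0ADA1C3E68C1B4C5B33BD4B:2
1D2A8B9C1B6F4E2D3C5A7B9E1F0D2C4B6A8:0
"""


def fake_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP call; only one range is populated."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real client for reference (not called here). Add-Padding hides the true
    number of suffixes in the range from a network observer."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-checker"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "xK9#mPqL2$nRvT"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: sends prefix {prefix}, seen {breach_count(pw, fake_fetch)} times")
```

Note what the server learns: a five-character prefix that matches about one in a million hashes, and nothing that distinguishes the user's password from the hundreds of others in the same range. Swap `fake_fetch` for `live_fetch` to query the real service.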

Password strength matters too, but for different reasons than most people think. Cracking a breached dump means guessing passwords one hash at a time, and the site's choice of hash sets the price of each guess: a bcrypt hash at a sensible cost factor can hold up a cracking effort for years, while an unsalted MD5 hash falls in seconds. A strong, slow-hashed password buys time for breach detection and notification to work; it limits how quickly the dump turns into a usable combo list. But a weak password falls quickly under any hash, and strength without uniqueness is a partial defense at best.
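The size of that price difference is easy to measure. The following added example (not code from the article) times one guess against unsalted MD5 and against a deliberately slow key-derivation function, then projects the time to try the 21 million distinct passwords from Collection #1 against a single stored hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so nothing beyond Python is needed; the iteration count and the one-core assumption are the example's own.

```python
"""How much time a slow password hash buys against a leaked database.

Added example, not from the article. It times one guess against unsalted MD5
(what many older breached sites stored) and against a deliberately slow KDF;
PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here so
nothing beyond Python is needed. It then projects how long a single CPU core
needs to try a 21-million-entry password list (Collection #1's distinct
passwords) against one hash. Absolute numbers depend on the machine, and GPUs
run MD5 thousands of times faster than this loop; the ratio is the point.
"""
import hashlib
import os
import time

WORDLIST_SIZE = 21_000_000
SALT = os.urandom(16)          # per-user random salt, as a properly hashed site would store
PBKDF2_ITERATIONS = 600_000    # a widely recommended work factor for PBKDF2-HMAC-SHA256


def md5_guess(candidate: bytes) -> bytes:
    return hashlib.md5(candidate).digest()


def pbkdf2_guess(candidate: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", candidate, SALT, PBKDF2_ITERATIONS)


def seconds_per_guess(hash_fn, samples: int) -> float:
    """Average wall-clock cost of pushing one candidate through hash_fn."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate{i}".encode())
    return (time.perf_counter() - start) / samples


def cracking_projection(wordlist_size: int = WORDLIST_SIZE) -> dict:
    """Single-core time to exhaust the wordlist against one hash, per algorithm."""
    md5_cost = seconds_per_guess(md5_guess, samples=20_000)
    kdf_cost = seconds_per_guess(pbkdf2_guess, samples=3)
    return {
        "md5_seconds_per_guess": md5_cost,
        "kdf_seconds_per_guess": kdf_cost,
        "slowdown": kdf_cost / md5_cost,
        "md5_wordlist_seconds": md5_cost * wordlist_size,
        "kdf_wordlist_days": kdf_cost * wordlist_size / 86_400,
    }


if __name__ == "__main__":
    for key, value in cracking_projection().items():
        print(f"{key:>24}: {value:,.4f}")
```

On a typical laptop the MD5 pass over the whole list finishes in seconds while the PBKDF2 pass runs for weeks, and a salted KDF also forces that work to be repeated per user rather than once for the whole dump. None of it helps a password that sits in the first thousand entries of the list.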

The Part That Doesn't Get Said Enough

The scale of existing breach data means that for most adults who've been online since the mid-2000s, some version of their credentials is almost certainly in a combo list somewhere. This isn't alarmism — it's straightforward math given the volume of documented breaches. The question isn't really whether your old passwords are out there. It's whether those passwords are still being used anywhere.

Credential stuffing is effective because it exploits a gap between how quickly breaches accumulate and how slowly people update their security habits. The Adobe breach is twelve years old. Credentials from it are still generating successful logins on websites today, against accounts whose owners have forgotten they ever visited Adobe in the first place.

The attack is industrial. The defense, unfortunately, has to be personal: a password manager, genuine uniqueness across accounts, breach monitoring, and multi-factor authentication as a final backstop when the password layer gets defeated anyway. None of this is complicated. Most of it is just inconvenient enough that people delay it indefinitely — which is exactly what keeps credential stuffing profitable, year after year after year.