Credential stuffing is an attack in which stolen username and password pairs are tried against other login systems in the hope that users reused the same credentials. In plain language, it exploits password reuse across different services.
Credential stuffing matters because many users reuse passwords across personal and work systems. That means a breach somewhere else can create risk for systems that were not originally compromised.
It also matters because the attack defeats a common assumption: that a correct password proves the account owner is signing in. Because each username and password pair is genuinely valid, a single attempt looks like ordinary login traffic, and the attack only becomes visible in the surrounding pattern, such as one attempt each against many distinct accounts from the same source, a high share of failures for usernames that do not exist in the directory, and an occasional success among them.
Credential stuffing appears in identity monitoring, login abuse defense, Conditional Access, Account Lockout tuning, and Multi-Factor Authentication strategy. Teams connect it to Brute Force Attack, Password Spraying, Phishing, and Phishing-Resistant Authentication.
Security teams defend against credential stuffing with layered controls such as MFA, login anomaly detection, session protection, bot mitigation, and response processes for known-compromised accounts.
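One layered control that targets credential stuffing directly is screening passwords against a corpus of credentials known to have appeared in breaches, at password set time or at sign-in, without ever sending the password itself to the screening service. The following is an added example, not code from the original page or from any particular vendor. It simulates the k-anonymity range-lookup protocol used by services such as Pwned Passwords entirely offline: the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix in that bucket, and the client does the final match locally. The breached-password corpus, its counts and the `range_lookup` function are constructed stand-ins for the real HTTPS call, which is not performed here.

```python
"""Breached-password screening with a prefix (k-anonymity) range lookup.

Added example, not from the original page. The corpus and counts below
are constructed; in production range_lookup() would be an HTTPS request
to a service implementing this protocol, and nothing but the 5-char
prefix would leave the client.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the convention the range format uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "seen in breaches" corpus: password -> number of sightings.
_BREACHED_CORPUS = {
    "password": 3_000_000,
    "123456": 9_000_000,
    "Summer2023!": 1_200,
}


def build_ranges(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Server side: bucket full hashes by their first five hex characters.

    Each bucket holds lines of the form SUFFIX:COUNT, where SUFFIX is the
    remaining 35 hex characters of the hash.
    """
    ranges: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


RANGES = build_ranges(_BREACHED_CORPUS)


def range_lookup(prefix: str) -> str:
    """Simulated server endpoint: all suffix:count lines for one prefix.

    A real service returns a non-empty bucket for any prefix because its
    corpus is large; an empty string here simply means no match.
    """
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    return "\n".join(RANGES.get(prefix, []))


def breach_count(password: str) -> int:
    """Client side: how many times this password was seen, 0 if never.

    Only the prefix is sent; the suffix comparison happens locally, so the
    lookup service learns neither the password nor its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str) -> bool:
    """Policy hook: reject any password with a non-zero breach count."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "Summer2023!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, "
              f"{'rejected' if not password_acceptable(pw) else 'accepted'}")
```

At sign-in rather than at password set, the same check can drive a step-up decision instead of a hard reject: a valid login whose password is on a breach list is exactly the pair a credential stuffing list would contain, so requiring MFA and scheduling a forced reset is a reasonable response even when the session is otherwise unremarkable.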
An attacker obtains credential pairs from a breach unrelated to your organization and tries those same pairs against a company VPN or SaaS login page. If employees reused the same passwords, some of the attempts may succeed even though the company itself did not originally leak the credentials.
Credential stuffing is not the same as a Brute Force Attack. Brute force guesses many candidate passwords against one account or a few accounts. Credential stuffing uses credential pairs that were already valid somewhere else, typically one attempt per account.
It is also different from Password Spraying. Password spraying tests a small set of common passwords across many accounts, while credential stuffing uses known username and password combinations. In sign-in logs the two can look alike, since both produce roughly one failed attempt per account from the same source and the passwords themselves are not logged. The practical tell is where the usernames came from: a spraying list is usually built from the target's own directory, whereas a stuffing list comes from another service's breach and tends to include many usernames that do not exist in the target system at all.
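The distinctions above translate into a detection heuristic that a defender can run over sign-in logs: aggregate attempts per source, then look at attempts per account, the share of "no such user" failures, and successes. The following is an added example, not code from the original page or from any IdP product. The JSON log format, field names (`src_ip`, `user`, `result`, `reason`), the sample events and the thresholds are all constructed assumptions chosen for illustration; the IP addresses are RFC 5737 documentation ranges. It goes slightly beyond the page by also labelling the spraying and brute force shapes, so the three patterns can be compared side by side, and it lists the accounts that succeeded from an attacking source, which is the input to the compromised-account response process.

```python
"""Classify sign-in sources by the shape of their attempts.

Added example, not from the original page. Log format, field names and
thresholds are assumptions for illustration; adapt them to your IdP's
sign-in log. The events below are constructed, not real traffic.
"""
import json
from collections import defaultdict

# Constructed sample: one stuffing source, one brute-force source, one
# spraying source and one ordinary user who mistyped once.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.10", "user": "alice", "result": "fail", "reason": "bad_password"}
{"src_ip": "203.0.113.10", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "203.0.113.10", "user": "jsmith82", "result": "fail", "reason": "unknown_user"}
{"src_ip": "203.0.113.10", "user": "carol", "result": "fail", "reason": "bad_password"}
{"src_ip": "203.0.113.10", "user": "mgarcia", "result": "fail", "reason": "unknown_user"}
{"src_ip": "203.0.113.10", "user": "dave", "result": "success", "reason": ""}
{"src_ip": "203.0.113.10", "user": "erin", "result": "fail", "reason": "bad_password"}
{"src_ip": "203.0.113.10", "user": "pwong", "result": "fail", "reason": "unknown_user"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.7", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "alice", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "bob", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "carol", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "dave", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "erin", "result": "fail", "reason": "bad_password"}
{"src_ip": "198.51.100.20", "user": "frank", "result": "fail", "reason": "bad_password"}
{"src_ip": "192.0.2.5", "user": "alice", "result": "fail", "reason": "bad_password"}
{"src_ip": "192.0.2.5", "user": "alice", "result": "success", "reason": ""}
"""

# Assumed thresholds; tune against your own baseline traffic.
MIN_ATTEMPTS = 5             # sources with fewer attempts are not judged
BRUTE_FORCE_PER_USER = 3.0   # attempts per account that suggests guessing
STUFFING_UNKNOWN_RATIO = 0.2 # share of "no such user" failures for stuffing
ATTACK_CLASSES = {"credential_stuffing", "password_spraying", "brute_force"}


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def profile_sources(events: list[dict]) -> dict[str, dict]:
    """Per source IP: total attempts, distinct users, successes, unknown users."""
    prof: dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "users": set(), "successes": 0, "unknown": 0})
    for e in events:
        p = prof[e["src_ip"]]
        p["attempts"] += 1
        p["users"].add(e["user"])
        if e["result"] == "success":
            p["successes"] += 1
        elif e.get("reason") == "unknown_user":
            p["unknown"] += 1
    return prof


def classify(p: dict) -> str:
    """Label one source profile by the shape of its attempts."""
    attempts, users = p["attempts"], len(p["users"])
    if attempts < MIN_ATTEMPTS:
        return "benign"
    if attempts / users >= BRUTE_FORCE_PER_USER:
        return "brute_force"            # many guesses against few accounts
    if users < MIN_ATTEMPTS:
        return "suspicious"             # volume without a clear shape
    # One attempt per account across many accounts: stuffing or spraying.
    # Passwords are not logged, so use the username source as the tell:
    # breach lists carry usernames the target directory has never seen.
    if p["unknown"] / attempts >= STUFFING_UNKNOWN_RATIO:
        return "credential_stuffing"
    return "password_spraying"


def classify_log(text: str) -> dict[str, str]:
    """Map every source IP in the log to its label."""
    return {ip: classify(p) for ip, p in profile_sources(parse_events(text)).items()}


def compromised_accounts(text: str) -> set[str]:
    """Accounts that signed in successfully from a source judged to be attacking.

    This is the list a response process acts on: revoke sessions, force a
    reset and require MFA re-enrolment, even though each login was 'valid'.
    """
    events = parse_events(text)
    verdicts = classify_log(text)
    return {e["user"] for e in events
            if e["result"] == "success" and verdicts[e["src_ip"]] in ATTACK_CLASSES}


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The success from 203.0.113.10 is the important line: on its own it is a valid login for `dave`, and no per-account lockout threshold would ever fire for it, since each account at that source saw exactly one attempt. Only the per-source aggregate, with three of eight usernames unknown to the directory, reveals that the pair was replayed from a breach list, which is why the response has to treat `dave` as compromised rather than as a successful sign-in.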