Severity: Critical | Category: Authentication

Credential Stuffing

Attackers take huge lists of usernames and passwords leaked from other websites and automatically try them on your login page. Because most people reuse passwords, a surprising number of these attempts succeed — without the attacker ever having to guess anything.

Think of it this way

Imagine someone found a keyring dropped on the street with 50 keys and a label saying 'works on Gmail and Facebook'. They walk up to your front door and try every key in the ring. Credential stuffing is exactly that — keys stolen from someone else's breach being tested against your lock.

How it works

Data breaches happen constantly. When a company is hacked, their user database — emails and (often poorly hashed) passwords — ends up for sale on the dark web. Attackers buy these lists, which can contain hundreds of millions of credentials. They run automated tools that fire login attempts against your API, using the real email and password combinations from those breaches. The success rate is typically 0.1–2%, but on a list of 10 million credentials that is still up to 200,000 compromised accounts.

Real-world scenarios

Scenario 1: E-commerce account takeover wave

An attacker uses a list of 2 million credentials leaked from a food delivery app breach. They test all 2 million against a fintech's login API overnight. 8,000 of those accounts reuse the leaked password and are successfully taken over before anyone notices.

Scenario 2: SaaS trial abuse

Stolen credentials are used to log into a SaaS platform, access customer data stored in those accounts, and scrape it for competitive intelligence — all appearing as normal user activity.

Scenario 3: Fund theft

On a wallet app, 300 successful stuffing logins lead to immediate withdrawal requests to mule accounts. The window from first login to fund transfer is under 4 minutes per account.

How Anomira detects this

Anomira detects credential stuffing through a combination of signals: a high volume of login attempts from a single IP or from a distributed network of IPs, an unusually high ratio of failed to successful logins, and requests that follow no human pacing pattern (identical intervals between attempts, no browsing activity between them).

What to do

  • Enable multi-factor authentication — a stuffed password is useless without the second factor.
  • Monitor your failed-login ratio; a spike above 30% failure is a strong signal.
  • Subscribe to breach notification services (Have I Been Pwned API) and proactively reset passwords found in breaches.
  • Block Anomira-flagged IPs immediately and review the accounts they successfully accessed.
  • Consider passwordless login (magic links, passkeys) which is immune to stuffing.
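The following is an added example, not Anomira's detection code, that shows how the signals described above (attempt volume per source, failed-to-successful ratio against the 30% guidance, and machine-regular pacing) can be computed from login events. The log format, the IP addresses, the account names and the thresholds are all constructed assumptions for illustration; a real deployment would tune the thresholds against its own baseline and also aggregate across distributed sources, not just per IP.

```python
"""Toy credential-stuffing detector over constructed login-event logs.

Added example (not Anomira's code). Assumes a constructed log format:
    <epoch_seconds> <client_ip> <username> <outcome>
where outcome is "ok" or "fail". All thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one scripted source cycling through many accounts at a
# fixed 2-second interval, plus a human who mistypes once and then logs in.
SAMPLE_LOG = """\
1700000000 203.0.113.9 alice@example.com fail
1700000002 203.0.113.9 bob@example.com fail
1700000004 203.0.113.9 carol@example.com ok
1700000006 203.0.113.9 dave@example.com fail
1700000008 203.0.113.9 erin@example.com fail
1700000010 203.0.113.9 frank@example.com fail
1700000012 203.0.113.9 grace@example.com ok
1700000014 203.0.113.9 heidi@example.com fail
1700000017 198.51.100.7 mallory@example.com fail
1700000041 198.51.100.7 mallory@example.com ok
"""

MIN_ATTEMPTS = 5              # below this a ratio is too noisy to judge
FAIL_RATIO_THRESHOLD = 0.30   # the 30% failure guidance from the checklist
MIN_DISTINCT_USERS = 5        # stuffing cycles through many accounts
MAX_INTERVAL_CV = 0.10        # coefficient of variation; ~0 means scripted pacing


def parse_log(text):
    """Parse constructed log lines into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((int(ts), ip, user, outcome == "ok"))
    return events


def interval_cv(timestamps):
    """Coefficient of variation of inter-attempt gaps (0.0 = perfectly regular).

    Returns None when there are fewer than two gaps to compare.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def per_ip_stats(events):
    """Aggregate attempts, failure ratio, distinct users and pacing per client IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    stats = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        failures = sum(1 for e in evs if not e[3])
        stats[ip] = {
            "attempts": attempts,
            "fail_ratio": failures / attempts,
            "distinct_users": len({e[2] for e in evs}),
            "interval_cv": interval_cv([e[0] for e in evs]),
            # accounts this source logged into successfully: these need review
            "compromised": sorted({e[2] for e in evs if e[3]}),
        }
    return stats


def flag_stuffing(events):
    """Return {ip: {reasons, review_accounts}} for sources matching >= 2 signals."""
    flagged = {}
    for ip, s in per_ip_stats(events).items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        reasons = []
        if s["fail_ratio"] > FAIL_RATIO_THRESHOLD:
            reasons.append("high_failure_ratio")
        if s["distinct_users"] >= MIN_DISTINCT_USERS:
            reasons.append("many_distinct_accounts")
        cv = s["interval_cv"]
        if cv is not None and cv <= MAX_INTERVAL_CV:
            reasons.append("machine_pacing")
        if len(reasons) >= 2:
            flagged[ip] = {"reasons": reasons, "review_accounts": s["compromised"]}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Requiring at least two signals keeps a single user who fat-fingers a password from being flagged, while the scripted source trips all three. The `review_accounts` list is the actionable output: those are the accounts that accepted a stuffed credential and should be reset and reviewed, which is the same follow-up the checklist above recommends for flagged IPs.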
