The TLDR
When a service gets breached and passwords leak, attackers don’t just use them on that one site. They take every email/password combo and try them on thousands of other services — automatically, at scale. This is credential stuffing. It works because people reuse passwords. It works disturbingly well.
How it works
The breach
A database leaks. Could be a hack, could be a misconfigured server, could be an insider. Doesn’t matter how — what matters is the result: millions of email/password pairs are now circulating.
These datasets get sold, traded, and aggregated on forums and dark web markets. Some are free. Some cost less than a coffee.
The attack
Attackers feed these credentials into automated tools — tools purpose-built to try logins across hundreds of services simultaneously. They rotate through proxies to avoid rate limiting. They solve CAPTCHAs with services that cost fractions of a cent per solve.
The tools try the stolen credentials against:
- Email providers (Gmail, Outlook, Yahoo)
- Banking and financial services
- Social media platforms
- Streaming services (Netflix, Spotify, Disney+)
- Shopping sites (Amazon, eBay)
- Gaming platforms (Steam, PlayStation, Xbox)
A single run can test millions of credentials across dozens of services in hours.
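From the defender's side, the pattern described above is what you hunt for in authentication logs: one client trying many different accounts in a short window with an almost total failure rate. A legitimate user who forgets a password hammers one account from one place; a stuffing run hammers hundreds of accounts and succeeds on a handful. The detector below is an added example, not code from the original post; the log format, the thresholds and the sample lines are all constructed for the demo.

```python
"""Credential-stuffing detector over authentication log lines.

Added example (not from the original post). Each source IP is scored by how many
distinct accounts it attempted inside a sliding time window and what fraction of
those attempts failed. Log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
# 203.0.113.7 sprays ten accounts in five seconds and lands one (stuffing).
# 198.51.100.9 is a user retrying their own account (benign).
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:01 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:01 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:02 203.0.113.7 dave@example.com OK
2024-03-01T10:00:02 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:03 203.0.113.7 frank@example.com FAIL
2024-03-01T10:00:03 203.0.113.7 grace@example.com FAIL
2024-03-01T10:00:04 203.0.113.7 heidi@example.com FAIL
2024-03-01T10:00:04 203.0.113.7 ivan@example.com FAIL
2024-03-01T10:00:05 203.0.113.7 judy@example.com FAIL
2024-03-01T10:05:00 198.51.100.9 alice@example.com FAIL
2024-03-01T10:05:30 198.51.100.9 alice@example.com FAIL
2024-03-01T10:06:10 198.51.100.9 alice@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=8, max_success_rate=0.2):
    """Return {ip: stats} for source IPs whose traffic looks like stuffing.

    An IP is flagged when, within any `window`, it touched at least
    `min_accounts` distinct usernames and its success rate was at most
    `max_success_rate`. The stats kept are those of the widest matching window.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            rate = len(successes) / len(span)
            if len(users) >= min_accounts and rate <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_accounts"]:
                    flagged[ip] = {
                        "distinct_accounts": len(users),
                        "attempts": len(span),
                        "success_rate": rate,
                        # Accounts that did log in: these need a forced reset.
                        "compromised": sorted(successes),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The successful logins inside a flagged window are the important output: those are accounts whose password is known to the attacker, so a reset and a session revocation for them matters more than blocking the IP, which the proxy rotation described above will defeat anyway.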
The math
Industry estimates suggest credential stuffing success rates hover around 0.1% to 2%. That sounds low until you do the math:
- 1 billion leaked credentials (a realistic number from aggregated breaches)
- 0.1% success rate
- = 1,000,000 compromised accounts
From a single run.
Why it works
One reason: password reuse.
Studies consistently show that 50-65% of people reuse passwords across multiple services. Many use the same password everywhere. When one falls, they all fall.
The attackers don’t need to hack you. They just need to find the one service in your life that already got hacked — and bet that you used the same password somewhere else.
What you can do
The fix is straightforward but requires changing habits:
- Unique password per service. No exceptions. A password manager makes this painless.
- 2FA on everything critical. Even if a password leaks, the second factor blocks the login.
- Monitor breaches. haveibeenpwned.com lets you check and set up alerts.
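The "monitor breaches" step can also be automated for passwords rather than emails. haveibeenpwned.com exposes a Pwned Passwords range API that works on SHA-1 hashes with k-anonymity: the client sends only the first five hex characters of the hash and receives every suffix that shares that prefix, so the service never sees the password or even its full hash. The code below is an added example, not code from the original post or from the haveibeenpwned.com project; the endpoint shape is the real one, but the sample response body and its count are constructed so the check runs offline.

```python
"""Check a password against the Pwned Passwords range API (k-anonymity).

Added example, not from the original post. The real endpoint is
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, which
returns lines of "<remaining 35 hex chars>:<count>". Only the 5-char prefix
leaves the machine. SAMPLE_RANGE_BODY is a constructed stand-in for a response.
"""
import hashlib
import urllib.request

# Constructed response for prefix 5BAA6. The third suffix is the genuine
# remainder of SHA-1("password"); the counts are made up for the demo.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the SHA-1 hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup over the network; not used by the offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Number of times `password` appears in known breaches (0 = not seen).

    `fetch` maps a 5-char prefix to a range response body, so a canned body
    can be injected for offline use.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed body for 5BAA6."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody has leaked yet"):
        print(repr(pw), "seen", breach_count(pw, fetch=offline_fetch), "times")
```

A count above zero means the password is already in circulation and will be in the next stuffing run whether or not your own service was ever breached; treat it as burned and force a change, ideally at signup and password-change time before it is accepted at all.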
The password you set for that random forum in 2014? It’s in a database. If you used it anywhere else, that’s not a question of if — it’s a question of when.
Related Deep Dives
- Authentication Deep Dive — the protocols and mechanisms that credential stuffing exploits