Brute force guesses passwords. Credential stuffing already has them.
That distinction matters because the defenses are different, and most people conflate the two. If you lock an account after five failed attempts, you stop a brute force attack. You do almost nothing to stop credential stuffing.
What Credential Stuffing Actually Is
When a company gets breached and loses its user database, those credentials get sold, traded, and published. Have I Been Pwned tracks over 14 billion compromised accounts as of 2026. That number grows every month.
Attackers take those leaked username and password combinations and run them against other services. The bet they are making: most people reuse passwords. Studies consistently put password reuse rates above 60 percent. On a list of one million leaked credentials, that means 600,000 of them will open an account somewhere else.
The process is automated. Tools like OpenBullet and Sentry MBA accept a credential list and a target site, then test each combination at scale, rotating proxies to avoid IP-based rate limiting. A well-configured attack can test tens of thousands of credentials per hour without triggering standard lockout policies.
Why Account Lockout Fails Here
Brute force attacks throw guess after guess at the same account, failing repeatedly until one succeeds. That pattern is easy to detect. Five failed attempts, lock the account.
Credential stuffing uses valid passwords. The failure rate on a good credential list is low, which means the attack does not produce the failure signal that lockout policies watch for. The attacker is not guessing. They are confirming.
In 2019, Disney+ launched, and within hours thousands of accounts were being sold on hacking forums. The passwords were correct. Disney had not been breached. Attackers had simply run credential lists from other breaches against Disney+ accounts and found that a percentage of users had reused their passwords.
Akamai’s 2020 State of the Internet report recorded 193 billion credential stuffing attacks across the year. That is not a niche threat.
What Actually Stops It
Multi-factor authentication. A valid username and password combination is not enough to log in if the account requires a second factor. This is the most effective control. A stolen password without the second factor is useless.
Breach monitoring. Services like Have I Been Pwned offer an API that lets applications check whether a submitted password appears in known breach databases. If someone tries to log in with a password from a known breach, block it and force a reset regardless of whether it is “correct.”
Behavioral analysis. Credential stuffing attacks tend to come from unusual geographies, use headless browsers, and produce login patterns that differ from normal users. Velocity checks on successful logins, not just failed ones, can surface this.
Credential alerts. Password managers like 1Password and Bitwarden now monitor whether stored credentials appear in breach databases and alert users. The fix requires users to actually change the reused password, which is a social problem as much as a technical one.
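As an added illustration of the velocity check on successful logins (example code, not from the original post), the Python below runs a classic per-account lockout rule and a per-source success-velocity rule over the same constructed auth log. The log format, field names, thresholds and addresses are assumptions; the point is that the lockout rule sees nothing while the success-velocity rule flags the stuffing source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one source IP logs into many
# distinct accounts, mostly on the first try, alongside one ordinary user.
SAMPLE_LOG = """\
2026-01-10T09:00:01 src=203.0.113.7 user=alice result=success
2026-01-10T09:00:03 src=203.0.113.7 user=bob result=success
2026-01-10T09:00:05 src=203.0.113.7 user=carol result=fail
2026-01-10T09:00:07 src=203.0.113.7 user=dave result=success
2026-01-10T09:00:09 src=203.0.113.7 user=erin result=success
2026-01-10T09:00:11 src=203.0.113.7 user=frank result=success
2026-01-10T09:00:13 src=203.0.113.7 user=grace result=success
2026-01-10T09:03:00 src=198.51.100.20 user=heidi result=fail
2026-01-10T09:03:10 src=198.51.100.20 user=heidi result=success
"""

def parse(line):
    ts, src, user, result = line.split()
    return (datetime.fromisoformat(ts), src.split("=", 1)[1],
            user.split("=", 1)[1], result.split("=", 1)[1])

def lockout_alerts(log, max_failures=5):
    """Brute-force control: N consecutive failures against one account."""
    failures = defaultdict(int)
    alerts = set()
    for _, _, user, result in map(parse, log.splitlines()):
        if result == "fail":
            failures[user] += 1
            if failures[user] >= max_failures:
                alerts.add(user)
        else:
            failures[user] = 0  # a success resets the per-account counter
    return alerts

def success_velocity_alerts(log, window=timedelta(minutes=5), max_accounts=5):
    """Stuffing control: distinct accounts logged in successfully per source."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) successes
    alerts = set()
    for ts, src, user, result in map(parse, log.splitlines()):
        if result != "success":
            continue  # only successes matter here; failures are noise
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop successes that fell outside the window
        if len({u for _, u in q}) >= max_accounts:
            alerts.add(src)
    return alerts
```

On this log, lockout_alerts returns an empty set while success_velocity_alerts returns the stuffing source address.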
The Real Problem
The reason credential stuffing works is not that attackers are sophisticated. It is that password reuse is endemic and most authentication systems were not designed to account for the existence of leaked credential databases at this scale.
The attack has been viable since at least 2014, when a credential stuffing toolkit called Blackbullet first appeared. The credential databases have only grown since then. Every major breach adds to the pool that attackers draw from.
Fixing it on the defender side means requiring MFA, checking passwords against breach databases at login, and building detection that watches for the success patterns of credential stuffing rather than just the failure patterns of brute force. The tools exist. Most systems just have not implemented them.
Written by Mario Martinez Jr. (ku5e / Gary7) | TryHackMe Profile | blog.ku5e.com
