hacked.com

Credential Stuffing

Credential stuffing is when attackers use stolen username and password combinations (often from breaches) and test them across other services to find reused passwords.

Why it matters for account recovery

Stuffing matters for recovery because it turns one breach into many compromises. If you reuse passwords, a breach you did not cause can still become your incident.

It also changes the right response. You do not only reset one account. You reset all accounts where reuse existed, starting with the control plane.

Common failure modes and misconceptions

  • Password reuse: Reuse is the primary fuel. Without reuse, stuffing loses most of its value.
  • Weak detection and lockout strategy: Stuffing and spraying differ. Both require monitoring, rate limits, and anomaly detection.
  • Ignoring sessions: If an attacker logs in once, they may keep access through session hijacking even after a password change.

Safe best practices

  • Use a password manager and unique passwords for every account.
  • Enable strong authentication (see 2FA).
  • After a breach, rotate passwords where reuse existed and end sessions on high-value accounts.
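
The response described above (reset every account where reuse existed, control plane first, and end sessions on high-value accounts) can be worked out from a password-manager export. This is an added example, not code from hacked.com; the vault entries are constructed, and the category names and the choice of which categories count as control plane or high-value are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: account categories that can reset or unlock other accounts.
CONTROL_PLANE = {"email", "password_manager", "identity_provider"}
# Assumption: categories treated as high-value when deciding to end sessions.
HIGH_VALUE = CONTROL_PLANE | {"finance"}

# Constructed sample vault, shaped like a password-manager export.
VAULT = [
    {"site": "forum.example", "category": "social", "password": "Tr0ub4dor&3"},
    {"site": "mail.example", "category": "email", "password": "Tr0ub4dor&3"},
    {"site": "bank.example", "category": "finance", "password": "Tr0ub4dor&3"},
    {"site": "shop.example", "category": "shopping", "password": "Tr0ub4dor&3"},
    {"site": "news.example", "category": "media", "password": "unique-7f3a-news"},
    {"site": "vault.example", "category": "password_manager", "password": "long-unique-phrase"},
]

def rotation_plan(vault, breached_site):
    """Return [(site, end_sessions)] for every account that shares a password
    with breached_site, ordered control plane first."""
    key = os.urandom(32)  # per-call key: fingerprints are useless outside this call

    def fingerprint(password):
        # Keyed hash so plaintext passwords are never used as dict keys.
        return hmac.new(key, password.encode(), hashlib.sha256).digest()

    by_password = defaultdict(list)
    for entry in vault:
        by_password[fingerprint(entry["password"])].append(entry)

    leaked = {fingerprint(e["password"]) for e in vault if e["site"] == breached_site}
    if not leaked:
        raise KeyError(f"{breached_site} is not in the vault")
    exposed = {e["site"]: e for fp in leaked for e in by_password[fp]}

    def rank(entry):
        if entry["category"] in CONTROL_PLANE:
            return 0
        return 1 if entry["category"] in HIGH_VALUE else 2

    ordered = sorted(exposed.values(), key=lambda e: (rank(e), e["site"]))
    return [(e["site"], e["category"] in HIGH_VALUE) for e in ordered]

if __name__ == "__main__":
    for site, end_sessions in rotation_plan(VAULT, "forum.example"):
        print(site, "rotate password" + (" and end sessions" if end_sessions else ""))
```

Accounts with a unique password, such as news.example and vault.example in the sample, stay out of the plan for the forum breach.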

Credential stuffing is a math problem: attackers win when one password opens multiple doors. Unique passwords remove that leverage.