Credential-related threats and attacks are among attackers' most widely used vectors. Credential stuffing is one technique: stolen or otherwise compromised account credentials—typically in a database or list format—are used to gain unauthorized access to resources using highly scalable automation processes.
Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and email addresses with the corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords: the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks such as Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet. Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.
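The difference between stuffing and cracking described above shows up in authentication logs, and a defender can use it for triage. The following is an added example, not code from this page or from any product it mentions; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
SAMPLE_EVENTS = (
    # One attempt per account, almost all failing: stuffing-shaped traffic
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # Many attempts against one account: guessing/cracking-shaped traffic
    + [("198.51.100.9", "admin", False)] * 30
    # An ordinary user mistyping once
    + [("192.0.2.4", "alice", False), ("192.0.2.4", "alice", True)]
)

def classify_sources(events, min_attempts=20, min_fail_ratio=0.8):
    """Label each source by the shape of its login traffic.

    Thresholds are illustrative assumptions and need tuning per application.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
        users[ip].add(user.lower())

    verdicts = {}
    for ip, n in attempts.items():
        if n < min_attempts or failures[ip] / n < min_fail_ratio:
            verdicts[ip] = "normal"
            continue
        # Stuffing replays one known pair per account, so nearly every
        # attempt names a different user; guessing hammers a few accounts.
        spread = len(users[ip]) / n
        verdicts[ip] = ("credential_stuffing" if spread >= 0.5
                        else "password_guessing")
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a stuffing-flagged source logged in to successfully."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v, accounts_to_reset(SAMPLE_EVENTS, v))
```

Grouping by source address is the simplest key; when attempts are spread across many addresses, the same ratio can be computed per user agent, network or time window.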
Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.
—Verizon 2020 Data Breach Investigations Report
43% of all logins seen by Akamai were attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet.
—Akamai State of the Internet Q4 2017
Between January 1, 2018, and December 31, 2019, Akamai recorded more than 88 billion credential stuffing attacks across all industries. When we look specifically at the media sector, which includes streaming media, television networks, cable networks, broadcasting, and even digital publishing and advertising, that number is about 17 billion, or about 20% of all attacks.
Scirge gives organizations the tools to discover and manage Shadow IT by tracking where and how corporate credentials are used across SaaS, supply-chain, GenAI, and other web applications. It helps discover Shadow SaaS and Shadow AI, and identify risks like password reuse, shared accounts, and phishing, while providing real-time awareness messages, automated workflows, and actionable insights.