A Monday Morning at 2:47 AM
The authentication logs for a mid-sized financial services firm showed 340,000 login attempts across a six-hour window. The attempts came from 28,000 distinct IP addresses, each submitting two to four requests before moving on. The username-password pairs were sourced from a breach dataset sold on a Russian-language forum three weeks earlier. By the time the security team reviewed the alerts the following morning, 1,200 accounts had been successfully accessed. Eleven of those accounts belonged to customers with balances over $50,000.
This is credential stuffing in its current form: patient, distributed, and calibrated specifically to avoid the detection thresholds most teams set years ago and have not revisited since.
What Credential Stuffing Actually Looks Like in 2025 and 2026
Credential stuffing differs from brute force attacks in one fundamental way. Attackers are not guessing passwords. They are testing known username-password pairs harvested from previous breaches, phishing campaigns, and infostealer logs. The success rate per attempt is low, typically between 0.1% and 2%, but the volume of available credentials makes even low success rates operationally profitable.
The threat has grown more sophisticated in direct proportion to defensive improvements. Early credential stuffing campaigns used single IP addresses and predictable user-agent strings. Modern campaigns use residential proxy networks, CAPTCHA-solving services, and increasingly, LLM-assisted tooling that can adapt request behavior in real time to mimic legitimate browsing patterns. The emergence of automated attack frameworks described in research around JadePuffer's LLM-driven ransomware attack illustrates how artificial intelligence is accelerating attacker capabilities across all categories of automated abuse, including authentication attacks.
The 0ktapus campaign, which compromised over 130 organizations, demonstrated how credential stuffing and phishing operate in concert. Stolen credentials from one breach feed the next wave of stuffing attempts, creating a compounding problem across industries. When one organization's breach feeds the next attack cycle, the velocity of exposure accelerates faster than most credential rotation policies can respond.
Building a Detection Architecture That Matches Current Attack Patterns
Signal Collection Beyond Failed Logins
The most common mistake in credential stuffing detection is treating failed login counts as the primary signal. Attackers who have refined their approach already know your lockout thresholds. They design their campaigns to stay below those thresholds per account while scaling horizontally across thousands of accounts simultaneously.
Effective detection requires correlating multiple signal types simultaneously:
- Successful authentication velocity: A sudden spike in successful logins from new device fingerprints or unfamiliar ASNs warrants immediate investigation, even when no lockouts have triggered.
- Geographic discontinuity: A user authenticating from Chicago at 9:00 AM and then again from a Bucharest IP address at 9:15 AM is a high-confidence anomaly regardless of whether the password matched on the first try.
- User-agent and TLS fingerprint clustering: Stuffing tools often produce consistent TLS fingerprints (JA3 or JA4) across thousands of requests even when rotating IP addresses. Collecting and correlating these fingerprints at the application layer catches campaigns that successfully evade IP-based controls.
- Credential pair reuse signals: If the same password appears across authentication attempts for multiple different usernames within a short window, the source is almost certainly a stuffing tool working through a list.
- Session behavior post-authentication: Legitimate users who log in navigate in predictable patterns. Automated sessions often hit account information endpoints, payment methods, or personal data fields within seconds of authentication with no preceding browsing activity.
The Residential Proxy Problem
Residential proxies are the single most effective tool attackers use to defeat IP-based controls. These are IP addresses assigned to legitimate consumer ISP subscribers whose devices have been enrolled in a proxy network, often without the subscriber's knowledge. Requests from these IPs look indistinguishable from genuine user traffic at the IP reputation layer.
Detection at this layer requires moving beyond IP reputation scores. Useful signals include:
- ASN classification that distinguishes residential ISPs from commercial or hosting providers, combined with unusual authentication timing patterns for that ASN.
- Behavioral biometrics during the login form interaction, specifically keystroke timing, mouse movement patterns, and form field interaction sequences. Stuffing tools fill and submit forms in milliseconds. Humans do not.
- Device fingerprint consistency across sessions. A legitimate residential user accessing your application typically does so from a consistent device profile. A residential proxy IP cycling through stuffing attempts will show wildly inconsistent device fingerprints across requests.
Implementing Risk-Based Authentication Scoring
Static authentication policies, the kind that lock an account after five failed attempts or require a second factor only for users flagged by a simple IP blocklist, fail against modern credential stuffing for the reasons already described. A risk-based authentication model assigns a dynamic risk score to each authentication event based on a combination of signals evaluated in real time.
A practical implementation for an enterprise environment might score each login attempt across the following dimensions:
- IP reputation and classification: Hosting ASN, known proxy or VPN, Tor exit node, or clean residential. Each classification carries a different risk weight.
- Device fingerprint match: Does the fingerprint match a previously seen device for this account? First-seen devices carry higher risk scores.
- Geographic plausibility: Based on the account's historical access patterns, is this geographic location plausible? A user who has never authenticated from outside the United States accessing from Eastern Europe scores significantly higher risk.
- Credential pair exposure check: Has this specific password been seen in known breach datasets? Services like the Have I Been Pwned API or internal enrichment pipelines can flag compromised credentials at authentication time.
- Behavioral timing: How long did the user spend on the login page before submitting? How did they interact with form fields?
Scores above a low threshold prompt step-up authentication, such as an email verification link or TOTP code. Scores above a high threshold block the attempt and trigger an alert for analyst review. This approach avoids the false positive overhead of blanket blocking while ensuring that high-risk attempts face friction proportional to their risk.
Technical Controls That Reduce Attack Surface
WebAuthn and Phishing-Resistant MFA
The most effective single control against credential stuffing is eliminating the password as a sufficient authentication factor. WebAuthn-based authentication, which binds the credential to a specific origin and device, makes stuffed credentials fundamentally useless. Even if an attacker has the correct username and password for an account, a WebAuthn passkey or hardware security key cannot be replicated from a breach dataset.
Recent work on adding WebAuthn to browser-based environments, including RDP clients, demonstrates that the technology has matured beyond traditional web applications. Deploying WebAuthn for administrative access, high-privilege accounts, and any application handling sensitive data should be a near-term priority for security teams. For consumer-facing applications where hardware key adoption is impractical at scale, passkey enrollment over TOTP remains a meaningful improvement because passkeys are phishing-resistant and device-bound.
For environments where legacy authentication cannot be immediately replaced, enforcing TOTP or push notification MFA for all accounts eliminates the usefulness of stuffed credentials for attackers who lack access to the second factor.
CAPTCHA and Proof-of-Work Friction
CAPTCHA systems have a well-documented arms race problem. CAPTCHA-solving services process image challenges for fractions of a cent per solve, and LLM-assisted vision models can now solve many text and image CAPTCHAs without human intervention. That said, CAPTCHA remains a useful layer when deployed intelligently rather than universally.
Triggering CAPTCHA based on risk score rather than universally reduces user friction while maintaining coverage against automated attempts. A first-time login from a new device on a residential IP that has shown unusual timing patterns warrants a CAPTCHA challenge. A returning user on a known device from their typical location does not need one.
Invisible CAPTCHA implementations and proof-of-work challenges, which require the client to perform a computational task before the login request is accepted, add meaningful cost to high-volume attacks without visible friction for legitimate users. These approaches are particularly effective because they make the economics of credential stuffing less favorable. Attacking 10 million accounts at scale becomes computationally expensive when each request requires proof-of-work completion.
Rate Limiting With Distributed State
Rate limiting applied per IP address fails against distributed stuffing campaigns by design. Modern rate limiting for authentication endpoints needs to track state across multiple dimensions simultaneously, not just IP address.
A practical implementation uses a combination of:
- Per-account attempt rates, enforced globally across all originating IPs.
- Per-subnet attempt rates to catch distributed campaigns operating from a shared address block.
- Per-device-fingerprint rates to catch tools that cycle IP addresses but maintain a consistent client identity.
- Global authentication velocity monitoring to detect campaign-level patterns even when individual account or IP thresholds have not triggered.
Rate limiting state needs to be stored in a distributed cache accessible to all authentication service instances, not in local application memory. Teams running authentication services behind load balancers without a shared rate limiting backend are effectively applying rate limits per server instance, which means a campaign that distributes requests across backend servers can exceed safe thresholds on aggregate while staying below limits on each individual instance.
Operationalizing Threat Intelligence for Credential Stuffing Defense
Breach Data Monitoring and Proactive Credential Invalidation
Credential stuffing depends on credentials that remain valid long after the breach that exposed them. Reducing the window during which stuffed credentials succeed requires monitoring breach disclosure channels and invalidating potentially exposed credentials proactively.
This means establishing subscriptions to breach notification services, monitoring threat intelligence feeds for dataset mentions of your organization's domains, and building automated workflows that force password resets for accounts whose credentials appear in newly disclosed breach datasets. The tooling for this exists and is accessible. The gap is usually a process one: security teams receive breach intelligence but lack a direct pipeline into the identity management system to act on it at speed.
Intelligence from campaigns like the 0ktapus operations, which targeted identity providers and SSO systems specifically to harvest credentials usable across multiple downstream applications, reinforces the value of monitoring credential exposure across your entire identity surface, not just your primary authentication system.
Sharing Indicators Across Trust Groups
Credential stuffing campaigns frequently target multiple organizations in the same industry vertical within the same campaign cycle. IP addresses, user-agent strings, and TLS fingerprints observed during an active attack on your environment are likely being used against your industry peers simultaneously or shortly afterward.
Participating in ISACs or industry-specific threat sharing groups and contributing observed attack indicators creates collective defense value that disproportionately benefits all members. An organization that observes and shares a residential proxy ASN cluster used in an active stuffing campaign gives peer organizations the opportunity to apply preemptive friction before the campaign reaches them. The insights coming out of compromise assessment projects across industries consistently highlight the same theme: threats that were visible in one organization's logs appeared in peer environments days or weeks earlier, but the indicators were not shared in time to be useful.
Incident Response When Stuffing Succeeds
Scoping the Compromise
When a credential stuffing campaign results in successful account access, the first priority is accurate scoping. How many accounts were accessed? What actions did the attacker take within those sessions? What data was accessed or exfiltrated? What downstream systems might be accessible from the compromised accounts?
Authentication logs alone are insufficient for scoping. You need application-layer session logs that capture what the authenticated session actually did. If your application logs authentication events but not post-authentication activity, scoping a stuffing incident becomes an exercise in guesswork, which creates both regulatory and liability exposure.
Preserve full session logs for the attack window before beginning account remediation. Remediating accounts first can destroy forensic evidence needed to determine what actions were taken under the compromised sessions.
Immediate Containment Actions
Once the scope is established, the containment sequence for a credential stuffing incident typically follows this order:
- Force password resets on all accounts where successful authentication was recorded from anomalous sources during the attack window.
- Invalidate all active sessions for affected accounts to terminate any ongoing attacker access.
- Apply temporary friction increases, such as mandatory MFA for all logins or step-up authentication for all new device fingerprints, to disrupt any ongoing campaign activity while investigation continues.
- Extract and share IP address, ASN, TLS fingerprint, and user-agent indicators from the attack traffic with your threat intelligence team for enrichment and potential sharing with peer organizations.
- Notify affected account holders with clear guidance on what occurred and what actions they should take, including checking other accounts where they may have reused the same credentials.
Measuring the Effectiveness of Your Controls Over Time
Credential stuffing defenses that are deployed but never measured against actual attack patterns drift out of alignment with the threat faster than most teams recognize. The attack surface evolves continuously. Proxy networks expand. New tooling circumvents existing CAPTCHA implementations. Rate limiting thresholds that were appropriate for attack volumes two years ago may be miscalibrated for current campaign scales.
Establish quarterly reviews of your authentication security posture that include: analysis of authentication failure patterns to identify new campaign signatures, red team exercises that simulate credential stuffing using current commercial tooling, and measurement of false positive rates on your risk-based authentication scoring to ensure legitimate users are not experiencing unacceptable friction.
Track the metric that actually matters for stuffing defense: the ratio of successful logins from first-seen device fingerprints that subsequently exhibit high-risk post-authentication behavior. A rising trend in this metric indicates that your detection and friction controls are not keeping pace with attacker sophistication, regardless of what your blocked request counts look like.
The Bigger Picture
Credential stuffing succeeds because the economics favor attackers. Breach datasets are cheap, proxy infrastructure is accessible, and the potential return from a single successful account takeover in financial services, healthcare, or e-commerce far exceeds the cost of the campaign. The defenders who consistently contain these attacks are not the ones with the most aggressive blocking rules. They are the ones who have made the attacker's economics unfavorable through layered friction, fast detection, and controls that cannot be defeated by simply rotating IP addresses.
Phishing-resistant authentication, risk-based step-up challenges, distributed rate limiting, behavioral analysis, and proactive credential invalidation each reduce the success rate of stuffing campaigns. Applied together, they push the attacker's cost of achieving meaningful success high enough that campaigns move to easier targets. That outcome is achievable with existing technology. The gap, as it almost always is, is in consistent implementation and ongoing measurement.