The Problem Hiding in Plain Sight on Your Login Endpoints
Most organizations discover credential stuffing campaigns the same way: a spike in failed logins triggers an alert, the team investigates, blocks a handful of IPs, and closes the ticket. Three days later, the same campaign resumes from a fresh rotation of residential proxies, and the detection clock resets to zero. The response felt complete. The attack was not.
Credential stuffing has matured from a blunt-force tactic into a precision operation. Attackers today source breach databases strategically, validate credentials quietly against low-friction endpoints, and then monetize access through account takeover, fraud, or lateral movement into enterprise environments. The assumption that MFA and IP blocking are sufficient controls is the exact belief that modern stuffing infrastructure is designed to exploit.
This article is written for the security engineers and IT administrators who manage authentication infrastructure, review access logs, and own the policies around account protection. The goal is to move past the surface-level advice and address the mechanics of what modern stuffing operations actually look like, and what defense in depth genuinely requires.
What the Attack Infrastructure Actually Looks Like in 2025 and 2026
Recent threat intelligence reporting has made one thing clear: the tooling and infrastructure behind credential stuffing have converged with broader adversary tradecraft. The 0ktapus campaign, which compromised over 130 organizations, demonstrated how stolen credentials harvested through phishing feed directly into automated stuffing operations at scale. Credentials do not sit idle after a breach. They enter a pipeline.
That pipeline typically has several distinct stages. First, threat actors acquire or compile credential lists from fresh breach data, dark web markets, and Telegram channels. Second, they validate credentials at scale using tools like SentryMBA, STORM, or purpose-built scripts targeting specific application APIs. Third, validated accounts are sorted by value, with access to financial services, email platforms, and enterprise SaaS applications commanding the highest prices.
The infrastructure supporting these operations increasingly relies on residential proxy networks, which route malicious traffic through legitimate consumer IP addresses. This defeats IP reputation scoring and most traditional blocklist-based defenses. Attackers using these proxies generate login attempts that are practically indistinguishable from legitimate user traffic based on IP reputation alone.
The emergence of LLM-assisted attack development, highlighted in reporting on JadePuffer and concerns around Chinese LLMs broadening the attacker-defender capability gap, has also begun influencing credential attack tooling. Automation that previously required technical expertise is increasingly accessible to lower-skilled threat actors, which expands the volume of campaigns organizations must defend against.
Why MFA Alone Does Not Close the Exposure
Multifactor authentication remains one of the most effective controls against credential stuffing, but organizations frequently implement it in ways that leave meaningful gaps. The gaps matter because attackers adapt to partial MFA deployments almost immediately.
Legacy authentication protocols are the most commonly exploited gap. Applications that still support basic authentication, or services that expose endpoints accepting username-password pairs without triggering MFA challenges, become the path of least resistance. Exchange Web Services, IMAP, POP3, and certain legacy API authentication flows all fall into this category. Attackers specifically probe for these endpoints because disabling them in the identity provider does not automatically disable them at the application layer.
SMS-based MFA presents a second gap. SIM-swapping attacks, SS7 interception, and real-time phishing proxies all allow attackers to intercept one-time codes. The 0ktapus campaign specifically deployed adversary-in-the-middle phishing kits that captured MFA tokens in real time and replayed them before they expired. Organizations relying on SMS OTP for high-value accounts should treat that factor as insufficient for privileged access.
The strongest available control is phishing-resistant MFA, specifically FIDO2/WebAuthn. The publication of work on adding WebAuthn to browser-based RDP clients is a useful signal for security teams: the technical community is actively extending phishing-resistant authentication to more contexts. Where WebAuthn is not yet deployable, TOTP with short-lived tokens paired with behavioral analytics provides a meaningful improvement over SMS.
Today: Immediate Controls You Can Implement This Week
Audit Your Authentication Attack Surface
Before deploying additional controls, map every endpoint in your environment that accepts username-password pairs. This includes primary login flows, password reset endpoints, account recovery mechanisms, mobile API authentication endpoints, and any OAuth or SAML service provider callbacks that fall back to local credentials. Each of these is a potential stuffing target, and they frequently have inconsistent rate limiting, logging, and alerting applied to them.
Pay particular attention to non-browser authentication flows. Legacy protocol endpoints are frequently excluded from conditional access policies that apply to browser-based logins. Disabling basic authentication at the identity provider level while leaving legacy application endpoints active creates a false sense of protection.
Implement Behavioral Rate Limiting on Authentication Endpoints
Rate limiting based on IP address is a necessary baseline, but it is not sufficient against distributed stuffing operations. Effective behavioral rate limiting tracks velocity across multiple dimensions simultaneously: requests per user account per time window, requests originating from the same device fingerprint regardless of IP, and the ratio of failed to successful authentications across a session cohort.
Specifically, set per-account lockout thresholds that are low enough to catch credential validation but high enough to avoid locking out legitimate users due to password manager errors. A threshold of five failed attempts per account within a ten-minute window, with progressive delays rather than hard lockouts, balances security against support burden. Hard lockouts create denial-of-service conditions that attackers can weaponize against accounts they already know are active.
Deploy a Web Application Firewall Rule Set for Authentication Endpoints
WAF rules specifically targeting authentication abuse patterns provide a layer of detection that operates independently of your application logic. Effective rules for stuffing defense include anomaly scoring based on User-Agent consistency, HTTP header ordering that deviates from known browser profiles, and high-volume requests to authentication endpoints from single ASNs. The last point is worth emphasizing: while residential proxy networks distribute traffic across many IPs, they often cluster within specific ASN ranges depending on the provider. Monitoring ASN-level authentication volume provides signal that IP-level analysis misses.
This Week: Strengthening Detection and Response Capability
Build Authentication Telemetry That Actually Surfaces Patterns
Authentication logs are the primary evidence source for credential stuffing, and most organizations collect them without analyzing them at the resolution required to catch low-and-slow attacks. Effective authentication telemetry requires correlating across at least five data points per authentication event: timestamp, source IP, user agent string, target account, and outcome. Adding device fingerprint, geographic location, and ASN turns this into a dataset capable of surfacing statistical anomalies.
The pattern to look for in stuffing attacks is high volume of attempts across many distinct accounts from a coherent infrastructure set, with a low but nonzero success rate. A 0.1 percent success rate across 50,000 attempts still yields 50 compromised accounts. That ratio frequently falls below alert thresholds tuned to catch brute-force attacks on individual accounts.
Implement a SIEM query or detection rule that surfaces cohorts of accounts receiving failed authentication attempts within a shared time window from sources sharing ASN, user agent, or request pattern characteristics. Run this query on a rolling 15-minute basis against your authentication logs and alert when the cohort size exceeds a baseline derived from normal traffic patterns.
Integrate Leaked Credential Monitoring Into Account Protection
Services like Have I Been Pwned, SpyCloud, and similar commercial threat intelligence platforms continuously index breach data and can alert you when credentials associated with your user base appear in new dumps. Integrating these feeds into your identity management workflow allows you to proactively force password resets for at-risk accounts before attackers attempt to use those credentials.
The integration approach matters. Batch comparisons run weekly are too slow: credential stuffing campaigns often launch within 48 hours of a breach database being published. Continuous monitoring with near-real-time alerting, combined with automated enforcement of password reset requirements, substantially reduces the window of exposure.
Evaluate Your Account Recovery Flow for Abuse Potential
Account recovery endpoints are systematically underprotected relative to primary login flows. Attackers who find that the login endpoint is adequately defended frequently pivot to password reset flows, which often have weaker rate limiting, rely on SMS OTP, and can be abused to lock legitimate users out of their accounts.
Audit your account recovery flow for the following: the number of reset attempts allowed per account per hour, whether the reset link delivery method can be intercepted, whether the reset flow validates the requesting device against account history, and whether successful resets generate real-time alerts to the account holder. Each of these is a point of exposure that credential stuffing operations actively probe.
This Quarter: Structural Changes That Reduce Long-Term Exposure
Deploy Phishing-Resistant Authentication for High-Value Accounts
Prioritize FIDO2/WebAuthn deployment for accounts with elevated access: administrators, executives, finance personnel, and anyone with access to sensitive data or production systems. Browser-based WebAuthn is now broadly supported across major platforms, and hardware security key adoption for privileged accounts is operationally feasible for most organizations.
For endpoints and use cases where hardware keys are impractical, passkey implementations stored in platform authenticators provide phishing resistance without requiring additional hardware. The key property of FIDO2 authentication is that the credential is cryptographically bound to the origin, which means that even if an attacker intercepts a login session, they cannot replay the authentication factor against a different endpoint or at a different time.
Implement a Continuous Authentication Signal
Point-in-time authentication tells you who logged in, not whether the session that followed belongs to that person. Credential stuffing that achieves account access leads to session activity that frequently deviates from the legitimate account holder's behavioral baseline. Continuous authentication signals that monitor session behavior, including navigation patterns, typing cadence, mouse movement characteristics, and request sequencing, can identify account takeover after successful authentication.
This is particularly relevant for SaaS applications where session tokens have long validity periods. An attacker who stuffs credentials and establishes a session at 2 AM has until token expiry to operate undetected unless behavioral analytics are generating signals during the session itself.
Establish a Credential Stuffing Incident Response Playbook
Reporting from compromise assessment projects, including findings from teams responding to enterprise breaches, consistently identifies response gaps as a major factor in how badly credential stuffing incidents compound. By the time a campaign is confirmed, attackers have often already validated a full credential list, established persistent access on successful accounts, and exfiltrated high-value data.
A specific credential stuffing playbook should define: the detection threshold that triggers investigation, the initial scoping steps to determine how many accounts were successfully accessed, the process for forcing session termination and password resets on confirmed compromised accounts, the timeline for notifying affected users, and the post-incident review process for tuning detection thresholds. Running a tabletop exercise against this playbook before an incident occurs is the difference between a coordinated response and an improvised one.
The Role of Threat Intelligence in Proactive Defense
Credential stuffing operations leave infrastructure footprints that threat intelligence can surface before attacks reach your environment. Threat actors running large-scale stuffing campaigns reuse proxy pool configurations, tooling signatures in HTTP request headers, and timing patterns across multiple targets. Organizations that share indicators of compromise through platforms like the Financial Services ISAC, the Health-ISAC, or sector-specific intelligence sharing groups frequently receive early warning of campaigns that have hit peer organizations before those same campaigns pivot to them.
The intelligence sharing dynamic highlighted in recent reporting on persistent threat groups, including the Gamaredon group's continued operational evolution and the exposure of modular C2 frameworks used by Iranian-linked actors, reinforces a broader principle: attacker infrastructure reuse creates detection opportunities. The same discipline that allows defenders to track nation-state actors across campaigns applies to criminal credential stuffing operations. Tooling signatures, ASN preferences, and timing characteristics all carry investigative value.
For organizations without dedicated threat intelligence capacity, subscribing to a commercial threat intelligence feed that includes credential exposure monitoring, dark web alerting, and active campaign tracking provides meaningful coverage with manageable operational overhead.
A Word on Passwordless Futures and Present-Day Gaps
The trajectory of authentication security points toward passwordless architectures, and for good reason. Credentials that do not exist cannot be stuffed. Organizations making roadmap decisions should treat passwordless authentication as a strategic objective rather than a distant aspiration. Passkey support in major identity providers and browsers has reached a level of maturity that makes pilot deployment feasible for consumer-facing applications, not just internal enterprise tools.
The gap between where organizations are today and a fully passwordless posture is real, and it requires defending with the layered controls described throughout this article. The mistake is treating the eventual goal as a reason to defer present-day hardening. Stuffing campaigns are active right now, sourcing credentials from last month's breaches and hitting authentication endpoints today. The organizations that come through those campaigns intact are the ones that applied practical controls at each layer of their authentication stack, not the ones waiting for a single transformative solution.
Key Takeaways for Security Teams
- Audit every authentication endpoint in your environment, including legacy protocol flows that bypass MFA policies, before adding new controls.
- Rate limiting based on per-account velocity and behavioral cohort analysis catches distributed stuffing that IP-based controls miss.
- Integrate continuous leaked credential monitoring with automated enforcement rather than running batch checks on a weekly schedule.
- Deploy FIDO2/WebAuthn for privileged accounts as a near-term priority, not a long-term roadmap item.
- Build authentication telemetry that surfaces low success-rate campaigns across large account cohorts, since those fall below thresholds tuned for single-account brute force.
- Establish and exercise a credential stuffing incident response playbook before the campaign arrives, because response gaps compound faster than most teams anticipate.