23 Billion Stolen Credentials Are Circulating Right Now
In 2020, Digital Shadows found more than 15 billion stolen credentials for sale on dark web markets — and that number has only climbed since. Every single one of those username-password pairs is ammunition for a credential stuffing attack. This isn't theoretical. It's the most efficient, scalable, and automated method threat actors use to break into accounts at massive scale — and your organization is almost certainly in the crosshairs.
A credential stuffing attack exploits one simple, devastating human habit: password reuse. Attackers take credentials stolen from one breach and systematically try them against hundreds of other services. If your employees use the same password for their personal email and your company's VPN, a breach at a completely unrelated platform puts your entire network at risk.
I've seen this play out firsthand. A mid-sized logistics company I consulted for in early 2021 discovered that 340 employee accounts on their cloud platform had been compromised — not through phishing, not through malware, but because a credential dump from a years-old LinkedIn breach still contained active passwords. The attackers logged in like they owned the place. No alarms. No brute force. Just valid credentials.
How a Credential Stuffing Attack Actually Works
Let's break down the mechanics. A credential stuffing attack isn't a brute force attack — it's far more surgical. Here's the sequence:
- Step 1: Acquire credential dumps. Attackers buy or download massive lists of email/password combinations from previous data breaches. Collections like "Collection #1" (which surfaced in January 2019 with roughly 773 million unique email addresses and 21 million unique passwords) provide the raw material.
- Step 2: Automate login attempts. Using tools like Sentry MBA, OpenBullet, or custom scripts, attackers configure bots to try stolen credentials against target login pages — banks, email providers, SaaS platforms, retail sites.
- Step 3: Rotate proxies and evade detection. Sophisticated attackers route traffic through residential proxies and botnets to avoid IP-based rate limiting. Each login attempt looks like it's coming from a different normal user.
- Step 4: Harvest successful logins. Hit rates are typically low — often 0.1% to 2% — but at scale, that's thousands of compromised accounts from a single campaign.
- Step 5: Monetize access. Attackers sell verified account credentials at a premium, drain stored payment methods, steal personal data, or pivot deeper into corporate networks.
The 2021 Verizon Data Breach Investigations Report found that credentials remain the most commonly compromised data type, appearing in 61% of breaches. That statistic should alarm every security leader reading this. Edition after edition, the DBIR has put stolen credentials among the leading ways attackers get in.
The $4.24M Lesson Most Organizations Learn Too Late
According to IBM's 2021 Cost of a Data Breach report, the average cost of a data breach reached $4.24 million — the highest in 17 years. Compromised credentials were the most common initial attack vector, responsible for 20% of breaches, and those breaches took an average of 250 days to identify.
Let me put that in context. An attacker logs in with stolen credentials. They sit inside your environment for over eight months before anyone notices. During that time, they're exfiltrating data, escalating privileges, and mapping your network.
In my experience, organizations that suffer credential stuffing attacks rarely realize the breach started with something so mundane. They look for sophisticated exploits, zero-days, advanced persistent threats. Meanwhile, the attacker just typed in a password that an employee also used on a gaming forum in 2017.
What Is a Credential Stuffing Attack vs. Brute Force?
This is a question I get constantly, so let me clarify it directly.
A brute force attack tries random or sequential password combinations against a single account. It's noisy, slow, and easily blocked by account lockouts.
A credential stuffing attack uses known username-password pairs from real breaches and tries them against different services. It's quiet, targeted, and often bypasses lockout policies because each account only gets one or two attempts.
That distinction matters enormously for your defense strategy. Traditional lockout policies won't stop credential stuffing. The attacker isn't guessing — they already have the password. They're just checking if it works here too.
Real-World Credential Stuffing Incidents That Made Headlines
Dunkin' Donuts (2015 and 2018)
Dunkin' suffered two separate credential stuffing attacks that compromised tens of thousands of DD Perks loyalty accounts. The New York Attorney General's investigation found that Dunkin' failed to notify affected customers promptly. In September 2020, Dunkin' agreed to pay $650,000 in penalties. The attackers didn't hack Dunkin's systems — they used credentials stolen elsewhere.
Spotify (2020)
Researchers at vpnMentor discovered an unsecured Elasticsearch database containing 380 million records being used to stage credential stuffing attacks against Spotify. The platform ultimately forced password resets for roughly 350,000 affected accounts. Again, the vulnerability wasn't in Spotify's infrastructure — it was in users reusing passwords.
The State of New York (2022)
In January 2022, the New York Attorney General's office announced the results of an investigation showing that credential stuffing attacks had compromised approximately 1.1 million customer accounts across 17 well-known online retailers, restaurant chains, and food delivery services. The AG published specific guidance for businesses to defend against these attacks.
Why Security Awareness Training Is Your First Line of Defense
Technology controls matter — I'll get to those — but they can't fix the root cause. The root cause is human behavior. People reuse passwords. People choose weak passwords. People don't enable multi-factor authentication unless you make them.
This is where real, practical cybersecurity awareness training changes the equation. When your employees understand that their Netflix password is a direct threat to your corporate infrastructure, behavior shifts. I've measured it. Organizations that run ongoing security awareness programs see measurably lower rates of password reuse within six months.
Training shouldn't be a once-a-year compliance checkbox. It needs to be continuous, scenario-based, and tied to real threats your people actually face — like credential stuffing, social engineering, and phishing.
Combine Training with Phishing Simulations
Credential stuffing doesn't happen in isolation. Attackers also phish your employees to harvest fresh credentials directly. A comprehensive approach pairs password security education with hands-on phishing awareness training for organizations that tests employees with realistic phishing simulations.
When someone fails a phishing simulation, that's not a punishment — it's a teaching moment. In my experience, organizations that run monthly simulations cut phishing click rates by 60% or more within a year. That directly reduces the number of credentials threat actors can harvest from your people.
7 Technical Controls That Actually Stop Credential Stuffing
Training changes behavior. Technology enforces the guardrails. Here are the specific controls I recommend to every organization I work with:
1. Enforce Multi-Factor Authentication Everywhere
MFA is the single most effective control against credential stuffing. Even if an attacker has the correct password, they can't authenticate without the second factor. CISA's MFA guidance is clear: enable it on every externally facing system, every email account, and every VPN. Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys where you can; an SMS or app code still stops a replayed password, but not a real-time phishing proxy that relays the code.
2. Deploy a Web Application Firewall with Bot Detection
Modern WAFs and bot-management services can identify and block automated login attempts based on behavioral signals: mouse and keystroke patterns collected by client-side script, request timing, and TLS or header fingerprints that don't match the claimed browser. This catches much of the bot-driven traffic behind credential stuffing campaigns, and it matters because IP reputation alone fails against the residential proxies described in Step 3.
3. Implement Rate Limiting and Adaptive Throttling
Limit login attempts per IP, per account, and per session. But go beyond simple thresholds: use adaptive systems that increase friction (CAPTCHAs, delays, temporary blocks) as suspicious patterns emerge. Per-IP counters alone miss the proxy-rotated campaigns from Step 3, so also count failures per account regardless of source, and watch how many distinct accounts a single source tries; a legitimate user rarely needs more than a handful.
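The following Python sketch is added here as an illustration, not code from the article. It shows what adaptive throttling looks like in practice: sliding-window counters per source IP and per account, plus a count of distinct accounts tried from one IP, with friction escalating from allow to CAPTCHA to delay to block. The window length, the thresholds and the `simulate_stuffing_burst` scenario are assumptions chosen for the example.

```python
"""Adaptive login throttling with escalating friction. Added example, not the
article's code. Counters are sliding windows keyed by source IP and by account;
the per-IP distinct-account counter is what catches credential stuffing, where
each account sees only one or two tries. Thresholds are assumptions."""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600                                   # look-back window for all counters
IP_CAPTCHA_AT, IP_DELAY_AT, IP_BLOCK_AT = 10, 25, 50   # failures from one IP
ACCOUNT_CAPTCHA_AT = 3                                 # failures on one account, any IP
DISTINCT_CAPTCHA_AT, DISTINCT_DELAY_AT = 5, 20         # distinct accounts tried from one IP


class LoginThrottle:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self._acct_fail = defaultdict(deque)  # account -> failure timestamps
        self._ip_users = defaultdict(deque)   # ip -> (timestamp, account) for every attempt

    @staticmethod
    def _prune(dq, cutoff, key=lambda x: x):
        """Drop entries that fell out of the sliding window."""
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def decide(self, ip, account):
        """Friction to apply before processing this attempt:
        'allow' | 'captcha' | 'delay' | 'block'."""
        cutoff = self._now() - WINDOW_SECONDS
        self._prune(self._ip_fail[ip], cutoff)
        self._prune(self._acct_fail[account], cutoff)
        self._prune(self._ip_users[ip], cutoff, key=lambda t: t[0])
        ip_fails = len(self._ip_fail[ip])
        acct_fails = len(self._acct_fail[account])
        distinct = len({u for _, u in self._ip_users[ip]})
        if ip_fails >= IP_BLOCK_AT:
            return "block"
        if ip_fails >= IP_DELAY_AT or distinct >= DISTINCT_DELAY_AT:
            return "delay"
        if (ip_fails >= IP_CAPTCHA_AT or acct_fails >= ACCOUNT_CAPTCHA_AT
                or distinct >= DISTINCT_CAPTCHA_AT):
            return "captcha"
        return "allow"

    def record(self, ip, account, success):
        """Feed the outcome back in after the password check ran."""
        now = self._now()
        self._ip_users[ip].append((now, account))
        if success:
            self._acct_fail[account].clear()   # a real login resets the account counter
        else:
            self._ip_fail[ip].append(now)
            self._acct_fail[account].append(now)


def simulate_stuffing_burst(n_accounts, ip="198.51.100.7"):
    """Constructed scenario: one IP walks n stolen pairs, one failed try each.
    Returns the decision taken before each attempt."""
    clock = [1000.0]                              # fake clock so the run is deterministic
    throttle = LoginThrottle(now=lambda: clock[0])
    decisions = []
    for i in range(n_accounts):
        account = f"user{i:03d}@example.com"
        decisions.append(throttle.decide(ip, account))
        throttle.record(ip, account, success=False)
        clock[0] += 0.5                           # bots are fast
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(simulate_stuffing_burst(60)):
        if i in (0, 5, 20, 50):
            print(f"attempt {i:2d}: {d}")
```

Note that the account counter is keyed on the username, not the IP, so three failures on one account from three different proxies still trigger a CAPTCHA on the fourth, and the counter only resets on a genuine successful login.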
4. Check Passwords Against Known Breach Databases
NIST Special Publication 800-63B requires verifiers to screen new passwords against a blocklist of values known to be commonly used, expected, or compromised. The NIST identity guidelines represent the gold standard here. Have I Been Pwned's Pwned Passwords API lets you do this at scale without exposing the actual passwords: the client sends only the first five hex characters of the password's SHA-1 hash, receives every hash suffix in that range with its breach count, and finishes the match locally.
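Here is what a k-anonymity range check looks like in Python. This is an added example, not the article's or Have I Been Pwned's own code. The range endpoint, its `SUFFIX:COUNT` response lines and the `Add-Padding` header are the API's documented behaviour; `fetch_range_constructed`, its hard-coded password counts and the `evaluate` policy are constructed for the illustration so that it runs offline.

```python
"""Breached-password screening via the Pwned Passwords k-anonymity range API.
Added example, not the article's or HIBP's code. Only the first 5 hex chars
of the SHA-1 ever leave the host; the 35-char suffix is matched locally."""
import hashlib
import urllib.request
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # documented endpoint
MIN_LENGTH = 8   # NIST SP 800-63B floor for user-chosen memorized secrets


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines. Padding rows (count 0) are discarded."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def evaluate(password: str, fetch_range) -> str:
    """Policy verdict: 'too_short', 'breached' or 'ok'."""
    if len(password) < MIN_LENGTH:
        return "too_short"
    if breach_count(password, fetch_range) > 0:
        return "breached"
    return "ok"


def fetch_range_live(prefix: str) -> str:
    """Real network fetch. Add-Padding makes every response a similar size so
    the response length leaks nothing about which prefix was asked for."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-screen"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Constructed offline stand-in for the API (counts are invented) ----
CONSTRUCTED_BREACHED = {"password": 3_000_000, "Password1": 120_000, "letmein": 90_000}
REQUEST_LOG = []                  # records what would have gone over the wire
_PADDING_ROW = "0" * 35 + ":0"    # shape of a padding row


def _build_ranges():
    ranges = defaultdict(list)
    for pw, n in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]].append(f"{digest[5:]}:{n}")
    for rows in ranges.values():
        rows.append(_PADDING_ROW)
    return ranges


_RANGES = _build_ranges()


def fetch_range_constructed(prefix: str) -> str:
    REQUEST_LOG.append(prefix)
    return "\r\n".join(_RANGES.get(prefix, [_PADDING_ROW]))


if __name__ == "__main__":
    for pw in ("password", "short1", "xq7!Lm2#vPz9wR4s"):
        print(pw, "->", evaluate(pw, fetch_range_constructed))
```

Swap `fetch_range_constructed` for `fetch_range_live` to query the real service; `REQUEST_LOG` exists only to make it easy to confirm that nothing longer than a five-character prefix was ever sent.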
5. Adopt a Zero Trust Architecture
Zero trust assumes every authentication attempt is potentially hostile. Even after a user logs in with valid credentials, continuous verification of device health, location, behavior patterns, and access scope limits what a compromised account can actually do.
6. Monitor for Credential Leaks Proactively
Use dark web monitoring services to detect when your organization's credentials appear in new breach dumps. Early detection lets you force password resets before attackers can weaponize the stolen data.
7. Eliminate Password Reuse Through Password Managers
Deploy an enterprise password manager and mandate its use. When every account has a unique, complex password generated and stored by the manager, credential stuffing has nothing to work with: the password stolen from one service simply won't match any other.
What the FBI Says About Credential Stuffing in 2021
The FBI's Internet Crime Complaint Center (IC3) has repeatedly warned about the surge in credential stuffing attacks targeting both enterprises and consumers. In a September 2020 Private Industry Notification, the FBI specifically highlighted attacks against the financial sector, noting that attackers were using aggregated credential dumps and specialized configurations for automated tools to bypass security controls.
The FBI IC3 recommends that organizations implement MFA, monitor for anomalous login activity, and educate employees about password hygiene — recommendations that align exactly with the controls I've outlined above.
Building a Credential Stuffing Defense Program: Where to Start
If you're reading this and realizing your organization hasn't specifically addressed credential stuffing, here's a prioritized action plan:
- Week 1: Audit MFA deployment. Identify every externally accessible system and verify MFA is enforced. No exceptions for executives.
- Week 2: Run a password audit. Check your Active Directory passwords against known breach lists; Pwned Passwords also publishes its data as NTLM hashes, so you can compare hashes offline instead of handling plaintext. You'll be horrified by what you find.
- Week 3: Launch security awareness training focused on password reuse and credential theft. Enroll your team in a comprehensive cybersecurity awareness training program that covers these threats specifically.
- Week 4: Deploy or tune your WAF's bot detection capabilities. Review login attempt logs from the past 90 days for anomalous patterns you may have missed.
- Month 2: Begin ongoing phishing simulation exercises to test and reinforce what employees learned. Measure, iterate, repeat.
- Month 3: Implement dark web monitoring for your corporate domains. Establish an incident response playbook specifically for credential compromise events.
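To make the week-4 log review concrete, and to show why the "one or two attempts per account" pattern from the brute-force comparison earlier slips past lockouts, here is an added Python example (not from the article) that hunts for the two shapes of a stuffing campaign in login logs: one IP fanning out across many accounts, and the proxy-rotated variant where nearly every attempt arrives from its own IP. The log line format, the constructed sample log and the thresholds are assumptions.

```python
"""Credential-stuffing signatures in login logs. Added example, not the
article's code. Two detections: (1) one IP, many accounts, about one try each,
few successes; (2) a burst where almost every attempt has a distinct IP.
Log format, sample data and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$")


def parse_log(lines):
    """Turn 'ts ip= user= result=' lines into event dicts; skip other formats."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "success"})
    return events


def bucket_start(ts, minutes):
    """Floor a timestamp to a fixed window boundary."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def find_stuffing_sources(events, window_minutes=10, min_distinct_users=8,
                          max_attempts_per_user=2.0, max_success_rate=0.2):
    """One IP, many accounts, ~1 try each: per-account lockout never fires."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ip"], bucket_start(e["ts"], window_minutes))].append(e)
    flagged = []
    for (ip, start), evs in sorted(groups.items(), key=lambda kv: kv[0][1]):
        users = {e["user"] for e in evs}
        hits = sorted({e["user"] for e in evs if e["ok"]})   # accounts to force-reset
        if (len(users) >= min_distinct_users
                and len(evs) / len(users) <= max_attempts_per_user
                and len(hits) / len(evs) <= max_success_rate):
            flagged.append({"ip": ip, "window_start": start.isoformat(),
                            "attempts": len(evs), "distinct_users": len(users),
                            "compromised": hits})
    return flagged


def find_distributed_bursts(events, window_minutes=10, min_attempts=10,
                            min_ip_ratio=0.8, min_fail_rate=0.8):
    """Rotating proxies: nearly every attempt in the window has its own IP."""
    buckets = defaultdict(list)
    for e in events:
        buckets[bucket_start(e["ts"], window_minutes)].append(e)
    flagged = []
    for start, evs in sorted(buckets.items()):
        ips = {e["ip"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if (len(evs) >= min_attempts and len(ips) / len(evs) >= min_ip_ratio
                and fails / len(evs) >= min_fail_rate):
            flagged.append({"window_start": start.isoformat(), "attempts": len(evs),
                            "distinct_ips": len(ips),
                            "distinct_users": len({e["user"] for e in evs})})
    return flagged


def constructed_log():
    """Constructed sample: normal logins, then two stuffing bursts."""
    lines = [
        "2024-05-01T08:00:00Z ip=192.0.2.10 user=alice result=success",
        "2024-05-01T08:05:12Z ip=192.0.2.11 user=bob result=fail",
        "2024-05-01T08:05:40Z ip=192.0.2.11 user=bob result=success",
        "2024-05-01T09:15:00Z ip=192.0.2.12 user=carol result=success",
    ]
    users = [f"user{i:02d}" for i in range(12)]
    for i, u in enumerate(users):          # burst 1: one proxy IP, one try per stolen pair
        r = "success" if u == "user07" else "fail"
        lines.append(f"2024-05-01T10:00:{i * 3:02d}Z ip=198.51.100.7 user={u} result={r}")
    for i, u in enumerate(users):          # burst 2: a fresh IP for every attempt
        lines.append(f"2024-05-01T13:30:{i * 2:02d}Z ip=203.0.113.{i + 20} user={u} result=fail")
    return lines


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("fan-out sources:", find_stuffing_sources(evs))
    print("distributed bursts:", find_distributed_bursts(evs))
```

The second detector is deliberately coarse: it only tells you that a window looked wrong, not who was behind it, which is the best a single-site log can do against residential proxies and why the `compromised` list from the first detector, the accounts that actually succeeded, is the output you act on first.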
Your Employees Are the Vulnerability — and the Solution
Every credential stuffing attack starts with a human decision: someone chose to reuse a password. Every successful defense starts with a human decision too: someone chose to use a unique password and enable MFA.
The technology stack matters. The policies matter. But in my two decades in this field, I've never seen an organization solve credential-based attacks purely through technology. The organizations that win are the ones that invest in their people — training them to recognize threats, equipping them with the right tools, and building a culture where security is everyone's responsibility.
A credential stuffing attack is preventable. Not theoretically. Practically. The tools exist. The training exists. The question is whether your organization acts before the next breach dump includes your employees' credentials — or after.