23 Billion Stolen Credentials Are Already For Sale
In January 2023, cybersecurity researchers at Digital Shadows reported over 24.6 billion stolen username-and-password pairs circulating on dark web marketplaces. That's roughly three credentials for every person on Earth. And every single one of them is a loaded weapon waiting to be used in a credential stuffing attack.
If your organization relies on password-based authentication — and most still do — this post is for you. I'm going to break down exactly how credential stuffing works, why it's different from brute force, which real-world breaches it caused, and the specific steps you need to take today to shut it down.
What Is a Credential Stuffing Attack, Exactly?
A credential stuffing attack is an automated cyberattack where a threat actor takes stolen username-and-password pairs from one breach and systematically tries them against other websites and services. It works because people reuse passwords. That's it. That's the whole exploit.
The attacker doesn't need to crack anything. They don't guess. They already have valid credentials from a previous data breach — maybe from LinkedIn in 2012, or the Collection #1 dump in 2019 — and they just test them at scale against banking portals, SaaS platforms, email providers, and corporate VPNs.
Botnets and specialized tools like Sentry MBA or OpenBullet can test millions of credential pairs per hour, rotating through proxy networks to avoid detection. The success rate is typically low — somewhere between 0.1% and 2% — but when you're testing billions of credentials, even 0.1% is devastating.
Credential Stuffing vs. Brute Force: Know the Difference
I've seen security teams confuse these two constantly. A brute force attack tries every possible password combination against a single account. It's loud, slow, and easy to detect with basic rate limiting.
A credential stuffing attack is surgical by comparison. The attacker already has a real password that a real person used. They're just betting that person used the same password somewhere else. The login attempts look legitimate — correct formatting, realistic usernames, valid password complexity. Traditional security controls often miss them entirely.
That distinction matters because the defenses are different. Account lockout policies that stop brute force won't necessarily stop credential stuffing when attackers distribute attempts across thousands of IPs and target thousands of accounts simultaneously.
The Breaches That Prove This Isn't Theoretical
Norton LifeLock (2023)
In January 2023, Gen Digital disclosed that nearly 925,000 Norton LifeLock accounts had been targeted by a credential stuffing attack. Attackers used credentials purchased from dark web marketplaces and successfully accessed accounts that reused passwords. The irony — a password manager company breached because users didn't use unique passwords — tells you everything about the state of password hygiene.
Dunkin' Donuts (2019)
Dunkin' Brands was hit by two credential stuffing attacks in quick succession. Attackers accessed DD Perks rewards accounts using credentials stolen from other breaches. The New York Attorney General's office took action, and Dunkin' paid $650,000 in penalties. The attackers didn't exploit a vulnerability in Dunkin's code. They exploited human behavior.
The North Face (2022)
VF Corporation disclosed in August 2022 that approximately 194,905 The North Face customer accounts were compromised through credential stuffing. Attackers accessed names, purchase histories, billing addresses, and loyalty point balances. Again — no sophisticated zero-day required. Just recycled passwords.
Okta's Warning (2022)
Identity provider Okta reported in 2022 that credential stuffing attempts against its customers had surged, with some customers seeing billions of login attempts per month. When the identity layer itself becomes a battleground, you know the threat has matured.
Why Password Reuse Is the Real Vulnerability
Here's what actually happens. Your employee creates a personal account on a recipe website using their work email and the same password they use for your corporate VPN. That recipe site gets breached — maybe it was running unpatched WordPress with a SQL injection flaw. Nobody notices for six months. The credentials end up in a dump on a Telegram channel. A threat actor buys the dump for $20 and starts testing those credentials against enterprise targets.
Now your employee's valid corporate credentials are in an attacker's hands. No phishing email required. No social engineering. No malware. Just password reuse and a $20 investment.
The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 49% of all breaches analyzed. That number has held stubbornly high for years, and credential stuffing is a major driver. You can read the full report at Verizon's DBIR page.
The $4.45M Question: What Does This Actually Cost?
IBM's 2022 Cost of a Data Breach Report pegged the global average breach cost at $4.35 million. For breaches involving stolen or compromised credentials specifically, the average detection time was 243 days — the longest of any attack vector. That extended dwell time means more data exfiltrated, more systems compromised, and higher remediation costs.
For small and mid-sized businesses, the math is even worse. You likely don't have a 24/7 SOC watching for anomalous login patterns. You probably don't have behavioral analytics flagging a login from Romania at 3 AM on an account that's never left Ohio. The credential stuffing attack succeeds, and nobody notices until the ransomware detonates or the wire fraud hits your bank account.
Seven Specific Steps to Defend Against Credential Stuffing
1. Enforce Multi-Factor Authentication Everywhere
Multi-factor authentication is the single most effective control against credential stuffing. Even if a threat actor has a valid password, they can't log in without the second factor. CISA has published extensive guidance on implementing MFA — start with their recommendations at cisa.gov/MFA.
Push-based MFA or FIDO2 hardware keys are strongest. SMS-based MFA is better than nothing but vulnerable to SIM swapping. Pick the strongest option your organization can operationally support and roll it out across every externally facing application.
2. Deploy Credential Screening
Check your users' passwords against known breach databases at the point of creation and on an ongoing basis. NIST Special Publication 800-63B specifically recommends this — passwords should be screened against lists of commonly used, expected, or compromised values. Services like Have I Been Pwned's API make this operationally feasible. You can review NIST's digital identity guidelines at pages.nist.gov/800-63-3.
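As an added example (not code from the original post), here is the k-anonymity lookup that the Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 leave your host, and the returned suffix list is matched locally. The network call is replaced by a constructed sample response so the block runs offline; the breach count and the neighbouring suffixes are made-up values.

```python
import hashlib
from typing import Callable

# Constructed sample of a Pwned Passwords range response (not live data). Each line
# is "<35-hex-char SHA-1 suffix>:<times seen in breaches>" for the prefix 5BAA6.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "2D8D1B3FAACCA6A3C6A91617B2FA32E2F57:1",
])


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the constructed sample above so the example runs without network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """k-anonymity lookup: hash locally, send only the 5-char prefix, match the
    remaining 35 characters against the suffixes the service returns."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # suffix absent from the range: not in the breach corpus


def is_acceptable(password: str, min_length: int = 8,
                  fetch_range: Callable[[str], str] = fetch_range_offline) -> bool:
    """NIST SP 800-63B style screen: reject short values and anything seen in a breach."""
    if len(password) < min_length:
        return False
    return pwned_count(password, fetch_range) == 0
```

To use it live, replace fetch_range_offline with a function that performs an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix> and returns the response body.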
3. Implement Rate Limiting and Bot Detection
Traditional rate limiting (e.g., lock out after five failed attempts) isn't enough when attacks are distributed across thousands of IPs. You need intelligent bot detection — CAPTCHA challenges, device fingerprinting, behavioral analysis on login flows. Look at the velocity of attempts across your entire user base, not just per account.
4. Adopt a Zero Trust Architecture
Zero trust assumes that any credential could be compromised at any time. Every access request gets verified based on user identity, device health, location, and behavior — not just a username and password. This approach dramatically limits what an attacker can do even if they successfully stuff a credential. It's a philosophy shift, but it's the direction every serious security program is moving.
5. Monitor for Credential Dumps
Dark web monitoring services can alert you when your organization's email domains appear in new credential dumps. This gives you a window to force password resets before the stuffing attacks begin. It's not foolproof, but it adds a valuable early warning layer.
6. Train Your Employees on Password Hygiene
Your people need to understand why reusing passwords across personal and corporate accounts creates real risk. This isn't about scaring them — it's about giving them the specific knowledge to protect themselves and your organization. Our cybersecurity awareness training program covers credential theft, social engineering, and the exact behaviors that lead to successful attacks.
7. Run Phishing Simulations Regularly
Credential stuffing often works hand-in-hand with phishing. An attacker might use a stuffed credential to access an email account, then launch internal phishing campaigns to harvest more credentials and escalate access. Regular phishing simulations train employees to recognize and report these attempts before they succeed. Our phishing awareness training for organizations provides realistic simulation exercises designed to build lasting recognition skills.
How Do You Know If You're Under Attack Right Now?
Look for these signals in your authentication logs:
- Spike in failed login attempts across many accounts simultaneously
- Successful logins from geographic locations inconsistent with your user base
- Multiple accounts accessed from the same IP address or IP range in a short window
- Login attempts using email addresses that don't exist in your directory (the attacker is spraying from a generic dump)
- Unusual authentication times — 2 AM to 5 AM local time, weekends, holidays
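As an added example (not part of the original post), this script applies the signals listed above, together with the population-wide velocity check from step 3, to a constructed sample authentication log. The log format, the thresholds and the directory stand-in are assumptions; in practice the rows would come from your SIEM or identity provider.

```python
from datetime import datetime
# Constructed sample authentication log, not real data: "timestamp,src_ip,username,result".
SAMPLE_AUTH_LOG = """\
2024-03-10T03:01:02,203.0.113.7,alice@example.com,FAIL
2024-03-10T03:01:03,203.0.113.7,bob@example.com,FAIL
2024-03-10T03:01:03,203.0.113.7,carol@example.com,SUCCESS
2024-03-10T03:01:04,203.0.113.7,nobody123@example.com,FAIL
2024-03-10T03:01:05,198.51.100.4,dave@example.com,FAIL
2024-03-10T03:01:05,198.51.100.4,ghost@example.com,FAIL
2024-03-10T03:01:06,198.51.100.4,erin@example.com,FAIL
2024-03-10T14:22:10,192.0.2.9,alice@example.com,SUCCESS
"""
DIRECTORY = {f"{u}@example.com" for u in ("alice", "bob", "carol", "dave", "erin")}  # constructed directory

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "result": result})
    return sorted(rows, key=lambda r: r["ts"])

def detect_stuffing(rows, directory=DIRECTORY, window_s=60,
                    min_failed_accounts=5, max_users_per_ip=3, off_hours=(2, 5)):
    """Return (signal, detail) pairs for population-wide patterns a per-account lockout misses."""
    alerts = []
    # Failure velocity across the whole user base inside a sliding time window.
    peak, start = 0, 0
    for end, row in enumerate(rows):
        while (row["ts"] - rows[start]["ts"]).total_seconds() > window_s:
            start += 1
        failed = {r["user"] for r in rows[start:end + 1] if r["result"] == "FAIL"}
        peak = max(peak, len(failed))
    if peak >= min_failed_accounts:
        alerts.append(("failure_spike", peak))
    # One source IP touching many distinct accounts.
    users_by_ip = {}
    for r in rows:
        users_by_ip.setdefault(r["ip"], set()).add(r["user"])
    for ip, users in sorted(users_by_ip.items()):
        if len(users) > max_users_per_ip:
            alerts.append(("ip_fanout", ip))
    # Usernames absent from the directory: the attacker is spraying a generic dump.
    unknown = sorted({r["user"] for r in rows if r["user"] not in directory})
    if unknown:
        alerts.append(("unknown_accounts", tuple(unknown)))
    # Activity inside the off-hours window (hours are taken as local time).
    off = [r for r in rows if off_hours[0] <= r["ts"].hour < off_hours[1]]
    if off:
        alerts.append(("off_hours", len(off)))
    return alerts
```

Geographic inconsistency is left out because it needs an IP-to-location source; it would be one more signal added in the same shape.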
If your SIEM or logging platform can't surface these patterns, that's a gap you need to close. You can't defend against what you can't see.
The Role of Security Awareness in Stopping Credential Theft
Technical controls are essential, but they're not sufficient. Every defense I've listed above can be undermined by a single employee who reuses their corporate password on a compromised third-party site, falls for a phishing email, or shares credentials with a colleague over Slack.
Security awareness training isn't a checkbox exercise — it's an operational control. When your employees understand how a credential stuffing attack actually works, they're far more likely to use unique passwords, enable MFA on personal accounts, and report suspicious login notifications instead of ignoring them.
I've watched organizations cut their credential-related incidents by 60% or more after implementing consistent, scenario-based training. The key word is consistent. A once-a-year compliance video doesn't change behavior. Monthly micro-training and regular phishing simulations do.
What Happens When You Don't Act
The FTC has made it clear that failure to protect against known credential threats can constitute unfair business practices. Their enforcement actions against companies like CafePress (2022) specifically cited inadequate security measures around credential protection. The message is unambiguous: regulators expect you to implement reasonable safeguards against credential-based attacks.
Beyond regulatory risk, there's the operational reality. A successful credential stuffing attack can lead to account takeover, fraudulent transactions, data exfiltration, lateral movement into deeper systems, and ultimately ransomware deployment. The attack chain that starts with a reused password can end with your entire environment encrypted and a seven-figure ransom demand on screen.
Your Next Move
Audit your MFA coverage today. Check which externally facing applications still accept password-only authentication. Screen your Active Directory passwords against known breach lists. Set up alerting for anomalous login patterns. And start building the human layer of defense — because the best firewall in the world can't stop a valid credential from logging in.
The credential stuffing attack isn't going away. The dumps keep growing, the tools keep improving, and the attackers keep profiting. Your job is to make sure the stolen credentials in those databases are worthless against your organization.