23andMe Lost 6.9 Million Records to a Credential Stuffing Attack
In October 2023, genetic testing company 23andMe confirmed that threat actors had compromised roughly 14,000 accounts using stolen credentials from other breaches. Because of the platform's social sharing features, that initial foothold gave attackers access to the personal data of approximately 6.9 million users. The attack method wasn't sophisticated malware. It wasn't a zero-day exploit. It was a credential stuffing attack — automated login attempts using username and password pairs already circulating on the dark web.
The fallout was staggering. 23andMe faced dozens of lawsuits, a congressional inquiry, and ultimately filed for bankruptcy protection in early 2025. All because a significant number of users reused passwords across multiple sites.
If you think your organization is immune to this, I'd encourage you to keep reading. In my experience, credential stuffing is one of the most underestimated threats in cybersecurity — and one of the most preventable.
What Is a Credential Stuffing Attack, Exactly?
A credential stuffing attack occurs when an attacker takes large lists of stolen usernames and passwords — typically harvested from previous data breaches — and uses automated tools to try those credentials against other websites and services. The attacker bets on one simple, reliable fact: people reuse passwords.
This isn't brute force. Brute force guesses random combinations. Credential stuffing uses real credentials that worked somewhere else. That's why the success rate, while low per attempt (typically 0.1% to 2%), scales enormously when you're testing millions of pairs per hour.
According to the 2024 Verizon Data Breach Investigations Report, stolen credentials were involved in over 77% of attacks on basic web applications. That number has held stubbornly high for years. The reason is simple: credential theft works, and credential reuse makes it even easier.
How Attackers Actually Execute It
Step 1: Acquire the Credential Lists
Billions of username-password pairs are available on dark web marketplaces and underground forums. Major breaches at companies like LinkedIn (2012, data resurfaced in 2016), Collection #1-5 (2019), and more recent incidents continuously feed this supply. Attackers can buy these lists for pocket change — or find them shared openly on paste sites and Telegram channels.
Step 2: Automate the Attacks
Tools like Sentry MBA, OpenBullet, and custom scripts let attackers test thousands of login attempts per minute. These tools rotate through proxy servers and residential IP addresses to evade basic rate limiting. Many can solve simple CAPTCHAs automatically. The barrier to entry is shockingly low — you don't need to be a skilled hacker to launch a credential stuffing attack.
Step 3: Monetize the Access
Once valid credentials are confirmed, the threat actor either sells the verified accounts, uses them to commit fraud, or pivots deeper into the target organization. For consumer accounts, this might mean draining loyalty points, making purchases, or stealing personal data. For enterprise accounts, it's often the first step toward ransomware deployment, wire fraud, or lateral movement through corporate networks.
The $4.88 Million Average That Should Keep You Up at Night
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — the highest figure ever recorded. Breaches involving stolen or compromised credentials took the longest to identify and contain, averaging 292 days. Nearly ten months of an attacker living inside your systems.
For small and mid-sized businesses, a single successful credential stuffing attack can be existential. I've personally worked with organizations that lost six figures in direct costs before they even realized they'd been compromised. The indirect costs — customer trust, regulatory scrutiny, legal fees — lasted years longer.
Why Your Employees Are the Weakest Link (and the Strongest Defense)
Here's what actually drives credential stuffing success: your employees reuse their corporate email and password on personal sites. A 2023 study by SpyCloud found that 61% of data breach victims had reused credentials across multiple accounts. When one of those external services gets breached, your corporate perimeter is exposed — even if your own infrastructure was never directly attacked.
This is why security awareness training isn't optional. Your people need to understand, in concrete terms, why password reuse is dangerous and how their personal habits create organizational risk. I recommend starting with a comprehensive cybersecurity awareness training program that covers credential hygiene, social engineering tactics, and the mechanics of how breaches actually happen.
Awareness alone won't solve everything. But employees who understand the threat make better decisions — they use password managers, they report suspicious login alerts, and they stop treating "Spring2025!" as an acceptable password.
How to Defend Against Credential Stuffing Attacks
Deploy Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) is the single most effective control against credential stuffing. Even if an attacker has a valid username and password, they can't proceed without the second factor. Microsoft has stated that MFA blocks 99.9% of automated attacks on accounts.
But not all MFA is equal. SMS-based codes are vulnerable to SIM swapping. Push-based MFA can be defeated by fatigue attacks (the Uber breach in September 2022 proved that). Hardware security keys or FIDO2 passkeys are the gold standard. At minimum, use an authenticator app and configure number matching to resist prompt bombing.
Implement Rate Limiting and Bot Detection
Credential stuffing is an automated attack, so automated defenses help. Rate limiting login attempts per IP, per account, and per session raises the cost for attackers. Web application firewalls (WAFs) with bot detection capabilities can identify and block stuffing tools by their behavioral patterns — request timing, header anomalies, and mouse movement analysis.
CISA's guidance on credential security recommends organizations implement robust monitoring of authentication endpoints. If you see 50,000 failed login attempts in an hour, your monitoring should catch that. In practice, I've seen organizations where no one was watching.
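The monitoring described above has a recognisable signature: one source trying many different accounts once each with a low success rate, as opposed to a brute-force source hammering one account. The following added example (not from the original post or from CISA) runs that logic over a few constructed auth-log lines; the log format, thresholds and IP addresses are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample auth log (not from any real system). Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<source> user=<account> result=<OK|FAIL>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=OK
2024-05-01T10:00:10Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:11Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:12Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:00:13Z ip=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:00Z ip=192.0.2.20 user=grace result=FAIL
2024-05-01T10:05:30Z ip=192.0.2.20 user=grace result=OK
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4) == "OK"

def classify_sources(log_text, window_seconds=60, min_attempts=4, min_distinct_users=4):
    """Label each source IP by its login pattern inside any window_seconds span: 'stuffing' (many
    distinct accounts, mostly failing), 'brute_force' (one account, failing), or 'normal'."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        per_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, events in per_ip.items():
        events.sort()  # chronological so the sliding window below is well-defined
        verdict = "normal"
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            if len(window) < min_attempts:
                continue  # a user mistyping once or twice is not an alert
            users = {u for _, u, _ in window}
            fail_rate = sum(not ok for _, _, ok in window) / len(window)
            if len(users) >= min_distinct_users and fail_rate >= 0.5:
                verdict = "stuffing"  # one guess per account: credential stuffing signature
                break
            if len(users) == 1 and fail_rate >= 0.8:
                verdict = "brute_force"  # repeated guesses against a single account
        verdicts[ip] = verdict
    return verdicts
```

Per-account counters alone would miss the stuffing source here, since each victim account sees only one failure; grouping by source and counting distinct accounts is what surfaces it.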
Check Credentials Against Known Breach Data
NIST Special Publication 800-63B explicitly recommends that organizations check user passwords against lists of commonly compromised credentials. Services like Have I Been Pwned's API let you do this at registration and password change. If a user tries to set a password that's already appeared in a breach, block it.
This is a low-effort, high-impact control that far too few organizations implement.
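The Have I Been Pwned check above works without ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35 characters locally against the returned SUFFIX:COUNT lines. The following added example (not from the post, and not HIBP's own client code) implements that check plus a NIST 800-63B style length floor; the stand-in API response is constructed, except that 5BAA6 really is the SHA-1 prefix of "password", and the live fetch helper is included for completeness but not exercised offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_split(password):
    """Split the uppercase SHA-1 hex into (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict, ignoring junk lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix):
    """Query the real HIBP range endpoint (needs network access; not used by the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the API: 5BAA6 is the real prefix of SHA-1("password"),
# but the counts and the other two suffixes are made up for this example.
FAKE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
             "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n",
}

def fetch_range_fake(prefix):
    return FAKE_RANGES.get(prefix, "")

def breach_count(password, fetch_range=fetch_range_fake):
    prefix, suffix = sha1_split(password)  # only `prefix` leaves the machine
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_acceptable(password, fetch_range=fetch_range_fake, min_length=8):
    """Length floor plus rejection of any password seen in breach data. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    seen = breach_count(password, fetch_range)
    if seen:
        return False, "appeared %d times in known breaches" % seen
    return True, "ok"
```

To run against the live service, pass `fetch_range_live` as the `fetch_range` argument; the same prefix-only query shape applies.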
Adopt a Zero Trust Architecture
Zero trust assumes every authentication request could be malicious, regardless of whether it comes from inside or outside your network. In the context of credential stuffing, zero trust means continuous verification — not just at login, but throughout the session. Device posture checks, behavioral analytics, and contextual access policies all reduce the blast radius of a compromised credential.
Run Phishing Simulations Regularly
Credential stuffing and phishing are closely related threats. Phishing campaigns harvest the fresh credentials that fuel future stuffing attacks. Testing your employees with realistic phishing awareness training and simulations keeps the threat top-of-mind and identifies which teams need additional coaching. I've seen organizations reduce phishing click rates by 70% within six months of consistent simulation programs.
Real Attacks, Real Consequences
Disney+ Launch Day (2019)
Within hours of Disney+ launching in November 2019, thousands of accounts were compromised and listed for sale on dark web forums. Disney confirmed the issue wasn't a breach of their systems — the credentials came from other breaches. Users who reused passwords were immediately victimized. The reputational damage to a major brand launch was significant.
Dunkin' Donuts (2018-2019)
Dunkin' suffered two credential stuffing attacks within three months. The New York Attorney General's office investigated and reached a $650,000 settlement in 2020, finding that Dunkin' failed to take adequate protective measures after the first attack. The FTC and state attorneys general are increasingly holding companies accountable for failing to defend against predictable attack methods like credential stuffing.
The North Face (2022)
Outdoor retailer The North Face disclosed a credential stuffing attack in August 2022 that compromised 194,905 accounts on its website. Attackers accessed names, purchase histories, billing and shipping addresses, and loyalty points. The parent company, VF Corporation, later suffered a separate ransomware attack in late 2023 — a reminder that threats compound.
Can You Completely Stop Credential Stuffing?
No. You can't control whether your users' credentials appear in someone else's breach. You can't eliminate password reuse through policy alone. But you can make credential stuffing attacks dramatically less likely to succeed and minimize the damage when they do.
The combination of MFA, breach-aware password policies, bot detection, zero trust principles, and continuous security awareness training creates layered defense. No single control is sufficient. Together, they make your organization a hard target — and attackers consistently move on to easier ones.
What Should You Do This Week?
If you take away three actions from this post, make them these:
- Audit your MFA coverage. Identify every externally facing application and verify that MFA is enforced. Not available — enforced. Pay special attention to legacy apps and admin portals.
- Check your credentials against breach data. Use the NIST 800-63B guidelines as your reference. Integrate breach-data screening into your identity platform.
- Start a security awareness program today. If your employees don't understand why credential reuse is dangerous, nothing else matters. Enroll your team in structured cybersecurity awareness training and pair it with regular phishing simulations to build lasting habits.
Credential stuffing attacks aren't going away. The supply of stolen credentials grows after every breach, and attackers' automation tools get better every year. But the organizations that take password security seriously — that treat credential hygiene as an organizational priority, not a user problem — are the ones that stay out of the headlines.
Your move.