Vol. 1 · Ed. 2026
CyberGlossary
Entry № 258

Credential Stuffing

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Credential Stuffing?

Credential Stuffing: An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.


Credential stuffing leverages enormous combolists of credentials stolen in past breaches. The term was coined in 2011 by Sumit Agarwal, and OWASP catalogues it as automated threat OAT-008. Attackers feed combolists through automation frameworks (Sentry MBA, OpenBullet, Snipr, custom scripts) that rotate residential proxies, solve CAPTCHAs, and pace requests to evade rate limits. Because many users reuse passwords across sites, even a low success rate (often 0.1–2 %) produces large volumes of takeovers, which are then monetised through fraud, gift-card cashout, or onward credential resale.

The technique is distinct from brute force: it does not guess passwords, it replays ones already known to be valid somewhere. The 2023 23andMe breach is a textbook case — attackers used reused credentials to log into roughly 14,000 accounts, then pivoted through the "DNA Relatives" feature to scrape data on nearly 7 million people, none of whose accounts were directly compromised. Similar campaigns have hit streaming, retail, and financial platforms for years.

Defences include MFA (ideally phishing-resistant FIDO2/passkeys), breached-password screening against corpora like Have I Been Pwned, device fingerprinting, bot management, impossible-travel and velocity anomaly detection, and progressive throttling or step-up challenges on suspicious logins.
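The breached-password screening mentioned above is usually done with a k-anonymity range lookup so the user's password (or its full hash) never leaves the service: the client sends only the first five hex characters of the SHA-1, receives every known suffix under that prefix with its breach count, and compares locally. The block below is an added example, not code from the glossary or from Have I Been Pwned; the breached corpus and the range response are constructed stand-ins so it runs offline, and the names (fake_range_lookup, breach_count, password_policy_decision) are assumptions.

```python
"""Breached-password screening with a k-anonymity range lookup (added example).

The real Pwned Passwords range endpoint is GET https://api.pwnedpasswords.com/range/<prefix>,
which returns lines of the form SUFFIX:COUNT for every SHA-1 starting with the
5-character prefix. fake_range_lookup below imitates that response from a
constructed corpus so the example needs no network access.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: passwords we pretend have appeared in breach dumps, with counts.
_CONSTRUCTED_BREACHED = {
    "password123": 123456,
    "letmein": 9876,
    "qwerty": 555555,
}


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the range API: return 'SUFFIX:COUNT' lines for every
    constructed corpus entry whose SHA-1 begins with prefix, plus one filler
    line so a miss still yields a non-empty response."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    lines.append("F" * 35 + ":1")  # constructed filler suffix, never a real match
    return "\r\n".join(lines)


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 if unseen).

    Only the 5-character prefix is sent to `lookup`; the suffix comparison
    happens here, which is the k-anonymity property."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_policy_decision(password: str, threshold: int = 1) -> str:
    """Policy hook for registration / password change: reject any password
    seen at least `threshold` times in breach corpora."""
    seen = breach_count(password)
    if seen >= threshold:
        return f"reject: seen {seen} times in breach corpora"
    return "accept"


if __name__ == "__main__":
    for pw in ("password123", "qwerty", "Tr0ub4dor&3-unique-constructed"):
        print(pw, "->", password_policy_decision(pw))
```

To use the real corpus, replace fake_range_lookup with a function that fetches the range URL for the prefix (HIBP also honours an Add-Padding request header that pads responses to a uniform size); the rest of the logic is unchanged. Applying the same check at login time, not only at registration, is what catches the reused passwords credential stuffing depends on.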

Attack flow (Mermaid flowchart):

flowchart LR
  A[Breach combolists<br/>user:pass pairs] --> B[Automation tool<br/>OpenBullet / Sentry MBA]
  B --> C[Rotate residential proxies<br/>+ solve CAPTCHAs]
  C --> D[Replay logins across<br/>many target sites]
  D --> E{Password reused?}
  E -->|No| F[Login fails]
  E -->|Yes| G[Account takeover]
  G --> H[Fraud / resale / data theft]

Examples

  1. Bots logging into a streaming service with combolists from unrelated forum breaches to resell working accounts.

  2. A retailer seeing a spike of logins from residential IPs across thousands of accounts after a third-party leak.
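The second example, and the velocity anomaly detection named in the definition, come down to two signals in authentication logs: one source attempting many distinct usernames in a short window with a high failure rate, and one account receiving failures from many distinct sources (the proxy-rotated variant). The block below is an added example, not code from the glossary or any product; the log format, IP addresses, usernames, thresholds and function names are all constructed assumptions.

```python
"""Velocity-based credential stuffing detection over constructed auth logs (added example).

Each log line is "timestamp ip username result" with result OK or FAIL; this
format and every value in SAMPLE_LOG are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.10 alice FAIL
2024-03-01T10:00:01Z 203.0.113.10 bob FAIL
2024-03-01T10:00:02Z 203.0.113.10 carol FAIL
2024-03-01T10:00:03Z 203.0.113.10 dave OK
2024-03-01T10:00:04Z 203.0.113.10 erin FAIL
2024-03-01T10:00:05Z 203.0.113.10 frank FAIL
2024-03-01T10:00:06Z 203.0.113.10 grace FAIL
2024-03-01T10:00:07Z 203.0.113.10 heidi FAIL
2024-03-01T10:01:00Z 198.51.100.7 alice FAIL
2024-03-01T10:01:30Z 198.51.100.7 alice FAIL
2024-03-01T10:02:00Z 198.51.100.7 alice OK
2024-03-01T10:05:00Z 192.0.2.21 ivan FAIL
2024-03-01T10:05:10Z 192.0.2.22 ivan FAIL
2024-03-01T10:05:20Z 192.0.2.23 ivan FAIL
2024-03-01T10:05:30Z 192.0.2.24 ivan FAIL
2024-03-01T10:05:40Z 192.0.2.25 ivan OK
"""


def parse(log: str):
    """Parse log text into sorted (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "OK"))
    events.sort()
    return events


def spraying_sources(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames inside `window`
    with a failure ratio at or above `min_fail_ratio` (one tool, many combos)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        recent = deque()  # sliding window of (ts, user, ok)
        for ts, user, ok in sorted(evs):
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            fails = sum(1 for _, _, o in recent if not o)
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(recent),
                               "fail_ratio": fails / len(recent)}
    return flagged


def distributed_targets(events, window=timedelta(minutes=5), min_ips=4):
    """Flag accounts hit from many distinct IPs inside `window`: the proxy-rotated
    form of stuffing that per-IP limits miss. `succeeded` records whether any
    attempt in the window got through, which is the takeover signal."""
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        by_user[user].append((ts, ip, ok))
    flagged = {}
    for user, evs in by_user.items():
        recent = deque()
        for ts, ip, ok in sorted(evs):
            recent.append((ts, ip, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            ips = {i for _, i, _ in recent}
            if len(ips) >= min_ips:
                flagged[user] = {"distinct_ips": len(ips), "attempts": len(recent),
                                 "succeeded": any(o for _, _, o in recent)}
    return flagged


def response_action(ip_flags, user_flags, ip, user) -> str:
    """Progressive response: block a spraying source outright, but only step up
    (MFA / challenge) a targeted account so its real owner is not locked out."""
    if ip in ip_flags:
        return "block_ip"
    if user in user_flags:
        return "require_mfa_step_up"
    return "allow"


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(evs))
    print("distributed targets:", distributed_targets(evs))
```

On the constructed log, 203.0.113.10 is flagged (8 distinct usernames, 7 of 8 failures inside a minute), 198.51.100.7 is not (one user retrying, then succeeding), and the account ivan is flagged because four proxy IPs failed and a fifth succeeded within five minutes. Thresholds are deliberately conservative placeholders; tune them against your own baseline, and feed the per-account flag into step-up rather than lockout so the attacker cannot turn the control into a denial of service against legitimate users.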

Frequently asked questions

What is Credential Stuffing?

An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts. It belongs to the Attacks & Threats category of cybersecurity.

What does Credential Stuffing mean?

An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.

How do you defend against Credential Stuffing?

Defences for Credential Stuffing combine technical controls and operational practices: MFA (ideally phishing-resistant FIDO2/passkeys), screening passwords against breach corpora such as Have I Been Pwned, device fingerprinting and bot management, impossible-travel and velocity anomaly detection, and progressive throttling or step-up challenges on suspicious logins, as detailed in the full definition above.

What are other names for Credential Stuffing?

Common alternative names include: Credential replay, Account checking.
