---
title: "What is a Credential Stuffing Attack and Why Is It Paramount to Protect Your Organization from Such Phishing Attacks | Phish Protection"
description: "Credential stuffing is an account-takeover attack in which threat actors replay username and password pairs exposed in a data breach against the login pages of other, unrelated services."
image: "https://phishprotection.com/og/blog/what-is-credential-stuffing-attack-and-why-paramount-protect-your-organization.png"
canonical: "https://phishprotection.com/blog/what-is-credential-stuffing-attack-and-why-paramount-protect-your-organization/"
---

Quick Answer

Credential stuffing is an account-takeover attack in which threat actors take username and password pairs exposed in a data breach (or harvested by phishing) and replay them, with automated tools, against the login pages of other, unrelated services. For example, an attacker may take the list of usernames and passwords leaked from a department store and try each pair on the website of a national bank, betting that some customers reused the same login for both.


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2021/11/protection-from-phishing-3479.jpg) 

_Credential stuffing is an account-takeover attack in which threat actors take credentials exposed in a data breach, or stolen in a [phishing attack](/resources/phishing-attacks-and-content-protection/), and replay them against the login pages of other, unrelated services_. For example, an attacker may take the list of usernames and passwords leaked from a department store and try each pair on the website of a national bank. The attack relies on the fact that a fraction of department store customers also have an account at that bank and use the same login credentials for both.

### Alarming Statistics Pertaining to Credential Stuffing Attacks

The following statistics highlight the need to address the growing problem of credential stuffing: 

- The F5 annual [Credential Stuffing Report 2021](https://www.f5.com/labs/articles/threat-intelligence/2021-credential-stuffing-report) states that the number of reported credential spill incidents **approximately doubled** between 2016 and 2020.
- The same report found that organizations were slow to detect these incidents, _taking 327 days on average to discover a credential spill_. The median was 120 days, and the longest time taken to detect a spill was six and a half years.
- According to [Arkose Labs](https://www.arkoselabs.com/blog/why-businesses-need-a-new-standard-of-credential-stuffing-protection/), **1.3 billion attacks** were observed in the third quarter of 2020, with **over 770 million** of them being credential stuffing attempts. It was not the first report to note the rise of [pandemic-related credential stuffing](https://www.darkreading.com/endpoint/pandemic-credential-stuffing-cybersecuritys-ultimate-inside-job/a/d-id/1338400), but it confirmed the scale.
- According to [Akamai](https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-credential-stuffing-in-the-media-industry#:~:text=Released%20today%2C%20the%20Akamai%202020,reporting%20period%20targeted%20media%20companies.), _2020 saw **193 billion** credential stuffing attempts worldwide_, **over 3.4 billion** of them aimed at financial services organizations, a year-over-year increase of more than 45% in that sector.

### Difference Between Brute Force Attacks And Credential Stuffing

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

A common mistake organizations make when evaluating defenses, including an [anti-malware solution](/products/malware-and-ransomware-protection/), is to file credential stuffing under brute force attacks. The two look alike in a log (a burst of failed logins) but differ in a way that matters for defense. A brute force attack guesses passwords for an account with no prior knowledge, so it needs many attempts per account and is defeated by long, random passwords and lockout policies. Credential stuffing starts from username and password pairs already known to be valid somewhere, so it needs only one or two attempts per account, stays under lockout thresholds, and succeeds against an arbitrarily strong password whenever that password was reused. Strong passwords are therefore robust [protection](/) against brute force but are insufficient on their own against credential stuffing; what stops it is not reusing passwords, plus controls that do not depend on password strength at all (multi-factor authentication, breached-credential screening, and per-source rate limiting).

### How Threat Actors Launch Credential Stuffing Attacks

Essentially, there are three steps in a credential stuffing attack:

**_Data Harvesting:_** Attackers first need lists of valid email addresses or usernames together with their passwords. These come from breaches of other services and from phishing, and are traded or given away on criminal forums and the dark web, often merged into large "combo lists".

**_Validating Accounts:_** Next they find out which pairs still work on the target service. Because the credentials are already valid somewhere, only one or a few attempts per account are needed, so the work is spread across many accounts and many source IP addresses (bots, residential proxies, automated scripts, and sometimes human click farms to solve CAPTCHAs) to stay below lockout and rate-limit thresholds. Only a small fraction of pairs validate, but at the scale involved that is still a large number of accounts.

**_Monetizing the Attack:_** Validated accounts are either exploited directly (draining balances, making fraudulent purchases, or using the mailbox for further phishing) or _sold as verified credentials on the dark web or to third parties_.
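The difference drawn above between brute force and the validation step of credential stuffing (many attempts against few accounts versus one or two attempts each against many accounts) is visible in ordinary authentication logs. The following Python detector illustrates it. It is an added example for this post, not code from Phish Protection; the log format, the sample events and the thresholds are constructed for illustration and should be tuned against your own baseline.

```python
"""Detector that separates credential stuffing from brute force in auth logs.

Added example (not Phish Protection's code). The log format, thresholds and
sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log: "<timestamp> <source IP> <username> <FAIL|OK>".
# 203.0.113.7 replays one breached pair per account (stuffing; one of the
# eight pairs still works). 198.51.100.9 hammers a single account (brute
# force). 192.0.2.5 is a real user who mistyped once and then logged in.
SAMPLE_LOG = """\
2021-11-12T10:00:01Z 203.0.113.7 alice FAIL
2021-11-12T10:00:01Z 203.0.113.7 bob FAIL
2021-11-12T10:00:02Z 203.0.113.7 carol FAIL
2021-11-12T10:00:02Z 203.0.113.7 dave OK
2021-11-12T10:00:03Z 203.0.113.7 erin FAIL
2021-11-12T10:00:03Z 203.0.113.7 frank FAIL
2021-11-12T10:00:04Z 203.0.113.7 grace FAIL
2021-11-12T10:00:04Z 203.0.113.7 heidi FAIL
""" + "".join(
    f"2021-11-12T10:01:{i:02d}Z 198.51.100.9 admin FAIL\n" for i in range(10)
) + """\
2021-11-12T10:05:00Z 192.0.2.5 alice FAIL
2021-11-12T10:05:09Z 192.0.2.5 alice OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse_events(log_text):
    """Yield (ip, username, succeeded) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK"):
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def stats_by_source(log_text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_events(log_text):
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def classify_source(s, min_attempts=5):
    """Label one source IP from the shape of its login attempts.

    Brute force: many attempts per account, almost all failing.
    Credential stuffing: about one attempt per account, many accounts,
    mostly failing (only a small fraction of a combo list validates).
    A strong password stops the first pattern but not the second.
    """
    if s.attempts < min_attempts:
        return "benign"
    attempts_per_account = s.attempts / len(s.accounts)
    failure_rate = s.failures / s.attempts
    if attempts_per_account >= 4 and failure_rate >= 0.8:
        return "brute-force"
    if len(s.accounts) >= 5 and attempts_per_account <= 2 and failure_rate >= 0.5:
        return "credential-stuffing"
    return "benign"


def classify_log(log_text):
    """Map each source IP in the log to a label."""
    return {ip: classify_source(s) for ip, s in stats_by_source(log_text).items()}


def compromised_accounts(log_text):
    """Accounts that logged in successfully from a stuffing source: the ones
    to force a password reset and session revocation on."""
    hits = set()
    for s in stats_by_source(log_text).values():
        if classify_source(s) == "credential-stuffing":
            hits |= s.successes
    return hits


if __name__ == "__main__":
    for ip, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Run as a script, it labels the two attacker sources and lists `dave` for a forced reset because a replayed pair succeeded from a stuffing source. The per-IP view is deliberately simple: an attacker who spreads the same list across a residential proxy pool shows up as hundreds of sources with one failed attempt each, so in practice the same ratio (distinct accounts with a single failed attempt in a window, compared with your normal baseline) should also be computed fleet-wide rather than only per source.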

### Why Do Organizations Need to Worry About These Attacks?

Organizations seeking to deploy the best [phishing protection](/) must understand that _credential stuffing attacks are easy and cheap to launch and can cause [enormous losses](https://www.arkoselabs.com/blog/businesses-have-to-bear-covert-fraud-losses-due-to-subpar-defenses/)_, both direct and indirect.

- Direct losses include the cost of restoring compromised accounts, remediating the attack, and refunding amounts stolen from user accounts. With a single [password reset costing](https://www.okta.com/blog/2019/08/how-much-are-password-resets-costing-your-company/) enterprises **nearly $70**, a successful campaign against a large user base can cost millions a year.
- Operational costs include an increased burden on legal and compliance teams, more calls to contact centers, and the need for additional [email phishing protection](/) controls. Large organizations may spend **over $2 million a year** on call-center handling of password resets alone. The automated login traffic itself [puts strain on IT infrastructure](https://money.cnn.com/2018/03/18/technology/biometrics-workplace/index.html), since every replayed pair costs the same database lookup and password-hash computation as a genuine login.
- Another impact is negative publicity and disgruntled customers, which can do lasting damage to the [brand’s reputation](https://www.arkoselabs.com/blog/ato-severely-harm-user-experience-and-brand-reputation/). In an age where reviews and ratings play a crucial role in building a brand, angry complaints from users whose accounts were taken over directly hurt customer acquisition.

### Ways to Prevent Credential Stuffing Attacks

Cyber-criminals combine these combo lists with increasingly capable stuffing tools (proxy rotation, CAPTCHA-solving services, browser emulation) to get around traditional [anti-phishing solutions](/products/advanced-threat-defense/). Here are the main ways to _prevent credential stuffing against your organization_:

![Email phishing protection](https://media.mailhop.org/phishprotection/images/2021/11/email-phishing-protection-7914.jpg) 
- **_Use unique passwords for each service:_** _The first step in reducing exposure to credential stuffing is to stop reusing passwords_, because a stuffing attack only works when the leaked pair is valid elsewhere. Since the average person has over a hundred accounts and cannot remember a unique password for each, the practical answer is a password manager that generates and stores a random password per site. A memorable [derivation rule](https://www.pentasecurity.com/blog/smart-creative-ways-setting-easy-robust-passwords/) for per-site passwords is the weaker option: once a single leaked password reveals the rule, every other site's password can be inferred from it.
- **_Use a web application firewall (WAF) or bot management:_** IT teams should make a reliable WAF part of their **anti-phishing solution**, configured to detect the traffic shape of botnets against the login endpoint: many distinct usernames per source, high failure rates, and headless or non-browser clients. A WAF alone cannot prevent credential stuffing, but it can rate-limit, challenge, or flag suspicious login attempts before they reach the application.
- **_Credential hashing and breached-password screening:_** Hash stored passwords with a salted, slow algorithm (argon2id, scrypt or bcrypt) so that if your database is stolen, the passwords cannot be recovered and fed into the next attacker's combo list. Note the limit of this control: it protects other sites from your breach, not you from theirs; an attacker replaying a correct, reused password still passes verification. Complement it by checking new passwords against known-breach corpora at registration and password change, as NIST SP 800-63B recommends.
- **_Multi-Factor Authentication (MFA):_** This is the most effective single control, because a stolen password alone no longer grants access; it is the surest way to [prevent](/) breached or phished credentials from being enough on their own. The second factor can be a one-time code from an authenticator app or sent to the user's device, a fingerprint or other biometric, an email to a secure account, or a hardware security key. Prefer phishing-resistant factors (FIDO2/WebAuthn keys or passkeys) where possible, because one-time codes can still be captured by a real-time phishing proxy.
- **_Rate-limit and deny-list suspicious sources:_** Block or challenge IP addresses that attempt logins against many different accounts in a short window. Treat this as a supporting control rather than a primary one: attackers now spread attempts across large residential proxy pools so that each IP sends only a handful of requests, so pair IP-based limits with per-account limits, device fingerprinting, and the WAF's behavioral signals.
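To make the hashing and screening points above concrete, here is an added Python example (not Phish Protection's code) of how a login service can store passwords with a salted scrypt hash, screen new passwords against a breach corpus, and avoid turning the login endpoint into a username oracle. The breach corpus, the user table, the sample passwords and the scrypt parameters are constructed or assumed for illustration; a production deployment would use a full Pwned-Passwords style corpus and, where available, argon2id.

```python
"""Password storage and breached-password screening for a login service.

Added example (not Phish Protection's code). Breach corpus, user table and
KDF parameters are constructed / assumed for illustration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breach corpus. Real corpora such as Have I Been
# Pwned's Pwned Passwords are distributed as SHA-1 hex digests, so the set is
# kept in that form and queried with the SHA-1 of the candidate password.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Summer2021!", "letmein")
}

# scrypt cost parameters (assumed; n=2**14, r=8, p=1 is the OWASP minimum).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def is_breached(password):
    """True if the password appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def hash_password(password, salt=None):
    """Salted, memory-hard hash. The stored string carries its own parameters
    so they can be raised later without breaking existing records."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the record's own parameters and compare."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Verified against unknown usernames so the response time is the same whether
# or not the account exists; otherwise the login endpoint becomes a username
# oracle that lets an attacker prune a stuffing list before replaying it.
_DUMMY_HASH = hash_password("not-a-real-password")


def set_password(users, username, password):
    """Registration / password-change path: refuse passwords that already
    appear in a breach corpus (NIST SP 800-63B), then store a salted hash."""
    if is_breached(password):
        return False
    users[username] = hash_password(password)
    return True


def login(users, username, password):
    """Password check for one login attempt; always does one scrypt run."""
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored)
    return ok and username in users


if __name__ == "__main__":
    users = {}
    print(set_password(users, "alice", "Summer2021!"))            # False: in corpus
    print(set_password(users, "alice", "cobalt-orchid-47-tram"))  # True
    print(login(users, "alice", "wrong-password"))                # False
    print(login(users, "nobody", "cobalt-orchid-47-tram"))        # False
    # True for alice, and just as true for an attacker replaying the same
    # password from a breach of another site where she reused it.
    print(login(users, "alice", "cobalt-orchid-47-tram"))
```

The last call is the caveat from the hashing bullet made concrete: if `alice` reuses `cobalt-orchid-47-tram` on another site that is later breached, `login()` accepts it from an attacker exactly as it does from her, because the hash is correct. Nothing in password storage can tell the two apart; that is the gap that MFA and the rate-based detection described earlier close.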

### Final Words

Credential stuffing attacks are easy and cheap to run, so their popularity with criminals keeps growing. Even if your business has not been hit yet, do not treat anti-malware and anti-ransomware products as a one-stop solution for every security need. A robust **[anti-phishing strategy](/blog/machine-learning-helps-fighting-phishing-attacks/)** is a must, and enterprises must recognize that a password as the sole means of authentication no longer provides the security today's environment requires. Better safeguards against phishing and stolen credentials are no longer optional; they are a necessity in today's evolving threat landscape.

## Topics

[ Phishing Awareness ](/tags/phishing-awareness/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

Published 2021-11-12; last modified 2026-04-17.
