
What is credential stuffing?


Credential stuffing is an insidious attack method that exploits the widespread tendency to reuse passwords across multiple online services, posing a risk to individuals and businesses alike. With 75% of users recycling their passwords, cybercriminals use sophisticated bots to test vast databases of stolen credentials, trying to gain unauthorized access to sensitive information. In the second half of 2018 alone, there were 28 billion credential stuffing attempts, indicating the need for stronger cybersecurity measures and greater user vigilance.


Understanding credential stuffing

Unlike brute-force attacks, which attempt every possible password combination, credential stuffing uses real credentials that have already been confirmed to work somewhere. Attackers source these credentials from dark web markets, infostealer malware logs, and breach compilations, then run them through automated tools against login pages at scale. A login attempt that uses a real username and real password generates authentication traffic that is largely indistinguishable from legitimate user activity, which makes these attacks much harder to detect than technical intrusion attempts.

A 2022 academic paper on compromised credential checking services, published as part of the USENIX Security Symposium and cited extensively in subsequent credential security research, describes the foundational dynamic: billions of passwords are available online as a result of prior compromises, and because users frequently choose the same or similar passwords across different web services, attackers can use leaked credentials to access accounts on entirely different platforms. Verizon's extended research accompanying the 2025 DBIR found that in the median case, only 49% of a user's passwords across different services were distinct from each other, meaning roughly half of any given user's credentials are duplicated somewhere across their accounts.



The impact of credential stuffing

Credential stuffing sits at the beginning of a chain of more damaging attacks. Compromised credentials are used to access email accounts, patient portals, financial systems, and enterprise platforms. Once inside, attackers access sensitive data directly, establish persistence, conduct lateral movement, or sell the validated access to other threat actors who deploy ransomware or conduct fraud.

The IBM X-Force Threat Intelligence Index 2025 found that valid compromised credentials were used in 30% of all intrusions IBM responded to in 2024, making credential abuse the single most common initial access vector. Verizon's 2025 DBIR found that stolen credentials were the initial access vector in 22% of all confirmed breaches, with 88% of basic web application attacks relying on stolen credentials specifically.

For healthcare, the consequences are both regulatory and clinical. According to Paubox's Top 3 Healthcare Email Attacks in 2025 report, credential-based mailbox takeovers accounted for the largest share of exposed patient data among email-related healthcare breaches in 2025, with phishing-driven mailbox takeovers exposing 630,000 individuals. According to Paubox's 2025 Healthcare Email Security Report, the Warby Parker breach, which compromised nearly 200,000 patients' data, was a credential stuffing attack. OCR enforcement data confirms that credential stuffing has prompted formal HIPAA investigations, with the HHS OCR identifying it as one of six primary incident types driving enforcement actions since 2024.


How credential stuffing works

Attackers begin by acquiring credential lists, commonly called combo lists, which contain pairs of usernames or email addresses and passwords harvested from prior breaches. These lists are bought on dark web forums, obtained through infostealer malware logs, or compiled from publicly leaked breach databases. A single large breach can supply tens of millions of usable credential pairs.

Automated tools then test these credentials against target login pages using rotating proxy networks and spoofed user agents to distribute the attempts and avoid triggering rate-limiting or IP blocking controls. Because each attempt uses a different credential rather than the same password repeated, the traffic pattern does not resemble a traditional brute-force attack. Verizon's extended DBIR credential stuffing research notes that these attacks hide by modifying headers and attempting authentication only once per specific user account, making them successful at blending into normal authentication traffic.

Success rates are low in absolute terms, typically between 0.1% and 4%. At the volumes attackers operate, however, even a low hit rate produces thousands of valid account accesses from a single campaign. Validated credentials are then sorted: high-value accesses such as email accounts, healthcare portals, or financial services are used or sold directly, while lower-value hits may be compiled into new breach lists for future campaigns.

Infostealers have accelerated the credential supply pipeline considerably. IBM X-Force found an 84% increase in phishing emails delivering infostealer malware in 2024 compared to the prior year, with those infostealers generating more than 8 million dark web credential advertisements from the top five families alone. The credentials produced by infostealers are particularly fresh and tend to carry higher success rates in stuffing campaigns than older breach lists.


Why credential stuffing is harder to detect and stop

The fundamental challenge in detecting credential stuffing is that a successful attack looks like a successful login. Valid credentials, used from an IP address that is not obviously malicious, produce authentication logs that differ from legitimate user sessions only in context: slightly unusual timing, an unfamiliar device, or a geographic location inconsistent with the user's history.

Rate limiting and IP blocking are the most common defenses, but they are increasingly ineffective against modern tooling. Verizon's credential stuffing research found that credential stuffing accounted for 19% of all authentication attempts in the median organization analyzed through SSO provider logs, meaning security teams have become largely desensitized to this background level of attack traffic. Attackers also use residential proxy networks and legitimate cloud services to distribute attempts across thousands of IP addresses, making IP-based blocking an expensive and incomplete control.

Multi-factor authentication is the most effective individual control, but adoption in healthcare remains inconsistent. Verizon's 2025 DBIR extended research identifies MFA non-adoption as one of the two primary weaknesses enabling credential stuffing to succeed, alongside password reuse itself. Even where MFA is deployed, push-notification-based methods remain vulnerable to prompt bombing and adversary-in-the-middle attacks, which IBM X-Force documented as a growing dark web product category.


Recognizing credential stuffing activity

Credential stuffing leaves patterns in authentication logs that are recognizable when analysts know what to look for. A spike in failed login attempts across many different user accounts in a short window is a strong signal, particularly when those attempts originate from geographically dispersed IP addresses or rotate rapidly through unfamiliar user agents. Successful logins from locations or devices inconsistent with a user's normal behavior, without any prior failed attempts, may indicate a stuffing hit that bypassed rate limiting entirely.

In healthcare environments, post-login activity provides additional indicators. Paubox's Top 3 Healthcare Email Attacks in 2025 report describes how attackers with valid credentials access inboxes as legitimate users and remain undetected for extended periods by reviewing historical email for PHI and attachments, searching for billing or referral keywords, and creating inbox rules to forward or conceal messages. Unusual inbox rules, access to email search history involving clinical or financial keywords, and unexpected forwarding configurations following a login from an unfamiliar device are all indicators worth monitoring.
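The two log patterns described above, as an added example that is not part of the original article: a burst of failures spread across many accounts, IPs and user agents (which per-account lockout never sees, since each account is tried only once), and a "quiet" success from a device absent from the user's history with no preceding failure. The log format, thresholds and device baseline are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp user src_ip user_agent outcome".
# Lines 1-6 mimic a stuffing burst: one attempt per account from a different IP and
# user agent each time; line 6 is the attacker's hit on frank's account.
SAMPLE_LOG = """\
2025-03-01T02:00:01 alice 203.0.113.10 ua-A FAIL
2025-03-01T02:00:03 bob 198.51.100.7 ua-B FAIL
2025-03-01T02:00:05 carol 192.0.2.44 ua-C FAIL
2025-03-01T02:00:07 dave 203.0.113.99 ua-D FAIL
2025-03-01T02:00:09 erin 198.51.100.200 ua-E FAIL
2025-03-01T02:00:11 frank 192.0.2.9 ua-F OK
2025-03-01T09:15:00 alice 10.0.0.5 ua-A OK
2025-03-01T09:16:00 alice 10.0.0.5 ua-A FAIL
"""
# Constructed baseline: user agents seen in each user's prior legitimate sessions.
KNOWN_DEVICES = {"alice": {"ua-A"}, "frank": {"ua-Z"}}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, ua, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ua": ua, "ok": outcome == "OK"})
    return sorted(events, key=lambda e: e["ts"])

def detect_stuffing_burst(events, window=timedelta(minutes=5), min_users=5, min_ips=4):
    """Flag windows where many distinct accounts fail from many distinct source IPs."""
    fails = [e for e in events if not e["ok"]]
    alerts, i = [], 0
    while i < len(fails):
        bucket = [e for e in fails[i:] if e["ts"] - fails[i]["ts"] <= window]
        users = {e["user"] for e in bucket}
        ips = {e["ip"] for e in bucket}
        if len(users) >= min_users and len(ips) >= min_ips:
            alerts.append({"start": fails[i]["ts"], "users": len(users), "ips": len(ips),
                           "agents": len({e["ua"] for e in bucket})})
            i += len(bucket)  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts

def detect_quiet_takeover(events, known_devices):
    """Success from a device absent from the user's history, with no prior failure."""
    failed_users, hits = set(), []
    for e in events:
        if not e["ok"]:
            failed_users.add(e["user"])
        elif e["ua"] not in known_devices.get(e["user"], set()) and e["user"] not in failed_users:
            hits.append((e["user"], e["ip"], e["ua"]))
    return hits
```

In production the device baseline would come from an identity provider's session history and the thresholds would be tuned against the organization's own background level of stuffing traffic.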


Best practices for defending against credential stuffing

Multi-factor authentication remains the most direct mitigation. Verizon's extended credential stuffing research explicitly identifies MFA non-enablement alongside password reuse as the two conditions that make stuffing attacks succeed, and notes that MFA enablement is increasingly considered table stakes for any authentication flow that matters. Phishing-resistant MFA methods that do not rely on push notifications offer stronger protection in healthcare environments where prompt bombing is documented.

Upstream email security reduces credential exposure at the source. Phishing is the primary mechanism through which credentials are initially stolen before entering combo lists. According to Paubox's 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to security teams, which means the vast majority of credential-harvesting phishing attempts go undetected at the human level. Paubox's Inbound Email Security is designed to detect and block phishing and impersonation attempts before they reach inboxes, reducing the likelihood of initial credential theft that feeds credential stuffing campaigns downstream.



In the news

The Health Sector Cybersecurity Coordination Center (HC3) has previously issued an alert about credential harvesting, a prevalent tactic in cyberattacks on the healthcare and public health (HPH) sector. Credential harvesting involves obtaining usernames, passwords, and personal information, providing hackers with unauthorized access to sensitive data and systems. This can lead to extensive attacks, including data breaches, malware deployment, and system disruptions. Common methods include phishing, keylogging, brute force attacks, person-in-the-middle attacks, and credential stuffing. To mitigate these risks, healthcare organizations should adopt multi-factor authentication, implement strong email filtering, conduct employee cybersecurity training, and deploy monitoring and detection solutions. This alert follows an earlier HC3 warning on email bombing tactics used in denial of service attacks.


FAQs

Why is credential stuffing particularly concerning for healthcare organizations?

Credential stuffing is especially concerning for healthcare organizations because it can lead to unauthorized access to sensitive patient information, potentially compromising patient privacy, leading to identity theft, and disrupting healthcare services.


How can I tell if my healthcare account has been targeted in a credential stuffing attack?

Signs that your healthcare account might have been targeted include unusual login attempts, unexpected password changes, unfamiliar activity on your health records, or receiving notifications about failed login attempts from your healthcare provider.


What are the consequences of a successful credential stuffing attack in healthcare?

Consequences can include unauthorized access to personal health information (PHI), financial fraud, identity theft, billing fraud, disruption of healthcare services, and reputational damage to healthcare providers.


How is credential stuffing different from other types of cyber attacks in healthcare?

Credential stuffing is distinct because it specifically involves using stolen credentials to gain access, rather than exploiting software vulnerabilities or using phishing techniques to trick users into revealing their information.
