TL;DR: Credential stuffing remains a major account takeover path, with the source article citing IBM data that 16% of breaches involve stolen credentials, 292 days is the average containment time for compromised credential attacks, and the average cost is $4.81M per breach. The governance problem is not just blocking bots, but reducing the durability and usefulness of stolen identity material.
At a glance
What this is: This is a vendor analysis of credential stuffing and account takeover that frames stolen credentials as a breach driver and argues for layered detection and mitigation.
Why it matters: It matters because IAM, PAM, and NHI programmes all inherit the same problem when identity material is replayed, abused, or industrialised at scale.
By the numbers:
- 16% of breaches are caused by stolen credentials.
- 292 days on average to contain compromised credential attacks.
- $4.81M average cost of a breach involving stolen credentials.
👉 Read Arkose Labs' analysis of credential stuffing and account takeover defenses
Context
Credential stuffing is a replay attack in which stolen username and password pairs are tried against live accounts at scale. For IAM teams, the core problem is not authentication in isolation, but the fact that compromised identity material can remain valid long after it was exposed elsewhere.
The article treats account takeover as a business and governance problem as much as a fraud problem. That matters across human identity, customer identity, and adjacent NHI environments because once a credential is compromised, basic trust assumptions about legitimate access and abnormal behaviour both start to fail.
Key questions
Q: How should security teams reduce credential stuffing risk in customer login flows?
A: Start with risk-based authentication and bot detection on the highest-volume login surfaces, then add step-up controls where attack volume and account value justify the friction. Also screen for breached passwords, shorten the usefulness of exposed credentials through rapid invalidation, and correlate sign-in behaviour with downstream actions such as profile edits or payment attempts.
Q: Why does credential stuffing remain effective even when MFA exists?
A: Credential stuffing can still succeed when MFA is inconsistently enforced, when attackers target weak recovery flows, or when the account is protected only at initial login but not during later high-value actions. MFA reduces risk, but it does not remove the need to detect replayed credentials, session abuse, and abnormal account behaviour.
Q: What do security teams get wrong about account takeover detection?
A: They often focus on the login event alone. In practice, takeover is confirmed by what happens after authentication, including profile changes, reward redemptions, support abuse, or unusual payment behaviour. Detection should therefore combine identity signals with session and transaction telemetry instead of treating a successful sign-in as a clean outcome.
Q: Who is accountable when stolen credentials are used to drain customer accounts?
A: Accountability usually spans IAM, fraud, security operations, and the business owner for the affected workflow. The right framework is shared responsibility: authentication controls may fail at the door, but downstream teams often control the actions that turn access into loss. Clear ownership is needed for both detection and containment.
How it works in practice
Why credential stuffing succeeds against password-based accounts
Credential stuffing works because many users reuse credentials across services, giving attackers a high hit rate when they replay breached username and password pairs. Defenders are not facing a novel exploit so much as an industrialised reuse of already-valid identity material. The attacker does not need to break crypto or malware a device if the account still accepts the stolen combination. Risk scoring, password reuse controls, and step-up checks matter because the login itself is no longer a reliable signal of legitimacy.
Practical implication: reduce credential reusability and add risk-based friction where reused credentials are most likely to be tested.
How adaptive challenges change the economics of automated takeover
Adaptive challenges are designed to separate scripted automation from human users by increasing cost, latency, and operational complexity for attacker tooling. In practice, they do not stop all abuse, but they can force attackers to burn infrastructure, slow their throughput, and abandon lower-value targets. The technical value is not just blocking a login, but making automated attempts expensive enough that the attacker’s economics fail before account compromise scales. That is why these controls are often paired with telemetry and bot classification rather than used alone.
Practical implication: place adaptive friction at the highest-volume abuse points, not uniformly across every authentication flow.
Why account takeover becomes a fraud and detection problem after access is gained
Once an attacker gets in, the problem shifts from authentication failure to behavioural abuse. That includes reward theft, payment fraud, profile changes, and lateral use of trusted session state. Detection therefore needs to look beyond the login event and into session behaviour, device signals, velocity, and unusual transaction patterns. This is where identity and fraud programmes overlap: a valid session can still be malicious if the subsequent actions do not match normal account behaviour.
Practical implication: connect authentication telemetry to downstream account actions so takeover is detected after login, not only at the door.
NHI Mgmt Group analysis
Credential stuffing is an identity governance failure, not just a bot problem. The article correctly treats stolen credentials as a breach driver because the real weakness is persistent trust in reusable identity material. In practice, password-based authentication still assumes that possession of a valid credential means the user is legitimate, even after that credential has appeared in the wild. For IAM teams, the implication is that identity assurance must be treated as dynamic, not static.
Account takeover exposes the identity blast radius of weak authentication controls. Once an attacker authenticates, the damage is rarely confined to the login event. Session abuse, profile changes, reward theft, and payment fraud show how one valid access path can propagate across multiple business workflows. That makes this a cross-functional IAM, fraud, and customer-security problem, not a single-control problem. Practitioners need to measure where trusted sessions can still be abused.
Adaptive challenges shift attacker economics, but they do not repair the trust model. The article’s emphasis on real-time risk assessment and mitigation reflects the right tactical response to automation at scale. Still, the deeper issue is that the account remains reachable through a credential that may already be compromised. The challenge layer can raise cost and slow abuse, but it does not remove the underlying exposure of reused identity material. Practitioners should treat it as pressure reduction, not closure.
Customer identity and NHI governance increasingly overlap in the same control plane. The methods used to detect bot abuse, replay attacks, and anomalous session behaviour are converging with the telemetry patterns used to govern non-human access. That does not make customer IAM an NHI problem, but it does mean identity programmes need shared signals across humans, machine-issued sessions, and automated abuse patterns. The practical conclusion is to unify visibility before threat actors exploit the gaps between teams.
Ephemeral access is not the answer when the compromised factor is the account itself. Credential stuffing works because attackers weaponise standing trust in login material, not because access is overly long-lived in the abstract. That means programmes that focus only on session duration will miss the core issue. The stronger governance question is where reusable secrets, weak assurance, and insufficient behavioural checks are still allowing identity replay to succeed.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- That makes OWASP Agentic AI Top 10 the right next step for teams reassessing identity trust in automated and agent-driven environments.
What this signals
Credential replay is a symptom of broader identity trust debt. As customer estates, partner portals, and automation layers expand, identity programmes need a single view of how reusable credentials behave across login, session, and transaction stages. Teams that still treat authentication as a front-door control will keep absorbing fraud as an operational cost rather than reducing it as an identity risk.
The practical signal is to move from login-centric monitoring to outcome-centric monitoring. If a successful authentication can still lead to reward theft, account changes, or support abuse, then the programme has not closed the control loop. That is where correlation across IAM, fraud, and security telemetry becomes the most useful investment.
The same governance logic that is now being applied to AI agents also applies here: if access can be replayed, abused, and monetised faster than review cycles operate, the review cycle is already too slow. Practitioners should use this as a prompt to test whether their customer identity controls are measuring behaviour, not just access success.
For practitioners
- Tighten login risk controls Apply risk-based authentication, bot detection, and step-up checks at the highest-volume login paths where reused credentials are most likely to be tested. Prioritise customer-facing flows with the greatest fraud exposure and tune thresholds from observed attack traffic rather than static policy alone.
- Reduce credential replay value Accelerate password reset, credential invalidation, and breached-password screening so exposed identity material loses usefulness faster. Pair that with MFA where the business can tolerate it, especially for accounts with stored value, payment capability, or sensitive profile access.
- Correlate authentication with downstream abuse Link sign-in telemetry to session changes, reward redemption, support-contact changes, and payment events so a valid login can still be flagged as malicious. The strongest detection starts after the door is opened, when attacker behaviour becomes visible across account actions.
- Segment high-value accounts and workflows Treat loyalty, payment, support, and admin-adjacent customer flows as separate risk tiers with distinct controls. This limits the blast radius of a successful takeover and makes it harder for one compromised identity to reach multiple monetisable actions.
Key takeaways
- Credential stuffing remains effective because many identity systems still trust reusable login material more than they should.
- The scale signal is clear: stolen credentials drive a meaningful share of breaches, and containment is measured in months, not minutes.
- The strongest response is not a single anti-bot layer, but a joined-up identity and fraud control model that watches login, session, and account behaviour together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Credential replay is a direct access control failure. |
| NIST SP 800-63 | 4.2 | AAL and authentication assurance are central when credentials are replayed. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification after login, not blind trust. |
Tighten access verification and pair it with risk scoring at authentication and session stages.
Key terms
- Credential Stuffing: Credential stuffing is the automated replay of stolen username and password pairs against live accounts. The attacker relies on password reuse and weak login controls rather than breaking encryption. In practice, it is an industrialised identity abuse pattern that turns exposed credentials into account compromise at scale.
- Account Takeover: Account takeover is the unauthorised control of an account after successful authentication or recovery abuse. The attacker may change profile data, drain balances, abuse rewards, or move through trusted workflows. It is a downstream identity failure that often starts with compromised credentials but is confirmed by malicious post-login behaviour.
- Adaptive Challenge: An adaptive challenge is a risk-based control that changes friction in response to suspicious behaviour. It can slow automated abuse, raise attacker cost, and protect customer flows without forcing every legitimate user through the same hurdle. Its value is strongest when paired with telemetry and downstream detection.
- Identity Blast Radius: Identity blast radius is the amount of damage that can occur when one identity is misused or compromised. It reflects how far an attacker can move from one account into related workflows, data, or privileges. Strong governance reduces blast radius by limiting what a single account can reach.
What's in the full announcement
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- The specific detection signals used in its real-time risk assessment flow for credential stuffing and account takeover.
- How adaptive challenges are tuned to stop automation while preserving legitimate customer access.
- The platform components the vendor positions for account takeover, fake account creation, SMS toll fraud, API security, MFA compromise, and device intelligence.
- Customer examples and product-level context that go beyond the governance implications covered here.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org