TL;DR: Credential stuffing reuses stolen usernames and passwords across multiple login systems, and 1Kosmos notes that 193 billion attacks were seen in 2020 alone, with fraud, account takeover, and further compromise following reused credentials. Password-first identity still breaks when attackers can automate valid login attempts at scale.
At a glance
What this is: This is a practitioner analysis of credential stuffing and the identity control gaps that make reused credentials so dangerous.
Why it matters: It matters because IAM programmes that still depend on passwords, weak MFA coverage, or poor credential hygiene leave both human and non-human access paths exposed to large-scale account takeover.
By the numbers:
- There were 193 billion credential stuffing attacks in 2020 alone.
- 1Kosmos verifies identity anywhere, anytime, and on any device with over 99% accuracy.
👉 Read 1Kosmos' analysis of credential stuffing and password reuse risk
Context
Credential stuffing is a password reuse attack. An attacker takes stolen username and password pairs from one breach and tests them across other services until a login succeeds. That makes the problem an identity and access issue, not just a fraud or bot-detection problem.
The article is ultimately about how password-centric authentication creates a reusable attack surface across consumer and enterprise systems. For IAM teams, the lesson is that controls built around a single shared secret do not hold up when adversaries can automate validation at scale.
Key questions
Q: How should security teams reduce credential stuffing risk in enterprise environments?
A: Start by reducing reliance on reusable passwords, then add controls that make stolen credentials less useful. Enforce phishing-resistant MFA for sensitive access, deny known-compromised passwords, add strong rate limiting and anomaly detection, and monitor for repeated login attempts across accounts. The goal is to make replayed credentials fail before they become trusted sessions.
Q: Why do reused passwords make credential stuffing so effective?
A: Because a reused password turns one breach into many possible login successes. Attackers only need one matching username and password pair to move from an old compromise to a current account. The more services a person or team uses the same secret on, the more likely a single stolen credential set becomes a broad identity compromise.
Q: What do organisations get wrong about CAPTCHA and password defense?
A: They often treat CAPTCHA and password complexity as if they solve identity assurance. In practice, those controls only slow some automation and make passwords slightly harder to guess. They do not stop valid stolen credentials from being replayed, so they must be paired with stronger authentication and better compromise detection.
Q: How do IAM teams know whether login controls are actually working?
A: Look for a drop in successful logins from known compromised credential sets, fewer high-volume repeated attempts, and lower rates of account takeover from password replay. If users still authenticate successfully after credentials are exposed elsewhere, the control stack is not holding at the point that matters most.
Technical breakdown
How credential stuffing turns stolen passwords into account takeover
Credential stuffing succeeds because authentication systems often treat a valid username and password pair as evidence of identity, even when that pair originated elsewhere. Attackers do not need to break encryption or guess passwords in real time. They need only a large enough list of compromised credentials and enough automation to test them across login portals, APIs, and mobile flows. When organisations allow password reuse, the same compromise can cascade across multiple accounts and services. The attack becomes more effective when the target environment lacks rate limiting, detection for impossible login patterns, or strong step-up verification for suspicious access attempts.
Practical implication: teams need to assume stolen credentials are already in circulation and design controls that can stop valid secrets from becoming valid sessions.
Why passwords remain the weakest identity factor in this attack path
Passwords are reusable, phishable, and easy to harvest through database breaches, social engineering, or brute force. The article correctly notes that the problem is not just storage hygiene but the inherent weakness of a shared secret as an identity proof. Even hashed passwords can be exposed if the database is compromised, and once one account pair is known, attackers can test variants across other platforms. Secondary passwords reduce some risk, but they still leave the organisation dependent on secrets rather than possession, device trust, or phishing-resistant factors.
Practical implication: reduce reliance on shared secrets for user authentication and treat password reuse as an enterprise risk signal, not just a user behaviour issue.
Why automation changes the economics of login abuse
Credential stuffing is not a manual guessing exercise. Attackers feed stolen credentials into tooling that can test many services in parallel, vary request patterns, and swap in hybrid or dictionary-based mutations when direct reuse fails. That changes the control problem from individual login defence to system-level abuse resistance. CAPTCHA, throttling, and anomaly detection can slow this down, but they do not remove the core issue if the authentication model still accepts reusable passwords as the main proof of identity. The most durable defence is to reduce the value of the credential itself and constrain how quickly valid logins can become trusted sessions.
Practical implication: build login controls for adversarial automation, not normal user behaviour, and make sure policy decisions survive high-volume testing.
Threat narrative
Attacker objective: The attacker wants to turn one compromised credential set into repeatable access, account takeover, and downstream fraud or data theft.
- Entry occurs when attackers obtain stolen username and password pairs from a breach, phishing campaign, or other credential source.
- Escalation happens when those credentials are automated across many login portals, with hybrid or sprayed variants used to find valid reuse.
- Impact follows when a matching account is compromised and the attacker can steal data, commit fraud, or launch further attacks from inside the account.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Password reuse is the real control failure behind credential stuffing. The attack works because identity programmes still tolerate a shared-secret model that assumes one password maps to one user and one environment. That assumption collapses once stolen credentials can be replayed across hundreds of services. The implication is that password policy alone is not a sufficient security boundary.
Credential stuffing is a human IAM problem, but the blast radius extends to NHI governance. The same weak identity discipline that allows users to reuse passwords also encourages unsafe credential handling across service accounts, scripts, and shared admin workflows. When organisations normalise secrets as portable proof, they create a governance culture where every identity type inherits the same exposure pattern. Practitioners should treat reusable secrets as a cross-domain control failure.
Secondary passwords and CAPTCHA are friction controls, not identity controls. They can slow large-scale automation, but they do not repair the underlying assumption that a reusable credential is trustworthy on its own. That makes them partial compensating controls at best. The practical conclusion is that authentication design should move toward phishing-resistant factors and session assurance rather than hoping for better user behaviour.
Identity assurance has to be measured at the point of login, not assumed from the credential itself. Credential stuffing exposes the gap between authentication success and trustworthiness. A valid password does not mean a valid actor, valid device, or valid context. IAM teams should therefore separate credential acceptance from session trust and make that distinction visible in policy and telemetry.
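One way to make the distinction between credential acceptance and session trust concrete in policy code, as the answer on reducing credential stuffing risk and the paragraph above both call for. This is an added example, not code from the 1Kosmos article or from NHIMG; the Decision states, the Context fields and the SHA-1 breach corpus are constructed assumptions.

```python
# Added example (not from the 1Kosmos article or NHIMG): a valid password is
# accepted as a credential but does not by itself earn a trusted session.
import hashlib
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"            # valid credential, low-risk context: issue session
    STEP_UP = "step_up"        # valid credential, risky context: require phishing-resistant factor
    DENY_RESET = "deny_reset"  # valid but known-compromised password: block, force reset
    DENY = "deny"              # invalid credential

# Constructed stand-in for a compromised-credential corpus: stores SHA-1 hashes
# only (assumption), so the check never needs cleartext from the breach side.
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                    for p in ("password123", "Winter2024!")}

@dataclass
class Context:
    new_device: bool = False
    geo_velocity_anomaly: bool = False
    source_flagged_for_stuffing: bool = False  # e.g. from auth-log detection
    privileged: bool = False

def is_compromised(password):
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1

def decide(credential_valid, password, ctx):
    """Return (Decision, reasons). Log the reasons: telemetry must be able to
    tell 'password accepted' apart from 'session trusted'."""
    if not credential_valid:
        return Decision.DENY, ["credential_invalid"]
    # A correct password that sits in a breach corpus is exactly what a
    # stuffing replay presents: the credential check passed, trust must not.
    if is_compromised(password):
        return Decision.DENY_RESET, ["password_in_breach_corpus"]
    reasons = [name for name, hit in (("source_flagged_for_stuffing", ctx.source_flagged_for_stuffing),
                                      ("geo_velocity_anomaly", ctx.geo_velocity_anomaly),
                                      ("new_device", ctx.new_device),
                                      ("privileged_access", ctx.privileged)) if hit]
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, ["credential_valid_low_risk"]
```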
Credential stuffing shows why access governance must include credential lifecycle, not just account lifecycle. If stolen credentials can remain usable across platforms, then credential exposure becomes a governance event with a wider blast radius than a single account. Organisations need to think in terms of credential persistence, reuse, and recovery, not only joiner-mover-leaver processes. Practitioners should align lifecycle controls with credential risk, not just user records.
From our research:
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
- For a broader view of how secret sprawl and credential exposure translate into breach risk, see 52 NHI Breaches Analysis.
What this signals
Credential stuffing pressure is a warning sign that identity programmes still treat secrets as durable proof. Once credentials can be replayed across services, the useful control boundary is not the password itself but the session trust model that follows it.
Credential replay debt: the longer an organisation allows shared secrets to circulate across user, service, and support workflows, the more it accumulates unrecoverable authentication risk. That is why secrets governance needs to be part of IAM design, not an afterthought.
Teams should expect more login abuse to arrive through automation rather than human guessing. The right response is to combine phishing-resistant authentication, strong compromise detection, and tighter governance over where secrets are stored and shared.
For practitioners
- Enforce phishing-resistant authentication for high-risk access: Move privileged and sensitive user flows away from password-only or password-plus-secondary-password designs and toward phishing-resistant methods that do not rely on reusable shared secrets.
- Block credential reuse at the policy layer: Detect and deny known-compromised passwords at sign-in, then require reset and step-up verification before the account can be trusted again.
- Tune detection for automation-driven login abuse: Set thresholds for failed attempts, geo-velocity anomalies, and session reuse patterns so automated testing of credentials is surfaced before account compromise succeeds.
- Review secrets handling across service workflows: Map where usernames, passwords, API keys, and shared credentials are stored or transmitted, then remove email and messaging channels from approved sharing paths.
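The automation-driven abuse described in the technical breakdown and the detection thresholds in the practitioner list can be checked against authentication logs. This is an added example, not code from the 1Kosmos article or from NHIMG; the log format, the sample lines, the IP addresses and the thresholds are constructed assumptions.

```python
# Added example (not from the 1Kosmos article or NHIMG): flag sources whose
# login attempts look like automated credential testing across many accounts.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (assumed format: timestamp src_ip username result)
SAMPLE_LOG = """\
2025-03-21T10:00:00Z 203.0.113.7 alice FAIL
2025-03-21T10:00:01Z 203.0.113.7 bob FAIL
2025-03-21T10:00:02Z 203.0.113.7 carol FAIL
2025-03-21T10:00:03Z 203.0.113.7 dave FAIL
2025-03-21T10:00:04Z 203.0.113.7 erin SUCCESS
2025-03-21T10:05:00Z 198.51.100.4 alice FAIL
2025-03-21T10:05:30Z 198.51.100.4 alice SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log):
    events = []  # (timestamp, src_ip, user, result); malformed lines are skipped
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_stuffing_sources(events, window_s=60, min_users=5, min_fail_ratio=0.6):
    """Credential stuffing tests MANY usernames from one source with mostly
    failures; brute force hammers ONE username. The distinct-user count inside a
    sliding time window separates the two. Returns {src_ip: worst window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fail_ratio = sum(r == "FAIL" for _, _, r in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio \
                    and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users), "fail_ratio": round(fail_ratio, 2),
                        "successes": sorted({u for _, u, r in win if r == "SUCCESS"})}
        if best:
            flagged[ip] = best
    return flagged
```

The "successes" inside a flagged window are the accounts that accepted a replayed credential and should be forced through reset and step-up rather than trusted.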
Key takeaways
- Credential stuffing succeeds because reused passwords convert one compromise into many possible account takeovers.
- The scale of login abuse is already massive, and weak secrets handling keeps the attack surface open across both human and non-human identities.
- IAM teams should shift from password-centric defence to phishing-resistant authentication, compromise detection, and tighter secrets governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Credential stuffing exploits weak authenticator assurance and replayable passwords. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Repeated login abuse shows why access decisions must be continuously re-evaluated. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret reuse and insecure sharing map directly to NHI secret exposure risk. |
Treat successful credential validation as insufficient and require contextual verification before granting session trust.
Key terms
- Credential Stuffing: A credential stuffing attack reuses stolen username and password pairs across many services to find accounts that accept the same login. The technique depends on password reuse, automation, and weak abuse detection, turning one breach into many potential account takeovers.
- Phishing-Resistant Authentication: Phishing-resistant authentication uses methods that cannot be copied and replayed like a password, such as cryptographic authenticators tied to a device or user presence. It reduces the value of stolen credentials because the attacker cannot simply paste the secret into another login form.
- Secrets Sprawl: Secrets sprawl is the uncontrolled spread of credentials such as passwords, API keys, and tokens across people, tools, and workflows. It increases the chance that a secret is exposed, reused, or shared insecurely, which weakens both human and non-human identity governance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: credential stuffing and how stolen credentials are reused across login systems. Read the original.
Published by the NHIMG editorial team on 2025-03-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org