TL;DR: Credential stuffing reuses stolen usernames and passwords across multiple login systems, and 1Kosmos notes that 193 billion attacks were seen in 2020 alone, with fraud, account takeover, and further compromise following reused credentials. Password-first identity still breaks when attackers can automate valid login attempts at scale.
NHIMG editorial — based on content published by 1Kosmos: credential stuffing and how stolen credentials are reused across login systems
By the numbers:
- There were 193 billion credential stuffing attacks in 2020 alone.
- 1Kosmos verifies identity anywhere, anytime, and on any device with over 99% accuracy.
Questions worth separating out
Q: How should security teams reduce credential stuffing risk in enterprise environments?
A: Start by reducing reliance on reusable passwords, then add controls that make stolen credentials less useful.
Q: Why do reused passwords make credential stuffing so effective?
A: Because a reused password turns one breach into many possible login successes.
Q: What do organisations get wrong about CAPTCHA and password defense?
A: They often treat CAPTCHA and password complexity as if they solve identity assurance.
Practitioner guidance
- Enforce phishing-resistant authentication for high-risk access Move privileged and sensitive user flows away from password-only or password-plus-secondary-password designs and toward phishing-resistant methods that do not rely on reusable shared secrets.
- Block credential reuse at the policy layer Detect and deny known-compromised passwords at sign-in, then require reset and step-up verification before the account can be trusted again.
- Tune detection for automation-driven login abuse Set thresholds for failed attempts, geo-velocity anomalies, and session reuse patterns so automated testing of credentials is surfaced before account compromise succeeds.
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of the common password compromise paths, including database breaches, phishing, and brute force.
- A practical explanation of why secondary passwords are not the same as multi-factor authentication.
- A vendor walkthrough of passwordless authentication features and how they are positioned against credential stuffing.
- A discussion of the platform's identity proofing, SIM binding, and integration model for deployment teams.
👉 Read 1Kosmos' analysis of credential stuffing and password reuse risk →
Credential stuffing and password reuse: where identity controls fail?
Explore further
Password reuse is the real control failure behind credential stuffing. The attack works because identity programmes still tolerate a shared-secret model that assumes one password maps to one user and one environment. That assumption collapses once stolen credentials can be replayed across hundreds of services. The implication is that password policy alone is not a sufficient security boundary.
A few things that frame the scale:
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: How do IAM teams know whether login controls are actually working?
A: Look for a drop in successful logins from known compromised credential sets, fewer high-volume repeated attempts, and lower rates of account takeover from password replay. If users still authenticate successfully after credentials are exposed elsewhere, the control stack is not holding at the point that matters most.
👉 Read our full editorial: Credential stuffing exposes the limits of password-first identity