Credential Stuffing

Credential Stuffing is a type of cyberattack where the attacker takes massive lists of usernames (typically email addresses) and passwords, and then tries to “stuff” them into different websites to gain access. They typically obtain the massive lists of passwords from data breaches. Unlike brute force attacks, attackers are not guessing passwords. They simply automate the process to attempt thousands or millions of logins using different automation tools. Attackers can be very successful using this approach because users often use one password for several logins and rarely change them. See multi-factor authentication.