REEF Editorial

Credential stuffing: why password reuse is your single biggest risk

Compromised credentials were involved in 22% of breaches in the 2025 DBIR. The math behind why one leaked password becomes hundreds of breached accounts.


Compromised credentials were the most common initial access vector in the 2025 DBIR, involved in roughly 22% of breaches. That's an enormous slice of the threat landscape, and unlike phishing or vulnerability exploitation, it's a category where the attacker doesn't have to do much work. The work was already done — by users who reused passwords across sites, and by breaches at unrelated services that leaked those passwords.

This post walks through the math, the threat actor playbook, and what actually defends against this.

The math, in plain numbers

Let's say one of your employees has a password that's been used at six different services over the past five years. One of those services — let's pick a real one: a major retailer, a major hotel chain, a major social network — gets breached. Their credential dump ends up on a paste site or a dark-market dump.

A few weeks later, an automated tool stuffs that credential pair into thousands of other login pages: corporate VPNs, M365 tenants, banking sites, GitHub. The math:

  • A median of 49% of a user's passwords are reused across services (per supplementary DBIR research).
  • 19% of authentication attempts on consumer-facing services are credential stuffing (per the same dataset).
  • A determined attacker with a cred dump and a list of corporate domains can run thousands of stuffing attempts an hour.

The hit rate on any single dump-against-target pairing is small — maybe 0.5-2%. But against millions of attempts and thousands of leaked dumps, the absolute number of successful logins is enormous.

The attacker playbook

A typical credential stuffing campaign looks roughly like this:

  1. Acquire dumps. Combo lists from prior breaches, infostealer logs from compromised personal devices, or freshly purchased dark-market dumps.
  2. Map targets. For corporate targets, the attacker enumerates email patterns ("first.last@company.com") and login portals (Okta, Entra, M365, VPN, helpdesk).
  3. Stuff at scale. Distributed automation, residential proxy networks, and CAPTCHA-solving services to get past basic rate-limiting.
  4. Verify and triage. Successful logins get tested for what they have access to — email, file storage, financial systems, code repos.
  5. Exploit. Depending on what was accessed: BEC attempts, data theft, lateral movement, or sale of access to other actors.

The dwell time on credential-driven breaches is alarming. The IBM 2025 Cost of a Data Breach report found stolen-credentials breaches took up to 186 days to identify on average. Six months of attacker access before anyone notices.

What actually defends against this

The defense playbook is well-established, but adoption is uneven:

1. Phishing-resistant MFA

This is the highest-leverage control. MFA via SMS or one-time codes is no longer enough — attackers run MFA fatigue and SMS interception at scale. Phishing-resistant MFA (passkeys, FIDO2 hardware keys, certificate-based authentication) defeats credential stuffing entirely because the password alone doesn't grant access.

The hard part is the rollout. Most organizations have phishing-resistant MFA for some accounts (admin, executive) and not for others. The DBIR data suggests this gap is exactly where attackers concentrate.

2. Password manager rollout

If users are picking and remembering passwords, they're reusing passwords. That's not a moral failing — it's a UX limit. The only durable answer is a password manager that generates and stores unique, long credentials per service.

The challenge: rollout. Issuing licenses isn't enough; you need adoption training, browser-extension support, and enough visibility to know which users actually use it.

3. Monitoring for leaked credentials

Services like Have I Been Pwned (and commercial equivalents) provide breach-monitoring APIs. Plumbing them into your IAM lets you force a password reset when a corporate email shows up in a new dump.

This is the cleanest closed loop in this category: dump appears, monitoring fires, IAM forces reset, attacker's stuffing window closes.
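The check side of that loop, as an added example that is not part of the original post or of Have I Been Pwned's own code: a k-anonymity lookup against the Pwned Passwords range API (only the first five SHA-1 hex characters leave your host), wired to a "force reset" decision. The live fetcher and its URL are real, but the example runs against a constructed in-memory stand-in so it works offline; the leaked corpus and counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def hibp_range_fetcher(prefix: str) -> str:
    """Live fetcher: GET https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """k-anonymity check: send only the 5-char prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():          # lines look like "<35-hex suffix>:<count>"
        if ":" not in line:
            continue
        cand, count = line.strip().split(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0

def reset_required(password: str, fetch: Callable[[str], str]) -> bool:
    """The closed loop from the post: any hit in a known dump forces a reset."""
    return pwned_count(password, fetch) > 0

# Constructed stand-in for the service so the example runs offline.
# The passwords and counts are invented; the real corpus is far larger.
LEAKED_CORPUS: Dict[str, int] = {"password123": 1500000, "Summer2024!": 3200}

def fake_range_fetcher(prefix: str) -> str:
    lines = ["0" * 35 + ":7"]                        # constructed decoy suffix to exercise parsing
    for pw, count in LEAKED_CORPUS.items():
        h = sha1_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)                        # the real API also returns CRLF lines

if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple-7Q"):
        verdict = "force reset" if reset_required(pw, fake_range_fetcher) else "ok"
        print(f"{pw}: {verdict}")
```

Swap `fake_range_fetcher` for `hibp_range_fetcher` to query the live service; the caller's logic does not change.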

4. Conditional access policies

Even before phishing-resistant MFA is fully deployed, conditional access reduces blast radius. Common rules:

  • Block logins from unexpected geographies
  • Require step-up authentication from new devices
  • Block legacy authentication protocols (the easiest stuffing targets)
  • Enforce device compliance for sensitive resources

These rules block many credential stuffing attempts before they even reach the user's MFA prompt.
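The four rules above as a small policy evaluator run over constructed sign-in events, added here as an example and not taken from any IdP's configuration language. Hard blocks (legacy protocol, unexpected geography, non-compliant device on a sensitive resource) are evaluated before the new-device step-up so a stuffed password on one of those paths never reaches an MFA prompt; the users, devices and countries are invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    device_id: str
    protocol: str            # "modern" or a legacy name such as "imap" or "smtp_basic"
    device_compliant: bool
    resource: str

@dataclass
class Policy:
    allowed_countries: Set[str]
    known_devices: Dict[str, Set[str]]   # devices previously seen, per user
    legacy_protocols: Set[str]
    sensitive_resources: Set[str]

def evaluate(ev: SignIn, pol: Policy) -> Tuple[str, List[str]]:
    """Return ("block" | "step_up" | "allow", reasons). Blocks come first so a
    stuffed password never gets as far as an MFA prompt on a blocked path."""
    if ev.protocol in pol.legacy_protocols:
        return "block", [f"legacy protocol {ev.protocol}"]
    if ev.country not in pol.allowed_countries:
        return "block", [f"unexpected geography {ev.country}"]
    if ev.resource in pol.sensitive_resources and not ev.device_compliant:
        return "block", [f"non-compliant device for {ev.resource}"]
    if ev.device_id not in pol.known_devices.get(ev.user, set()):
        return "step_up", ["new device"]
    return "allow", []

# Constructed policy and events (not real tenant data).
POLICY = Policy(
    allowed_countries={"US", "CA"},
    known_devices={"alice@example.com": {"laptop-01"}},
    legacy_protocols={"imap", "pop3", "smtp_basic"},
    sensitive_resources={"finance-erp"},
)
SAMPLE_EVENTS = [
    SignIn("alice@example.com", "US", "laptop-01", "modern", True, "mail"),       # allow
    SignIn("alice@example.com", "US", "phone-77", "modern", True, "mail"),        # step_up
    SignIn("alice@example.com", "BR", "laptop-01", "modern", True, "mail"),       # block
    SignIn("alice@example.com", "US", "laptop-01", "imap", True, "mail"),         # block
    SignIn("alice@example.com", "US", "laptop-01", "modern", False, "finance-erp"),  # block
]

def evaluate_all(events=SAMPLE_EVENTS, policy=POLICY) -> List[str]:
    return [evaluate(ev, policy)[0] for ev in events]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.country, ev.device_id, ev.protocol, ev.resource, "->", evaluate(ev, POLICY))
```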

5. Reducing attack surface

Every login portal is a stuffing target. Many organizations expose helpdesk portals, time-tracking systems, marketing tools, or partner systems with their corporate identity, and each of these is another surface to probe. Consolidating identity through SSO reduces the number of login surfaces an attacker can probe.

Where awareness training fits

It's tempting to call credential abuse an "infrastructure problem" rather than a "training problem." But there's a meaningful awareness component:

  • MFA fatigue. When a user gets a push notification they didn't initiate, do they approve out of habit, or deny and report? That's training.
  • Password manager adoption. Whether users actually use the password manager you bought is partly a culture problem.
  • Reporting unexpected sign-ins. "I got a sign-in alert from a country I'm not in" should be an immediate helpdesk ticket, not something dismissed.

Awareness training that addresses these specific behaviors moves the needle on credential abuse in a way generic phishing training does not.

The honest summary

Credential abuse is the most common initial access vector in the 2025 DBIR data, and it'll likely keep that title for the foreseeable future. The defense isn't complicated — it's well-established and well-documented. The challenge is execution at scale: getting every account on phishing-resistant MFA, getting every user on a password manager, getting every login portal behind SSO.

That's a multi-year IT program for most organizations. While that program executes, awareness training that targets the specific behaviors around credentials (MFA fatigue, unexpected sign-ins, password manager adoption) is one of the highest-leverage things a security team can do.


Sources: Verizon 2025 Data Breach Investigations Report — Executive Summary, Verizon DBIR Credential Stuffing Research, IBM Cost of a Data Breach Report 2025.

