Security glossary
What is credential stuffing?
Credential stuffing is when attackers test leaked email-password pairs on many websites, hoping people reused passwords.
Last reviewed: 2026-05-23
In plain English
It is automated and fast. Attackers can test thousands of login attempts in minutes.
One old breach can trigger new account takeovers if the same password is reused.
Credential stuffing often leads to billing changes, profile edits, or recovery-email takeovers.
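For anyone who runs a login service, the pattern described above (one source trying many different accounts in minutes, with most attempts failing) can be spotted in authentication logs. The sketch below is an added example, not part of the original glossary; the log format, thresholds, function name and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp source_ip username result).
SAMPLE_LOG = """
2026-01-10T09:00:01 203.0.113.7 alice@example.com FAIL
2026-01-10T09:00:02 203.0.113.7 bob@example.com FAIL
2026-01-10T09:00:03 203.0.113.7 carol@example.com OK
2026-01-10T09:00:04 203.0.113.7 dave@example.com FAIL
2026-01-10T09:00:05 203.0.113.7 erin@example.com FAIL
2026-01-10T09:00:06 203.0.113.7 frank@example.com FAIL
2026-01-10T09:00:07 203.0.113.7 grace@example.com OK
2026-01-10T09:01:10 198.51.100.20 heidi@example.com FAIL
2026-01-10T09:01:20 198.51.100.20 heidi@example.com OK
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
MIN_ACCOUNTS = 5               # distinct usernames tried by one source in the window
MIN_FAIL_RATIO = 0.7           # leaked pairs are mostly stale, so most attempts fail

def detect_stuffing(log_text):
    """Map each flagged source IP to the accounts it logged in to successfully.

    Those accounts are the likely takeovers: candidates for a forced
    password reset and session revocation. Assumes time-ordered input.
    """
    windows = defaultdict(deque)   # per-source recent attempts
    flagged = {}                   # source IP -> set of accounts with OK logins
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, ip, user, result = line.split()
        ts, ok = datetime.fromisoformat(ts), result == "OK"
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:   # drop attempts older than the window
            win.popleft()
        if ip in flagged:                # already flagged: keep recording successes
            if ok:
                flagged[ip].add(user)
            continue
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, k in win if not k)
        # Many accounts from one source, mostly failing: stuffing, not a typo.
        if len(users) >= MIN_ACCOUNTS and fails / len(win) >= MIN_FAIL_RATIO:
            flagged[ip] = {u for _, u, k in win if k}
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}
```

A single user who mistypes a password once, like the second source in the sample, never reaches the distinct-account threshold and is not flagged.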
Real-world example
Your old password from a gaming breach is reused on your email account, and attackers log in without malware.
What you should do
- Use unique passwords for every important account.
- Start password resets with your primary inbox and financial services.
- Add MFA so reused passwords alone are not enough.
Related terms
What is account takeover?
Account takeover (ATO) is when someone gains control of your account and can change settings, spend money, or lock you out.
What is multi-factor authentication (MFA)?
MFA adds a second login check after your password, like an app code or hardware key.
What is a password manager?
A password manager stores unique passwords and helps you avoid dangerous password reuse.