How Credential Stuffing Actually Works Now
Credential stuffing attacks now run on infostealer malware, not just breach dumps. Here is the updated defense stack: passkeys, password managers, and HIBP monitoring.
Your password might already be for sale. Not because a company you use got breached last month, but because malware on your device harvested it hours ago and it's already in a Telegram channel being sold for fractions of a cent.
That's the update to the credential stuffing story most people haven't gotten yet. The attack itself hasn't changed: take a list of stolen username and password pairs, test them automatically across thousands of sites, collect the logins that work. What's changed is where the credential lists come from. Understanding that shift changes what you need to do about it.
The short version: Enable passkeys on Google, Apple, and Microsoft accounts. Move banking and email into a password manager with unique passwords. Search your email on Have I Been Pwned and turn on breach monitoring. The rest of this post explains why those three steps matter more now than they did two years ago.
The Pipeline Has Changed
In 2020, Spotify was hit by a credential stuffing attack that compromised 350,000 accounts. Three months later, attackers came back and hit another 100,000. The source in both cases: credentials from unrelated breaches at other companies. Someone reused their Spotify password elsewhere, that site got breached, and the attacker tried the same credentials on Spotify.
That model still happens. But it's no longer the dominant pipeline.
The primary source of stolen credentials today is infostealer malware. An infostealer runs silently on an infected device and harvests everything authentication-related: saved browser passwords, session cookies, and credentials typed in real time. The data gets sent to attacker infrastructure within minutes. It then gets packaged into stealer logs and sold on dark web markets and Telegram channels, often within hours of infection.
KELA threat intelligence found that infostealers compromised 3.9 billion credentials across 4.3 million devices in 2024. The IBM X-Force 2025 Threat Intelligence Index found an 84% year-over-year increase in emails delivering infostealers in 2024.
The distribution vectors are ones you encounter every day: malicious ads redirecting to fake software downloads, SEO-poisoned search results pointing at trojanized installers, and the "ClickFix" technique that became widespread in 2024. In a documented May 2024 campaign, Microsoft tracked tens of thousands of emails with fake Cloudflare CAPTCHA pages that instructed users to press Win+R and run a command, which silently installed Lumma Stealer. The CAPTCHA looked legitimate. The prompt looked like a routine verification step.
Session cookie theft makes MFA bypassable. This is where it gets worse. Infostealers don't just steal passwords. They steal session tokens: the authentication cookies that represent an already-logged-in session. An attacker who imports your session token into their browser inherits your active session, including sessions that already passed MFA (multi-factor authentication) verification. The 2022 Uber breach by Lapsus$ used exactly this technique: purchased session cookies from a marketplace to bypass authentication entirely.
The leading infostealer families, Lumma, RedLine, and StealC, account for more than 75% of infected machines. They're available as Malware-as-a-Service: Lumma starts at $250/month, with tiers up to $20,000 for source code access. RedLine was disrupted by Operation Magnus in October 2024, a joint FBI and Dutch National Police action, but Lumma and StealC have filled the gap.
The Scale of the Stuffing Problem
The credential stuffing attack that uses these lists operates at a scale most people don't picture.
Akamai tracked approximately 26 billion credential stuffing attempts per month in 2024. Verizon's 2025 Data Breach Investigations Report (DBIR) found compromised credentials were the initial access vector in 22% of all breaches reviewed. At the median organization, credential stuffing accounts for 19% of all authentication attempts. These aren't targeted attacks. They're automated background noise hitting every login form on the internet, constantly.
The reason they work at that scale: a 2025 analysis of 19 billion exposed passwords found 94% were reused or duplicated. Password reuse is the amplifier that turns a credential dump into account takeovers.
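What that "background noise" looks like in login telemetry is a burst of attempts from one source against many different usernames with a high failure rate, and defenders can flag exactly that. The following is an added example, not code from the original post: a small sliding-window heuristic run over constructed auth log lines. The log format (`<ISO timestamp> <source IP> <username> <ok|fail>`), the IP addresses, and the thresholds are all assumptions, tuned only for this sample.

```javascript
// Added example, not from the original post. Detects credential-stuffing bursts in
// constructed login records: many distinct usernames from one source IP inside a
// short window, mostly failing. Format assumed: "<ISO timestamp> <ip> <user> <ok|fail>".

// Constructed sample log (not real traffic). The first IP sprays ten usernames in
// seven seconds and lands one hit; the second is one user fat-fingering a password.
const SAMPLE_LOG = `
2026-04-01T10:00:01Z 203.0.113.7 alice fail
2026-04-01T10:00:02Z 203.0.113.7 bob fail
2026-04-01T10:00:02Z 203.0.113.7 carol fail
2026-04-01T10:00:03Z 203.0.113.7 dave ok
2026-04-01T10:00:03Z 203.0.113.7 erin fail
2026-04-01T10:00:04Z 203.0.113.7 frank fail
2026-04-01T10:00:05Z 203.0.113.7 grace fail
2026-04-01T10:00:06Z 203.0.113.7 heidi fail
2026-04-01T10:00:07Z 203.0.113.7 ivan fail
2026-04-01T10:00:08Z 203.0.113.7 judy fail
2026-04-01T10:00:10Z 198.51.100.20 alice fail
2026-04-01T10:00:15Z 198.51.100.20 alice fail
2026-04-01T10:00:21Z 198.51.100.20 alice ok
2026-04-01T10:01:00Z 192.0.2.44 bob ok
`.trim();

function parseLine(line) {
  const [ts, ip, user, result] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, user, ok: result === 'ok' };
}

// Returns one alert per source IP whose busiest window crosses all three thresholds.
function detectStuffing(lines, opts = {}) {
  const { windowMs = 60_000, minAttempts = 8, minDistinctUsers = 5, minFailRatio = 0.7 } = opts;

  const byIp = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    const ev = parseLine(line);
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }

  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);

    // Sliding window: for each start event, extend the end while it stays within windowMs,
    // and keep the densest window seen for this IP.
    let best = null;
    let j = 0;
    for (let i = 0; i < events.length; i++) {
      while (j < events.length && events[j].t - events[i].t <= windowMs) j++;
      const win = events.slice(i, j);
      if (!best || win.length > best.length) best = win;
    }

    const distinctUsers = new Set(best.map((e) => e.user)).size;
    const fails = best.filter((e) => !e.ok).length;
    const failRatio = fails / best.length;

    if (best.length >= minAttempts && distinctUsers >= minDistinctUsers && failRatio >= minFailRatio) {
      alerts.push({
        ip,
        attempts: best.length,
        distinctUsers,
        failRatio,
        // Accounts that logged in successfully inside the burst: these are the likely
        // takeovers and the ones to force a credential reset and session revocation on.
        compromisedUsers: [...new Set(best.filter((e) => e.ok).map((e) => e.user))],
      });
    }
  }
  return alerts;
}

for (const a of detectStuffing(SAMPLE_LOG.split('\n'))) {
  console.log(`stuffing burst from ${a.ip}: ${a.attempts} attempts, ${a.distinctUsers} users, ` +
              `${Math.round(a.failRatio * 100)}% failed, hits: ${a.compromisedUsers.join(', ') || 'none'}`);
}
```

The three thresholds together are what separate a spray from a legitimate user retrying: the fat-finger source in the sample has three attempts against one username and is left alone, while the first source trips all three. In production the same shape is usually keyed on IP plus user agent or ASN, because stuffing tools rotate through proxy pools.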
What the Defense Stack Looks Like Now
1. Passkeys first, wherever available
A passkey replaces the password with a cryptographic key pair. The private key stays on your device. The public key is registered with the service. Authentication requires physical possession of your device and biometric confirmation. There is no password to steal, reuse, or stuff into another site.
Google, Apple, and Microsoft all support passkeys. Here's where to turn them on:
- Google: myaccount.google.com/security → Passkeys
- Apple: appleid.apple.com → Sign-In & Security → Passkeys
- Microsoft: account.microsoft.com/security → Advanced security options → Passkeys
The FIDO Alliance Passkey Index from October 2025 reported a 93% login success rate for passkeys versus 63% for traditional passwords, across real deployments at Google, Microsoft, PayPal, and others. Passkeys are also phishing-resistant by design: the key pair is bound to the exact domain, so a fake login page cannot trigger authentication.
Start with those three accounts. Your password manager can store passkeys for other sites as you encounter them.
2. Unique passwords plus a password manager for everything else
For accounts that don't support passkeys yet, a password manager generating unique credentials per site is the floor. The reuse problem is structural. The fix is architectural, not behavioral. You cannot willpower your way to remembering 200 unique passwords.
Two options worth recommending:
Bitwarden is open source, the free tier is fully functional, and it's self-hostable. It's the consensus pick for privacy-conscious users.
1Password costs around $3/month and has a polished UX with solid family sharing.
Do not use LastPass. Attackers exfiltrated encrypted password vaults in December 2022. In 2025, the FBI linked that breach to $150 million in downstream crypto theft from victims whose master passwords were weak enough to crack. If you're still using it, move now.
A note on browser password managers: Chrome, Safari, and Firefox sync passwords through your Google, Apple, or Microsoft account. Fine for low-stakes accounts. The risk is concentration: if that account is compromised, every stored password goes with it. Use a dedicated manager for banking, email, healthcare, and anything tied to your identity.
3. MFA: understand the hierarchy
As I covered in the MFA post, not all MFA is equal. The hierarchy:
- Passkeys: device-bound, phishing-resistant, session tokens never leave your device
- Hardware keys (YubiKey): require physical possession, phishing-resistant
- Authenticator apps (TOTP, time-based one-time passwords): solid baseline, but session cookie theft bypasses them
- SMS codes: better than nothing, vulnerable to SIM swapping
At minimum: authenticator app-based MFA on your email account, your bank, and any account tied to government identity. SMS is acceptable only when nothing stronger is offered.
The key caveat: TOTP does not protect against session cookie theft. The Uber breach is the proof. If you want full coverage, passkeys or hardware keys close that gap.
Check If You're Already Exposed
Have I Been Pwned (HIBP) is the starting point. The 2.0 update added infostealer-specific data: 244 million infostealer-sourced passwords were added to the Pwned Passwords database. A new feature shows not just that your credentials were exposed, but which specific sites they were collected against in stealer logs.
Search your primary email addresses now. Set up breach monitoring so you're notified when your address appears in future breaches rather than finding out months later.
If you find hits in the stealer log category specifically, treat it as a confirmed device compromise: scan for malware, change credentials for all flagged accounts, and rotate any reused passwords. The breach response runbook covers the full sequence.
Where to Start
Three steps that close the most material risk:
- Enable passkeys on your Google, Apple, and Microsoft accounts today
- Move banking and email into a password manager with new unique passwords
- Search your email addresses on HIBP and enable breach monitoring
The threat model has shifted. It used to be: a company you use gets breached, your password ends up in a dump, an attacker eventually tries it elsewhere. Now it's: malware you may not know you have harvested your credentials hours ago. The defense stack is the same, but the urgency is different, and passkeys are the first move, not a footnote.