Every time there’s a major data breach, security people say the same thing: “Change your passwords. Use unique passwords. Enable MFA.” The mechanism by which leaked passwords turn into account takeovers is worth understanding in detail, because the economics of it are what make it so relentless.
What Credential Stuffing Actually Is
Credential stuffing is simple: take a list of username/password pairs leaked from one service and try them against a different service. If someone uses the same password on LinkedIn as on their bank, and LinkedIn is breached, the attacker can log into their bank.
Have I Been Pwned has indexed over 14 billion compromised credentials as of mid-2026. Dark web markets have combolists containing 5-10 billion unique email/password combinations sold for hundreds of dollars. For a credential stuffing operation targeting a service with 10 million users, even a 0.5% success rate means 50,000 compromised accounts.
The Tooling Is Industrial-Grade
Purpose-built tools handle distributed request routing across thousands of residential proxies (making IP blocking nearly useless), browser fingerprint rotation to evade bot detection, CAPTCHA solving via third-party services, and automatic session persistence for valid logins.
When I say “residential proxies” I mean compromised home routers and ISP connections — real IP addresses that look like normal traffic. A stuffing campaign running through 50,000 residential proxies is essentially indistinguishable from 50,000 real users trying to log in.
What Happens to Compromised Accounts
- Financial accounts: drained within hours — transfers to mule accounts, gift card purchases, crypto buys.
- Corporate accounts: sold as initial access on darknet forums. A valid employee VPN login goes for $200-$2,000 depending on the company.
- Email accounts: mined for password reset emails to other services.
How to Actually Stop It
1. MFA everywhere. Credential stuffing fails completely against TOTP or FIDO2 MFA, because a replayed password alone never satisfies the second factor. This is the single most effective control.
2. Monitor for credential exposure. Dark web monitoring alerts you when your domain’s credentials appear in combolists.
3. Deploy login anomaly detection. High-velocity failed logins from diverse IPs, unusual geographic origins — these patterns are detectable.
4. Check your users against Have I Been Pwned. The API lets you check whether your users' email addresses or passwords appear in known breach data. Force password resets for flagged accounts.
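The anomaly patterns from control 3 above, turned into detection logic as an added example (not code from the original post). It assumes a constructed log format of `<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> ip=<addr>` and constructed sample lines; the thresholds are illustrative and would be tuned to a real service's baseline. Three signals are raised per time window: a burst of failures spread over many distinct source IPs, a successful login from an IP that also produced failures in that burst (the account to reset first), and a single account hit from several IPs.

```python
"""Credential-stuffing detection over authentication log lines.

Added example, not code from the post. Log format and sample lines are
constructed for illustration; real logs would need their own parser.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one stuffing burst at 10:00 (many users, many IPs,
# one success from a proxy that also failed elsewhere) then normal traffic.
SAMPLE_LOG = """\
2026-06-01T10:00:00 LOGIN_OK user=alice ip=203.0.113.5
2026-06-01T10:00:10 LOGIN_FAIL user=bob ip=198.51.100.10
2026-06-01T10:00:11 LOGIN_FAIL user=bob ip=198.51.100.11
2026-06-01T10:00:12 LOGIN_FAIL user=carol ip=198.51.100.12
2026-06-01T10:00:13 LOGIN_FAIL user=bob ip=198.51.100.13
2026-06-01T10:00:14 LOGIN_FAIL user=erin ip=198.51.100.14
2026-06-01T10:00:15 LOGIN_FAIL user=frank ip=198.51.100.15
2026-06-01T10:00:16 LOGIN_FAIL user=grace ip=198.51.100.16
2026-06-01T10:00:17 LOGIN_FAIL user=heidi ip=198.51.100.17
2026-06-01T10:00:18 LOGIN_OK user=dave ip=198.51.100.12
2026-06-01T10:00:19 LOGIN_FAIL user=ivan ip=198.51.100.18
2026-06-01T10:01:30 LOGIN_OK user=alice ip=203.0.113.5
2026-06-01T10:01:40 LOGIN_FAIL user=bob ip=203.0.113.77
"""


def parse_line(line):
    """Parse one constructed-format line into a record dict."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(records, window_s=60, min_fail=8, min_fail_ips=5,
                    min_user_ips=3):
    """Bucket records into fixed windows and return a list of alert dicts.

    Thresholds are illustrative (assumption); tune them to your baseline.
    """
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    buckets = defaultdict(list)
    for r in records:
        buckets[int((r["ts"] - t0).total_seconds() // window_s)].append(r)

    alerts = []
    for b, recs in sorted(buckets.items()):
        fails = [r for r in recs if r["result"] == "LOGIN_FAIL"]
        fail_ips = {r["ip"] for r in fails}
        burst = len(fails) >= min_fail and len(fail_ips) >= min_fail_ips
        if burst:
            # Many failures from many IPs: the distributed-proxy signature.
            alerts.append({"type": "distributed_fail_burst", "window": b,
                           "failures": len(fails), "distinct_ips": len(fail_ips)})
            # A success from an IP that also failed in the burst is the
            # strongest hint of a valid stuffed pair: reset that account.
            for r in recs:
                if r["result"] == "LOGIN_OK" and r["ip"] in fail_ips:
                    alerts.append({"type": "success_inside_burst", "window": b,
                                   "user": r["user"], "ip": r["ip"]})
        # One account tried from several IPs in one window.
        ips_by_user = defaultdict(set)
        for r in recs:
            ips_by_user[r["user"]].add(r["ip"])
        for user, ips in sorted(ips_by_user.items()):
            if len(ips) >= min_user_ips:
                alerts.append({"type": "account_targeted", "window": b,
                               "user": user, "distinct_ips": len(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the 10:00 window trips any rule; the lone typo by bob at 10:01 stays quiet, which is the point of counting distinct IPs rather than raw failures.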
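The Have I Been Pwned check from control 4, as an added example that is neither the post's nor HIBP's code. It uses the real Pwned Passwords range endpoint, `https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>`, which answers with `SUFFIX:COUNT` lines; only the 5-character prefix leaves your network, so the password itself is never transmitted. The sample response body and counts below are constructed, and the `fake_fetch` helper is an offline stand-in for the HTTP call so the block runs without network access.

```python
"""k-anonymity password check against HIBP Pwned Passwords.

Added example, not code from the post or from HIBP. Sample range data is
constructed; counts are not real breach figures.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range body for prefix 5BAA6 (SHA-1 of "password" starts with
# it). Count-0 lines imitate the padding HIBP adds when Add-Padding is set.
SAMPLE_RANGES = {
    "5BAA6": (
        "0000000000000000000000000000000000A:0\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "2C8A7B4E1D9F0A3B5C6D7E8F9A0B1C2D3E4:12\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix, timeout=10):
    """Real HTTP fetch of one range (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fake_fetch(prefix):
    """Offline stand-in for fetch_range using the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in the leaked set (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def should_force_reset(password, fetch=fetch_range):
    """Policy hook: any non-zero count means the password is known to attackers."""
    return check_password(password, fetch=fetch) > 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, fetch=fake_fetch),
              "reset" if should_force_reset(pw, fetch=fake_fetch) else "ok")
```

Swap `fake_fetch` for the default `fetch_range` to query the live service; running the check at registration and password reset, not only as a one-off sweep, is what keeps stuffed pairs from re-entering your user base.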
What I See on Dark Web Forums
The combolist market has become more specialized over the last 18 months. Rather than selling generic billion-row dumps, traders now sell targeted lists — “Canadian bank logins only,” “healthcare portal accounts.” We’ve seen Canadian financial institution credentials sold in batches of 500-1,000 at $5-$15 per account. It’s a functioning marketplace with reviews, dispute resolution, and customer service. Understanding that ecosystem is half of what makes threat intelligence valuable.