Credential Stuffing Explained

Daniel Okoro · Security Writer, SecureTempMail · 5 min read

If you reuse passwords, one breach can unlock dozens of your accounts. That attack is called credential stuffing.

The mechanics

After a breach, attackers get millions of email/password pairs. Bots try those exact pairs on banks, shops, and email providers, betting that people reuse passwords. They're usually right.
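From the defending site's side, this traffic has a recognizable shape: one source tries many different accounts about once each, and almost all attempts fail. The sketch below is an added example, not code from the original article; the event format, the thresholds, and the per-IP grouping are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def detect_stuffing(events, min_accounts=5, max_tries_per_account=2.0,
                    max_success_rate=0.25):
    """Flag source IPs whose logins look like credential stuffing.

    events: iterable of (source_ip, username, success) tuples (assumed format).
    Thresholds are illustrative assumptions, not tuned values.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hit": set()})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if success:
            stats["ok"] += 1
            stats["hit"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        accounts = len(stats["users"])
        tries_per_account = stats["attempts"] / accounts
        success_rate = stats["ok"] / stats["attempts"]
        # Stuffing: many accounts, roughly one leaked pair each, few successes.
        # Brute force (one account, many guesses) fails the account-count test.
        if (accounts >= min_accounts
                and tries_per_account <= max_tries_per_account
                and success_rate <= max_success_rate):
            flagged[ip] = {
                "accounts": accounts,
                "success_rate": round(success_rate, 2),
                "compromised": sorted(stats["hit"]),  # candidates for forced reset
            }
    return flagged

def sample_events():
    """Constructed login events using documentation IP ranges."""
    events = []
    for i in range(10):   # one pair per account, a single reused password works
        events.append(("203.0.113.7", f"user{i}@example.com", i == 3))
    for _ in range(12):   # brute force against one account: a different pattern
        events.append(("198.51.100.9", "admin@example.com", False))
    for user in ("ana@example.com", "ben@example.com"):  # typo, then success
        events.append(("192.0.2.4", user, False))
        events.append(("192.0.2.4", user, True))
    return events

if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_events()).items():
        print(ip, info)
```

The `compromised` list is the part that matters most: those are the accounts where a reused password actually worked.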

How to be immune

  • Unique passwords per site (a manager makes this painless).
  • 2FA or passkeys so a password alone is useless.
  • Disposable addresses for low-trust sites, so a leak there isn't tied to your main accounts.

The mindset

Assume every password will eventually leak. Design so that when it does, the damage is contained to one account.