Credential Stuffing

Severity: High. Category: Active Attack.

Credential stuffing uses large lists of username/password pairs leaked in prior data breaches to attempt automated logins across many unrelated services, exploiting password reuse. Unlike brute force, each credential pair is tried only once or a few times against a given account, so per-account lockout thresholds are never reached and the attack stays invisible to controls that watch one account at a time. Modern credential stuffing campaigns use residential proxy networks and per-request fingerprint rotation so that no single IP or browser signature accumulates enough attempts to stand out.


High Severity

This threat is classified as high severity. Prioritize mitigation.

🔍Indicators

  • Login failures distributed across many accounts (low per-account failure count, high total volume)
  • Spike in 200 OK responses from the login endpoint mixed with many 401 Unauthorized
  • Login attempts originating from residential ISP IP ranges rather than datacenter blocks
  • Browser fingerprint anomalies: identical User-Agent headers from thousands of IPs
  • Successful logins from geolocations inconsistent with the account's normal usage pattern

🛡Detection Methods

Analyse login success/failure ratio

# Count HTTP 200 vs 401 on the login endpoint (Nginx combined log format:
# field $7 is the request path, field $9 the status code)
awk '$7 == "/api/login" {print $9}' /var/log/nginx/access.log | sort | uniq -c

Detect low-and-slow patterns (Python)

# Alert if >1000 unique accounts failed, with fewer than 3 failures each, in 1 hour
from collections import Counter

def detect_stuffing(auth_events_last_hour, min_accounts=1000, max_per_account=3):
    """Return True when the window shows a credential stuffing pattern.
    Each event is expected to carry .status ("fail"/"success") and .username."""
    failed_accounts = Counter()  # account -> failure count
    for event in auth_events_last_hour:
        if event.status == "fail":
            failed_accounts[event.username] += 1

    # Classic brute force: few accounts, many failures
    # Credential stuffing: many accounts, few failures each
    return (len(failed_accounts) > min_accounts
            and max(failed_accounts.values(), default=0) < max_per_account)

if detect_stuffing(auth_events_last_hour):
    alert("Credential stuffing pattern detected")  # alert() is your paging hook

Check IPs against proxy/abuse intelligence

# Query AbuseIPDB (abuseConfidenceScore is 0-100; high values mean the IP
# has been widely reported for abuse)
curl -sG "https://api.abuseipdb.com/api/v2/check" \
  --data-urlencode "ipAddress=203.0.113.1" \
  -H "Key: $ABUSEIPDB_KEY" -H "Accept: application/json" | jq '.data.abuseConfidenceScore'

Suricata HTTP rule (the sensor must see plaintext HTTP, i.e. sit behind the TLS terminator; an http-protocol rule cannot inspect encrypted traffic on port 443)

alert http any any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"CRED_STUFF high login request volume from one source"; \
   flow:to_server,established; \
   content:"POST"; http_method; content:"/login"; http_uri; \
   threshold:type threshold, track by_src, count 50, seconds 60; \
   classtype:attempted-user; sid:3000002; rev:2;)

Because stuffing campaigns rotate source IPs, track by_src only catches tooling that does not bother to rotate. Add a second copy of the rule with track by_dst and a count set above your normal peak login rate to alert on aggregate volume against the endpoint, the network-side counterpart of the global rate limit described under Mitigation.
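The indicators and the two detection ideas above (success/failure ratio, many-accounts-few-failures, one User-Agent spread across many IPs) combined into one runnable classifier. This is an added example written for this page, not code from the original page or from any product. The JSON-lines event shape (ts, user, ip, ua, status) is an assumption; adapt parse_events() to your own application auth log. The two sample windows are constructed, not captured traffic.

```python
import json
from collections import Counter, defaultdict


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a garbled line must not abort the whole window
    return events


def login_metrics(events):
    """Compute the indicators listed above over one time window."""
    status = Counter(e["status"] for e in events)
    failed = Counter(e["user"] for e in events if e["status"] == "fail")
    ips_per_ua = defaultdict(set)  # identical UA spread over many IPs
    for e in events:
        ips_per_ua[e["ua"]].add(e["ip"])
    return {
        "success": status["success"],
        "fail": status["fail"],
        "accounts_failed": len(failed),
        "max_failures_per_account": max(failed.values(), default=0),
        "unique_ips": len({e["ip"] for e in events}),
        "top_ua_ip_count": max((len(ips) for ips in ips_per_ua.values()), default=0),
    }


def classify(m, min_accounts=1000, max_per_account=3, min_ua_ips=250):
    """Many accounts with few failures each: stuffing.  Few accounts with
    many failures: brute force.  One UA across hundreds of IPs counts as
    stuffing even when the account threshold is not reached."""
    if m["accounts_failed"] >= min_accounts and m["max_failures_per_account"] < max_per_account:
        return "credential_stuffing"
    if m["top_ua_ip_count"] >= min_ua_ips and m["max_failures_per_account"] < max_per_account:
        return "credential_stuffing"
    if m["max_failures_per_account"] >= 20:
        return "brute_force"
    return "normal"


# Constructed sample windows (synthetic, not captured traffic).
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def stuffing_window(n_accounts=1200):
    """1200 distinct accounts, at most two tries each, 250 rotating IPs,
    one shared User-Agent, about 2% of the leaked pairs still valid."""
    lines = []
    for i in range(n_accounts):
        ev = {"ts": "2024-05-01T10:00:00Z", "user": f"user{i}",
              "ip": f"203.0.113.{i % 250 + 1}", "ua": UA,
              "status": "success" if i % 50 == 0 else "fail"}
        lines.append(json.dumps(ev))
        if i % 3 == 0 and ev["status"] == "fail":
            lines.append(json.dumps(ev))  # a second try for some accounts
    return "\n".join(lines)


def brute_force_window(attempts=40):
    """One account hammered 40 times from a single IP, for contrast."""
    ev = {"ts": "2024-05-01T10:00:00Z", "user": "admin",
          "ip": "198.51.100.7", "ua": UA, "status": "fail"}
    return "\n".join(json.dumps(ev) for _ in range(attempts))


if __name__ == "__main__":
    for name, window in (("stuffing", stuffing_window()), ("brute", brute_force_window())):
        m = login_metrics(parse_events(window))
        print(name, classify(m), m)
```

Run it against a real window by piping your auth log into parse_events(); the thresholds are starting points and should be set from your own baseline (normal hourly failed-account count and the number of IPs a legitimately popular browser build spans).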

Mitigation

  1. Integrate breach password databases — Use HaveIBeenPwned's Pwned Passwords API to reject passwords that appear in known breach dumps at registration and password change; on login, treat a match as a signal to force a reset rather than silently failing the attempt. The range endpoint only ever receives the first five characters of the SHA-1 hash, so the check does not disclose the password to the service.
  2. Deploy device fingerprinting — Tools like FingerprintJS or server-side TLS fingerprinting (JA3) detect bots that rotate IPs but maintain consistent browser signatures.
  3. Implement risk-based authentication — Trigger step-up MFA when login originates from a new device, unusual geolocation, or flagged IP range.
  4. Use CAPTCHA with anomaly scoring — Google reCAPTCHA v3 provides an invisible risk score; challenge scores below 0.5 automatically.
  5. Rate-limit globally, not just per-account — Enforce a global cap of login requests per minute across the entire endpoint, regardless of which account is targeted.
  6. Block datacenter ASNs; score residential proxies separately — Maintain a blocklist of hosting/VPN ASNs (AWS, DigitalOcean and similar) for a login endpoint that ordinary users never reach from a cloud host. Do not block residential ASNs wholesale, since that also blocks the real customers behind them; detect residential proxy traffic with a proxy-detection feed and the fingerprint signals above instead.
  7. Notify users of new-device logins — Email alerts for new login locations give legitimate users early warning of account compromise.
  8. Force password resets on breach correlation — Automatically expire passwords for accounts whose credentials appear in newly published breach datasets.
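Mitigation 1 worked as an added example (not HIBP's client code or code from the original page): the Pwned Passwords k-anonymity check, where only the first five hex characters of the SHA-1 hash leave the host and the full hash is compared locally against the returned suffix list. The live fetcher calls the real api.pwnedpasswords.com range endpoint; the FIXTURE dict is a constructed stand-in so the code runs offline, and its suffixes and counts (apart from the suffix of SHA-1("password")) are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Fetch the suffix list for a 5-hex-char prefix from the real API.
    The API rejects requests without a User-Agent; Add-Padding asks for
    dummy entries so response size does not leak which range was asked."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "example-credential-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """Return how many times the password appears in the Pwned Passwords
    corpus (0 if absent).  Only the hash prefix is sent over the network."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix == suffix:
            return int(count)  # padded dummy entries come back with count 0
    return 0


def is_password_allowed(password, fetch_range=fetch_range_live):
    """Policy hook for registration / password change: any breach hit rejects."""
    return breach_count(password, fetch_range) == 0


# Constructed offline fixture: what a range response for prefix 5BAA6 looks
# like.  The middle line is the real suffix of SHA-1("password"); the other
# suffixes and all counts are invented for this example.
FIXTURE = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
    ])
}


def fetch_range_fixture(prefix):
    """Offline replacement for fetch_range_live using the constructed fixture."""
    return FIXTURE.get(prefix, "")


if __name__ == "__main__":
    print("password ->", breach_count("password", fetch_range_fixture), "hits")
    print("allowed?", is_password_allowed("password", fetch_range_fixture))
```

In production, fail closed on a network error for registration (ask the user to try again) but fail open for the login-time check, so an outage of the range API cannot lock every user out.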

📋Real-World Examples

2020 — Nintendo credential stuffing (160,000 accounts): In April 2020, Nintendo disclosed that approximately 160,000 accounts were compromised via a legacy NNID login system through credential stuffing. Attackers accessed linked PayPal accounts and made fraudulent purchases. Nintendo disabled NNID-based login as a result.

2018 — Reddit breach and credential stuffing cascade: Following Reddit's own breach disclosure in August 2018, attackers used the leaked Reddit credentials in stuffing campaigns across other sites. The incident highlighted how a single breach propagates across services due to password reuse, with thousands of accounts compromised on unrelated platforms within days.
