Credential Stuffing
Credential stuffing is an automated attack technique in which large sets of stolen username-password pairs (combolists) are systematically tested against login pages at scale, exploiting the high rate of password reuse across online services. It is the dominant delivery mechanism for Account Takeover Fraud in ecommerce. (nFlo, 2025-08-16)
How it works
The attack pipeline
Netacea (2025-08-07) describes a "credential washing" workflow:
- Breach harvest — attackers acquire combolists from darknet forums, Telegram channels, and infostealer-aggregated databases
- Bulk testing — automated tools test credentials across thousands of sites simultaneously
- Hit list production — valid credentials classified as "hits"; failed attempts refine the combolist
- Monetisation — hits either exploited directly (ATO) or sold to cashers
r/fraud practitioners confirm a three-role supply chain: "breach resellers" sell combo lists → "checkers" run OpenBullet to produce hit lists → "cashers" monetise accounts. "By the time you see fraud on an account, the original credential may have changed hands 2–3 times." (r/fraud, 44 upvotes, 2024-10)
Attack tooling
nFlo (2025-08-16) identifies the dominant tools: SentryMBA, OpenBullet, and custom scripts capable of testing thousands of credential combinations per minute.
r/netsec (76 upvotes, 2024-07) details OpenBullet 2 capabilities: multi-threading, config-based site targeting (Shopify, Magento, WooCommerce configs circulate on forums), residential proxy rotation, CAPTCHA bypass via 2captcha/anti-captcha, and automated result classification into "hits," "frees," and "tocheck."
Attack sophistication evolution
Netacea (2025-08-07): campaigns have shifted from high-volume, noisy bursts to slow, distributed, behaviourally-mimicking patterns — using residential proxy networks, session-aware scripting, and randomised delays to evade volume-based thresholds. Mid-market retailer campaigns in 2024–2025 are compressed into 4–12 hour windows at peak volumes 10–40× higher than historical 2022 campaigns. (Security Boulevard, 2026-05)
Scale and credential supply
Volume benchmarks (as-of 2025–2026)
- Over 193 billion credential stuffing attempts were recorded globally in 2025, with 40% targeting ecommerce platforms. (nFlo, 2025-08-16 — no primary source cited; treat as directional)
- Credential stuffing volume against consumer login endpoints grew 148% year-over-year through Q4 2025. (Security Boulevard, 2026-05)
- Ecommerce ATO attack rates ran approximately 3.4× the cross-industry average in Q4 2025. (Security Boulevard, 2026-05)
- HUMAN Security's 2026 benchmark (analysing over one quadrillion interactions) found automation growing 8× faster than human web traffic; AI-driven traffic grew 187% in 2025. (HUMAN Security, 2026)
Credential supply
MOAB size: Netacea (2025-08-07) cites the June 2025 "Mother of All Breaches" at 16 billion credentials. darknet.org.uk (2026-03) references 26 billion records from the same dataset. The discrepancy likely reflects different counting methodologies — unique credential pairs vs total records including duplicates. Both sources agree the event occurred in June 2025.
- SpyCloud's 2026 exposure report recaptured 5.3 billion credential pairs in 2025; consumer password reuse rate: 65%; corporate: 42%. (deepstrike.io citing SpyCloud, 2026 — secondary citation)
- In H1 2025 alone, 2.67 million devices were infected with infostealers, exposing over 204 million credentials. (darknet.org.uk, 2026-03)
- Stolen credential databases are purchased for $1–50 per million records; verified ecommerce accounts with saved payment cards sell for $5–100. (nFlo, 2025-08-16; as-of 2025-08)
r/netsec (89 upvotes, 2025-01) puts 1B+ credential combolists at $50–200 on darknet forums, with residential proxy networks renting for $1–3/GB. "At a 0.1% hit rate on 100M credentials, an attacker gains 100,000 valid accounts — the asymmetry is brutal. Attacks are cheap; defenses are expensive."
A secondary market exists for verified hit lists: 10,000 accounts with active payment methods sell for $500–2,000, and multiple cashers buy the same list, meaning each compromised account may be attacked by different actors. (r/netsec, 29 upvotes, 2025-01)
Why ecommerce is the primary target
Netacea (2025-08-07) identifies ecommerce, travel, food delivery, and media as primary verticals. Attackers seek stored payment methods, addresses, loyalty points, subscription details, and discount codes.
r/fraud (52 upvotes, 2024-12) documents the monetisation hierarchy for fashion retail ATO: loyalty points → gift card conversion is the primary cashout path ("gift cards are hard to trace and can be resold on secondary markets easily"). r/fraud (187 upvotes, 2024-02) confirms: "instant, untraceable, doesn't require intercepting a package."
Dark market pricing (r/fraud, 52 upvotes, 2024-12): retail accounts with stored credit cards: $5–25; loyalty accounts with redeemable points: $2–15 depending on balance.
Fashion retail and ecommerce specifics
r/netsec (67 upvotes, 2025-05) documents an ATO fraud wave specifically hitting fashion retail. Pattern: credential stuffing against loyalty accounts → points/store credit theft → shipping address change → stored card fraud → downstream identity fraud via data exfil.
Dormant account targeting: dormant accounts (not logged in for 6+ months) showed 10× higher compromise rates in one dataset. "Attackers know that dormant account holders won't notice quickly." (r/netsec, 28 upvotes, 2025-05; echoed in r/ecommerce, 32 upvotes)
Speed of monetisation: "From first successful ATO login to loyalty points redemption, we're seeing under 3 minutes in many cases. Clearly automated. Human fraud review can't catch this — you need automated detection on the redemption event itself." (r/netsec, 31 upvotes, 2025-05)
Limited-edition drop targeting: attackers take over accounts specifically to buy limited-release items for resale. "This is different from pure financial fraud — it's more like bot-assisted reselling." (r/netsec, 19 upvotes, 2025-05)
Silent ATO: the attacker logs in, screenshots name, DOB and address for identity fraud purposes; no transaction occurs, so no fraud signal fires. "We only discovered this pattern through device fingerprint analysis showing bot-like behavior on profile pages." (r/fraud, 52-upvote post, confirmed by a synthetic identity fraud specialist, 31 upvotes, 2024-12)
BOPIS-specific ATO: r/fraud (29 upvotes, 2024-09) documents ATO on BOPIS orders: no shipping address change is required, items can be picked up same-day faster than fraud detection responds, high-value fashion/electronics targeted for resale. See also Click and Collect.
Fashion loyalty weakness: "Fashion retail loyalty programs often have weaker controls than financial services." (r/netsec, 67 upvotes, 2025-05)
Why legacy defences fail
Netacea (2025-08-07): traditional controls — CAPTCHA, rate limiting, device fingerprinting, JavaScript-based detection — are no longer sufficient because modern attackers use residential IPs, behaviour-mimicking scripts, and slow-distributed patterns.
- CAPTCHA bypass: CAPTCHA-solving services cost $1–3 per 1,000 solutions, making CAPTCHA an economically negligible barrier. (nFlo, 2025-08-16) r/cybersecurity (28 upvotes, 2025-05) confirms: "2captcha, DeathByCaptcha use human solvers for cents per solve, and AI-based visual solving has improved."
- IP blocking: Residential proxy networks (Bright Data, Oxylabs) route attacks through genuine consumer IPs. "IP reputation lists are basically useless against Bright Data/Oxylabs traffic." (r/netsec, 58 upvotes, 2025-01)
- Rate limiting: attackers evade by slowing down and distributing across proxies. Per-IP rate limiting is specifically defeated by proxy rotation.
r/cybersecurity (31 upvotes, 2025-05): per-account login velocity — failed attempts on the same account regardless of source IP — is "the one control that residential proxy rotation doesn't defeat because the credential is fixed." This is the most durable basic defence.
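To make the distinction concrete, here is an added illustration (not code from the page or from any of the cited threads) of the two counters side by side: one keyed by source IP, one keyed by the target account. The window length, the failure limit, the account name and the proxy IP range are all assumed sample values; the replay shows why rotating IPs defeats the first counter and not the second.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # sliding window length (assumed policy value)
MAX_FAILURES = 5       # failures tolerated per key inside the window (assumed)


class FailedLoginTracker:
    """Sliding-window counter of failed logins keyed by an arbitrary string.

    Instantiated twice below: once keyed by source IP (the per-IP limit that
    proxy rotation defeats) and once keyed by the target account (the
    per-account velocity control that survives rotation, because the
    credential under attack is fixed).
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, key, now):
        q = self._prune(key, now)
        q.append(now)
        return len(q)

    def is_blocked(self, key, now):
        return len(self._prune(key, now)) >= self.limit


# Constructed sample: 20 failed attempts against one account in ten minutes,
# each from a different made-up proxy IP, roughly 30 s apart.
SAMPLE_ATTEMPTS = [
    {"ts": 1_700_000_000 + 30 * i, "account": "alice@example.com",
     "ip": f"203.0.113.{i + 1}", "success": False}
    for i in range(20)
]


def evaluate(attempts, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Replay attempts through both trackers; report the attempt number at
    which each tracker would first block (None if it never does)."""
    per_ip = FailedLoginTracker(window, limit)
    per_account = FailedLoginTracker(window, limit)
    first_ip_block = first_account_block = None
    for n, a in enumerate(attempts, start=1):
        if a["success"]:
            continue
        per_ip.record_failure(a["ip"], a["ts"])
        per_account.record_failure(a["account"], a["ts"])
        if first_ip_block is None and per_ip.is_blocked(a["ip"], a["ts"]):
            first_ip_block = n
        if first_account_block is None and per_account.is_blocked(a["account"], a["ts"]):
            first_account_block = n
    return {"per_ip_blocked_at": first_ip_block,
            "per_account_blocked_at": first_account_block}


if __name__ == "__main__":
    print(evaluate(SAMPLE_ATTEMPTS))
```

In the replay the per-IP counter never fires (every IP contributes one failure) while the per-account counter fires on the fifth attempt. Note that a hard per-account lockout can itself be abused to lock legitimate customers out, which is why the low-cost playbook later on this page phrases the control as "lockout/challenge": on reaching the limit, serve a step-up challenge rather than a permanent block.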
Detection approaches
Signals that work
r/fraud (31 upvotes, 2025-03) documents the most useful detection signals:
- New device/browser fingerprint not previously seen on account
- Login from different geo than usual
- First post-login action being to check balance or access gift cards
- Purchase shipping to a new address
Behavioural biometrics: mouse movement, scroll behaviour, keystroke timing. "Headless browsers can fake a lot, but consistent human-speed typing variation with correct error patterns is hard to replicate across thousands of parallel sessions." (r/netsec, 134 upvotes — originally in Account Takeover Fraud). A device fingerprinting vendor running JS in the browser moved the needle after rate limiting and IP blocking failed; cost ~$2K/month at mid-market traffic volume. (r/cybersecurity, 22 upvotes, 2025-05)
First detection signal in a real incident: a spike in failed logins (3× normal rate) followed by successful logins from new devices. Detection-to-containment: ~6 hours in one documented case. (r/netsec, 56 upvotes, 2025-05)
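The two findings above (the four account-level signals and the failed-login spike followed by new-device successes) can be turned into a small triage pass over an authentication log. The following is an added example, not code from the page or from the cited threads; the log format, the account history and the list of risky first actions are all constructed, and the baseline failure rate is passed in as an assumed value rather than learned.

```python
from collections import Counter

# Constructed sample auth log (not from any real system). Hour 1 is quiet
# baseline traffic; hour 2 holds a failed-login burst from unfamiliar IPs
# followed by two successful logins from never-seen device fingerprints.
SAMPLE_LOG = """\
ts=3600 event=login_fail account=u1 ip=198.51.100.5 fp=fp-a geo=GB
ts=3700 event=login_fail account=u2 ip=198.51.100.6 fp=fp-b geo=GB
ts=3900 event=login_ok account=u1 ip=198.51.100.5 fp=fp-a geo=GB
ts=4000 event=action account=u1 action=view_orders
ts=7300 event=login_fail account=u3 ip=203.0.113.10 fp=fp-x geo=NL
ts=7330 event=login_fail account=u4 ip=203.0.113.11 fp=fp-y geo=NL
ts=7360 event=login_fail account=u5 ip=203.0.113.12 fp=fp-z geo=NL
ts=7390 event=login_fail account=u6 ip=203.0.113.13 fp=fp-q geo=NL
ts=7420 event=login_fail account=u7 ip=203.0.113.14 fp=fp-r geo=NL
ts=7450 event=login_fail account=u8 ip=203.0.113.15 fp=fp-s geo=NL
ts=7480 event=login_fail account=u9 ip=203.0.113.16 fp=fp-t geo=NL
ts=7500 event=login_ok account=u3 ip=203.0.113.17 fp=fp-x geo=NL
ts=7510 event=action account=u3 action=gift_card_balance
ts=7600 event=login_ok account=u4 ip=203.0.113.18 fp=fp-y geo=NL
ts=7610 event=action account=u4 action=add_address
"""

# Constructed account history: fingerprints and home country seen before.
KNOWN_DEVICES = {"u1": {"fp-a"}, "u2": {"fp-b"}, "u3": {"fp-c"}, "u4": {"fp-d"}}
KNOWN_GEO = {"u1": "GB", "u2": "GB", "u3": "GB", "u4": "GB"}
# First post-login actions treated as high-signal (assumed action names).
RISKY_FIRST_ACTIONS = {"gift_card_balance", "loyalty_balance", "add_address"}


def parse_log(text):
    """Parse key=value lines into dicts; ts becomes an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["ts"] = int(ev["ts"])
        events.append(ev)
    return events


def failed_login_spikes(events, baseline_per_hour, factor=3, bucket=3600):
    """Hour buckets whose failed-login count reaches factor x the normal rate."""
    per_bucket = Counter(ev["ts"] // bucket * bucket
                         for ev in events if ev["event"] == "login_fail")
    return sorted((start, n) for start, n in per_bucket.items()
                  if n >= factor * baseline_per_hour)


def score_successful_logins(events, known_devices, known_geo):
    """Attach new-device, new-geo and risky-first-action signals to each
    successful login, keyed by account (the latest login wins)."""
    signals = {}
    awaiting_first_action = set()
    for ev in events:
        acct = ev["account"]
        if ev["event"] == "login_ok":
            s = []
            if ev["fp"] not in known_devices.get(acct, set()):
                s.append("new_device")
            if ev["geo"] != known_geo.get(acct):
                s.append("new_geo")
            signals[acct] = s
            awaiting_first_action.add(acct)
        elif ev["event"] == "action" and acct in awaiting_first_action:
            awaiting_first_action.discard(acct)
            if ev["action"] in RISKY_FIRST_ACTIONS:
                signals[acct].append("risky_first_action")
    return signals


def investigate(text, baseline_per_hour, min_signals=2):
    """Combine the spike detector with the per-login signals."""
    events = parse_log(text)
    spikes = failed_login_spikes(events, baseline_per_hour)
    scored = score_successful_logins(events, KNOWN_DEVICES, KNOWN_GEO)
    flagged = {a: s for a, s in scored.items() if len(s) >= min_signals}
    return {"spikes": spikes, "flagged": flagged}


if __name__ == "__main__":
    print(investigate(SAMPLE_LOG, baseline_per_hour=2))
```

On the sample, hour two is reported as a spike (7 failures against an assumed baseline of 2 per hour), and u3 and u4 are flagged with all three signals while u1's routine login is not. In production the baseline should come from the account's or the site's own history, and the "new device" test should use the fingerprinting vendor's stable identifier rather than a raw string.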
Intervention points
r/fraud (38 upvotes, 2025-03): "The real intervention point is at account changes (new shipping address, email change, stored card added), not at payment — by the time the order is placed and flagged, the fraudster is already gone." Step-up auth on address changes "cut ATO shipping fraud by 60%."
r/fraud (29 upvotes, 2025-03): email change is the highest-risk account modification — it gives the attacker control of the recovery path. Best practice: re-authentication for email changes + 24-hour cooling period before the change takes effect.
Deferred ATO monetisation: "some ATO is not monetized immediately — attackers will take over an account and do nothing for days or weeks, waiting to see if the account gets locked. If not, they proceed." Post-authentication behavioural monitoring matters beyond the login event. (r/fraud, 22 upvotes, 2024-12)
Prevention stack
nFlo (2025-08-16) recommends a multi-layered defence stack:
- Risk-based MFA: triggered only on suspicious logins (not all logins) to protect conversion
- Breach monitoring via HIBP API: proactive forced password resets for accounts in known breach lists; "shrinks the pool of vulnerable accounts" (r/cybersecurity, 17 upvotes; r/ecommerce, 29 upvotes)
- WAF with anti-bot module
- Advanced rate limiting: device fingerprint + ASN + behavioural patterns (not IP alone)
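The "breach monitoring via HIBP API" bullet can be exercised without ever sending a password off-site. The block below is an added example (not the page's or nFlo's code) of the HIBP Pwned Passwords range endpoint, which takes only the first five hex characters of the password's SHA-1 and returns every known suffix under that prefix, so the match is made locally; the breached-account endpoint, which needs an API key, is not shown. The fixture response, the weak password and the exposure count are constructed for the offline run.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint: only the 5-char SHA-1 prefix is
# sent; the response lists every suffix sharing that prefix with a count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Padded responses (Add-Padding header) include zero-count rows; they
    parse the same way and simply never match a real exposure.
    """
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password, range_text):
    """How often this exact password appears in the range response (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix, timeout=5):
    """Live lookup over the network; Add-Padding hides the true row count."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def decide_at_login(password, lookup=fetch_range, threshold=1):
    """Policy hook for the login or password-set handler.

    Returns ('ok', n) or ('force_reset', n). `lookup` maps a prefix to range
    text so the decision can be exercised offline with a constructed response.
    The plaintext only exists in memory here; nothing is stored.
    """
    prefix, _ = sha1_prefix_suffix(password)
    n = exposure_count(password, lookup(prefix))
    return ("force_reset", n) if n >= threshold else ("ok", n)


# Constructed offline fixture: the suffix of a made-up weak password with a
# fabricated count, between two obviously fake rows shaped like the real API.
WEAK_PASSWORD = "constructed-weak-pw"
_, _WEAK_SUFFIX = sha1_prefix_suffix(WEAK_PASSWORD)
SAMPLE_RANGE = ("0" * 34 + "1:3\n"
                f"{_WEAK_SUFFIX}:4521\n"
                "0" * 34 + "2:0\n")


def offline_lookup(prefix):
    return SAMPLE_RANGE


if __name__ == "__main__":
    print(decide_at_login(WEAK_PASSWORD, lookup=offline_lookup))
    print(decide_at_login("a-different-constructed-pw", lookup=offline_lookup))
```

Run the check where the submitted password is briefly available in plaintext (login, registration, password change), and route a hit into the same forced-reset flow the thread describes; a threshold above 1 trades a little coverage for fewer resets on rarely-seen passwords.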
Low-cost playbook that reduced ATO incidents by ~80% (r/ecommerce UK retailer, 52 upvotes, 2025-05):
- Account-level failed login lockout/challenge (not IP-based)
- MFA prompt for high-risk actions (new payment method, new shipping address, points redemption)
- Email alerts for new device logins
Loyalty-specific controls:
- Step-up auth for points redemption above threshold + verification for points transfer → "reduced points fraud by ~70%." (r/fraud, 24 upvotes, 2024-12)
- Per-account redemption velocity limit (max X points redeemable per 24 hours) as "blast radius control." (r/ecommerce, 28 upvotes, 2025-04)
- Forced password resets on dormant accounts (12+ months inactive) — fastest immediate triage. (r/ecommerce, 54 upvotes, 2025-04)
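The intervention-point advice earlier on this page (step-up on account changes, re-authentication plus a 24-hour cooling period for email changes) and the loyalty controls just listed (step-up above a redemption threshold, a per-account 24-hour redemption cap as blast-radius control) fit in one policy object. What follows is an added example, not code from the page or the cited threads; the step-up threshold and the daily cap stand in for the thread's unspecified "X", and the action names are assumed.

```python
from collections import defaultdict, deque

COOLING_PERIOD = 24 * 3600          # email change takes effect after 24 h (from the thread)
REDEMPTION_STEP_UP_POINTS = 5_000   # assumed: redemptions at or above this need step-up
REDEMPTION_DAILY_CAP = 10_000       # assumed value for the thread's "max X points per 24 hours"
STEP_UP_ACTIONS = {"add_payment_method", "add_shipping_address", "change_email"}


class AccountChangePolicy:
    """Defender-side gate for the high-risk account changes the threads name."""

    def __init__(self):
        self.pending_email = {}                # account -> (new_email, effective_at)
        self.redemptions = defaultdict(deque)  # account -> deque of (ts, points)

    def needs_step_up(self, action, points=0):
        """Generic gate: account changes always; redemptions above threshold."""
        if action in STEP_UP_ACTIONS:
            return True
        return action == "redeem_points" and points >= REDEMPTION_STEP_UP_POINTS

    # --- email change: re-authentication, then a cooling period ----------
    def request_email_change(self, account, new_email, reauthenticated, now):
        if not reauthenticated:
            return {"status": "step_up_required"}
        effective_at = now + COOLING_PERIOD
        self.pending_email[account] = (new_email, effective_at)
        # A real flow notifies the OLD address here with a cancel link, which
        # is what gives the legitimate owner a chance to stop the takeover.
        return {"status": "pending", "effective_at": effective_at}

    def cancel_email_change(self, account):
        """Owner (via the old address) cancels; True if something was pending."""
        return self.pending_email.pop(account, None) is not None

    def effective_email(self, account, current_email, now):
        """Recovery path still points at the old address until the period ends."""
        pending = self.pending_email.get(account)
        if pending and now >= pending[1]:
            return pending[0]
        return current_email

    # --- loyalty redemption: step-up above threshold + 24 h velocity cap ---
    def redeem_points(self, account, points, reauthenticated, now):
        q = self.redemptions[account]
        while q and now - q[0][0] >= COOLING_PERIOD:   # drop events older than 24 h
            q.popleft()
        used = sum(p for _, p in q)
        if used + points > REDEMPTION_DAILY_CAP:
            return {"status": "denied", "reason": "daily_cap", "used_24h": used}
        if self.needs_step_up("redeem_points", points) and not reauthenticated:
            return {"status": "step_up_required"}
        q.append((now, points))
        return {"status": "ok", "used_24h": used + points}


if __name__ == "__main__":
    policy = AccountChangePolicy()
    print(policy.request_email_change("acct-1", "new@example.com", False, now=0))
    print(policy.request_email_change("acct-1", "new@example.com", True, now=0))
    print(policy.effective_email("acct-1", "old@example.com", now=1_000))
    print(policy.redeem_points("acct-1", 6_000, reauthenticated=False, now=10))
```

The cap is deliberately checked before the step-up decision: a cap hit is a hard stop regardless of authentication strength, which is the "blast radius" property the thread wants, while the step-up only raises the cost of the redemption itself.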
Bot management vendor landscape (as-of 2026)
r/cybersecurity (27-upvote evaluation post, 2026-06) vendor ranking:
| Vendor | Positioning | Practitioner notes |
|---|---|---|
| F5 (Shape Security) | Enterprise; best for sophisticated attacks | Highest capability ceiling |
| Akamai | Enterprise; differentiated good-bot vs bad-bot policies | SOTI reports as primary benchmark |
| HUMAN Security | Enterprise; Forrester Leader Q2 2026, 5/5 in 9 criteria | Cross-client signal from 1 quadrillion+ interactions (as-of 2026) |
| Netacea | Enterprise; server-side intent analysis | Agentless; 3,000+ attacker community monitoring |
| Cloudflare Bot Management | Mid-market best value | "Attackers have evasion configs specific to Cloudflare because so many sites use it" (r/ecommerce, 38 upvotes) |
| Arkose Labs | Interactive 3D challenges | ~8% legitimate user drop in completion rate — "good if fraud loss exceeds conversion loss" |
| DataDome / PerimeterX | Mid-market | Solid options; no deep practitioner comparisons found |
Cloudflare effectiveness debate: r/cybersecurity (21 upvotes, 2026-06) ranks Cloudflare as "best value for mid-market." r/ecommerce (38 upvotes) warns attackers have specific Cloudflare evasion configs precisely because so many sites use it. Cross-client signal advantage of enterprise platforms (HUMAN/F5/Akamai) may be the genuine differentiator.
r/netsec (25 upvotes, 2025-01): "Enterprise platforms have cross-client signal that an individual company can't build — patterns visible across billions of logins identify bot fingerprints invisible at any one site."
Sub-$500/month gap: no community consensus on a truly effective solution below ~$500/month. Cloudflare Bot Fight Mode free tier is mentioned but effectiveness disputed. Enterprise platforms out of reach for most SMBs. (r/ecommerce, 49 upvotes, 2025-01)
Structural fix: Passkeys / passwordless
MojoAuth (2026-03-04): retail platforms are moving toward passwordless authentication architectures (passkeys (WebAuthn), magic links, OTPs) as structural defences — removing stored passwords eliminates the attack surface credential stuffing depends on.
r/shopify (33 upvotes, 2024-12): enabling passwordless/magic-link login was "the single biggest win — can't stuff credentials if there are no passwords."
Passkeys adoption timeline: r/netsec identity engineer (44 upvotes, 2024-08) puts meaningful ecommerce passkey adoption at "3–5 years out minimum" due to platform stack compatibility — most ecommerce platforms have passkey support in beta or not at all. r/netsec advocate (31 upvotes, same thread) argues hybrid strategy adds value now even at 30% adoption.
Critical passkey limitation: passkeys do not protect against Infostealer Malware stealing active session cookies — "even if you have passkeys for login, if the attacker has your session cookie, they bypass authentication entirely." (r/netsec, 33 upvotes, 2024-08)
MFA sufficiency: r/cybersecurity (34 upvotes, 2025-05) treats MFA as "the single most effective immediate control" for credential stuffing. r/cybersecurity FIDO analyst (18 upvotes, 2026-06) argues TOTP-based MFA is already being bypassed via AiTM (adversary-in-the-middle) phishing kits in real time — "only FIDO2/WebAuthn is truly phishing and stuffing resistant."
Emerging threat: Infostealer / session hijacking
r/netsec (78 upvotes, 2025-04) flags a growing adjacent attack vector: infostealer malware (Redline, Vidar, Raccoon, LummaC2) harvesting active browser session tokens rather than passwords. Session tokens bypass MFA because the session is already authenticated. Retail sites with 30–90 day session lifetimes give attackers a wide window post-compromise. See Infostealer Malware and Session Hijacking.
HUMAN Security (2026): agentic AI traffic grew 7,851% year-over-year in 2025, blurring the line between legitimate automation and fraud — creating new classification challenges, as AI agents transacting on the open web are structurally similar to credential stuffing bots.
GDPR and regulatory implications
r/netsec UK retailer (44 upvotes, 2024-10): a DPO confirmed that credential stuffing ATO counts as a GDPR personal data breach — "unauthorised access to personal data (name, address, order history, payment method indicators) constitutes a breach even if the credentials came from elsewhere" — with 72-hour DPA notification required and customer notification required if payment data was accessed. (as-of 2024-10)
MojoAuth (2026-03-04): GDPR (up to 4% of annual turnover fines) and rising chargeback regulation are increasing compliance pressure on retail platforms to invest in authentication security.
Operational impact
r/cybersecurity CX lead (19 upvotes, 2025-05): "The reputational damage from a slow response is often worse than the fraud itself. We had an ATO incident and our NPS dropped significantly because customers felt we were slow to communicate."
r/ecommerce CS lead (27 upvotes, 2025-05): "Your CS team gets buried in account recovery requests. Build account recovery flows before you get hit, not after."
Netacea (2025-08-07) documents one client losing >10% of revenue to credential-stuffing-related fraud; blocking 650,000 credential stuffing attempts per week reduced monthly loyalty fraud by £1.4M. (vendor case study)
nFlo (2025-08-16): up to 90% of login attempts on targeted ecommerce platforms may be bot traffic, creating infrastructure overload costs independent of fraud losses.
Key terms
| Term | Meaning |
|---|---|
| Combolist | Database of stolen username-password pairs used as attack ammunition |
| Credential washing | Netacea's term for the full cycle: breach → test → hit list → monetise → refine |
| Hit list | Output of a credential stuffing run: accounts where credentials validated |
| Checker | Actor in the supply chain who runs stuffing tools to convert combolists into hit lists |
| Casher | Actor who monetises validated accounts (gift card drain, loyalty fraud, resale) |
| Residential proxy | IP address from a real consumer device, rented to route attack traffic through genuine IPs |
| AiTM | Adversary-in-the-Middle attack: real-time phishing that intercepts MFA codes |
| HIBP | Have I Been Pwned — free breach monitoring API for checking credential exposure |
Benchmarks (as-of 2025–2026)
| Metric | Figure | Source |
|---|---|---|
| Global stuffing attempts 2025 | 193B+ | nFlo 2025-08-16 (no primary cited; directional) |
| Ecommerce share of stuffing attacks | ~40% | nFlo 2025-08-16 |
| YoY volume growth (consumer login endpoints) | 148% | Security Boulevard 2026-05 |
| Consumer password reuse rate | 65% | SpyCloud 2026 via deepstrike.io |
| MOAB credentials (Jun 2025) | 16B pairs | Netacea 2025-08-07 |
| Ecommerce ATO rate vs cross-industry avg | 3.4× higher | Security Boulevard 2026-05 |
| Automation growth vs human web traffic | 8× faster | HUMAN Security 2026 |
| Time from ATO login to loyalty drain | <3 minutes | r/netsec 31 upvotes 2025-05 |
| Dormant account compromise rate | 10× higher | r/netsec 28 upvotes 2025-05 |
| 2FA adoption on ecommerce platforms | 13% | Sift Q2 2025 (via Account Takeover Fraud) |
What practitioners report
- Per-account login velocity tracking (not IP-based rate limiting) is the most durable basic control
- Behavioural biometrics provides the highest-signal passive defence for bot vs human distinction
- Email address change is the highest-risk account modification; requires step-up auth + cooling period
- Loyalty programmes are systematically targeted; points redemption velocity limits reduce blast radius
- Dormant account (12+ months) proactive password resets are fastest immediate triage
- Build account recovery flows before an incident — CS burden during an ATO wave is severe
- Enterprise bot management platforms provide cross-client signal unavailable to individual retailers
- Passkeys eliminate the credential stuffing attack surface but are 3–5 years from meaningful ecommerce adoption
- Infostealer session hijacking is an adjacent and growing vector passkeys alone don't address