Credential stuffing sounds simple: attackers test stolen usernames and passwords across sites to see what works. After the hype and complexity of vulnerabilities like Heartbleed and Spectre, password reuse seems easy to dismiss. This has caused credential stuffing to become the most underrated attack of the 2010s and it hints at the future of application level attacks.
This class of attacks remained largely unchanged for years. There was no reason to change, they weren’t blocked. As adversity increased, attackers started to iterate faster, now bypassing defenses in a matter of months or even weeks. Dozens of companies, large and small, have tried to block credential stuffing attacks. Not a single, widely deployable defense – nothing – has seen lasting success without needing to evolve at the same speed.