Credential stuffing attacks are on the rise
In John Carpenter’s 1982 film The Thing, a shape-shifting alien infiltrates a remote Antarctic research station by posing as something familiar and trustworthy, something the organization willingly let in. The parallel between this and modern cyberattacks is not subtle.
Attackers no longer need to break through perimeter defenses. They simply log in and start “credential stuffing”—a method of attack that uses lists of compromised user credentials to breach a system. A credential stuffing attack uses bots for automation and scale, assuming that many users recycle their usernames and passwords across multiple services and platforms.1
Constella Intelligence’s 2025 Identity Breach Report, analyzing more than 219,000 breach events and 107 billion exposed records, concluded that credential theft now powers most major breaches.2 IBM’s 2025 Cost of a Data Breach Report corroborates this. More than 80 percent of breaches involve credential compromise, yet most organizations detect this only after significant damage is done.3
The root cause is not a single vulnerability, but instead a systemic failure in how identities are created, managed, and retired. Three converging trends have exacerbated this:
- Ungoverned identity sprawl across cloud and software as a service (SaaS) environments. Recent research found that ungoverned permissions rose from 5 percent to 28 percent of enterprise permissions in a single year.4
- An explosion of non-human identities (service accounts, application programming interface [API] keys, and automation credentials) that now outnumber human accounts by more than 80 to 1, most carrying privileged access with no multi-factor authentication (MFA) and static long-lived credentials.5
- Persistent authentication coverage gaps, with 13 percent of enterprise users still lacking MFA entirely in 2025, and many relying on short message service (SMS)-based methods that modern attack toolkits defeat trivially.
How identity weaknesses translate to credential theft
The pattern of how attackers exploit identity weaknesses is consistent and recognizable. In virtually every major credential compromise breach, the attacker succeeded because a fundamental identity control was absent, misconfigured, or unevenly applied.
Three examples drawn from recent incidents illustrate how a credential stuffing attack plays out in practice.
| Attack Method | Identity Weakness Exploited | Real-World Example |
|---|---|---|
| Password spraying: Automated tools test a small number of common passwords across thousands of accounts, staying below lockout thresholds | Absent or legacy multi-factor authentication; reused or weak passwords | City of Atlanta SamSam ransomware outbreak;6 IRGC-linked campaigns targeting water utilities and state, local, tribal, and territorial government |
| MFA fatigue and method hijacking: Attackers flood users with push-notification approvals until one is accepted, then register their own device as a trusted authentication method | Push-based MFA without number-matching; no controls on who can register new authentication devices | Uber breach (2022);7 Scattered Spider campaigns against commercial and government targets |
| Stolen session tokens and cloud account takeover: Attackers intercept authentication tokens to bypass MFA entirely, then move laterally through cloud services using valid credentials | Inconsistent conditional access policies; unmonitored service accounts; legacy authentication endpoints left active | SolarWinds/APT29 campaign affecting dozens of federal and SLTT government organizations8 |
The commonality across all three scenarios is clear: a gap in identity governance created an opening that a patient, systematic attacker was able to find and exploit. The MITRE ATT&CK9 framework catalogs dozens of additional techniques in this space, and the threat landscape continues to evolve as artificial intelligence (AI) lowers the cost and skill threshold for executing these attacks.
Mapping your organization’s specific environment against the full range of relevant techniques (and understanding which ones your current controls do and do not address) should be a standing component of your vulnerability and threat analysis program.
How AI has accelerated credential stuffing attacks
AI has fundamentally changed the economics of the credential stuffing attack in three ways that matter to leadership. AI has:
- Dramatically lowered the skill threshold; attacks that previously required experienced threat actors now require commodity toolkits available to anyone.
- Collapsed the time required; campaigns that once took days of preparation now execute in minutes.
- Made attacks harder to recognize; AI-generated phishing emails, voice clones, and video impersonations are increasingly indistinguishable from legitimate communications.
User awareness training and signature-based email security tools were designed for a different threat environment, and are still necessary but insufficient by themselves. The organizations closing this gap are those that have paired strong identity controls (phishing-resistant authentication, strict conditional access, governed non-human identities) with credential theft detection capabilities that look for behavioral anomalies rather than known attack signatures.
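The table above notes that password spraying stays below per-account lockout thresholds, and this section argues for detection based on behavioral anomalies rather than signatures. The following is an added illustration (not code from the original article or from CAI) of why a per-account lockout misses a spray while a per-source breadth check catches it; the log events and IP addresses are constructed, and the lockout and detection thresholds are assumed policy values.

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs). Each tuple is
# (source_ip, username, outcome). 203.0.113.5 plays a spray source: one
# failure against each of 12 accounts, then a success on one of them.
# 198.51.100.7 is a legitimate user mistyping a password. Both addresses
# are from documentation ranges.
EVENTS = (
    [("203.0.113.5", f"user{i:02d}", "fail") for i in range(12)]
    + [("203.0.113.5", "user07", "success")]
    + [("198.51.100.7", "alice", "fail")] * 3
    + [("198.51.100.7", "alice", "success")]
)

LOCKOUT_THRESHOLD = 5  # assumed per-account lockout policy (failures per account)


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a classic per-account lockout would trip on. A spray that
    sends one or two guesses per account never reaches this number."""
    failures = defaultdict(int)
    for _ip, user, outcome in events:
        if outcome == "fail":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def spray_sources(events, min_accounts=10, max_failures_per_account=2):
    """Sources that fail against many distinct accounts while staying under
    the lockout threshold on each one: the password-spray profile that a
    per-account control cannot see but a per-source breadth check can."""
    per_source = defaultdict(lambda: defaultdict(int))
    for ip, user, outcome in events:
        if outcome == "fail":
            per_source[ip][user] += 1
    return sorted(
        ip for ip, accts in per_source.items()
        if len(accts) >= min_accounts and max(accts.values()) <= max_failures_per_account
    )


def suspect_logins(events):
    """(source, account) pairs where a success follows a spray from that
    source; these are the sessions to step up or revoke and investigate."""
    flagged = set(spray_sources(events))
    return sorted({(ip, user) for ip, user, outcome in events
                   if outcome == "success" and ip in flagged})


if __name__ == "__main__":
    print("lockout would catch:", locked_accounts(EVENTS))   # []
    print("spray sources:", spray_sources(EVENTS))           # ['203.0.113.5']
    print("suspect logins:", suspect_logins(EVENTS))         # [('203.0.113.5', 'user07')]
```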
What industry frameworks tell us to do about credential compromise
Addressing the risks of credential compromise requires more than patching individual vulnerabilities. It demands a structured, governance-driven approach that spans multiple factors. Most importantly, this approach requires a shift in how identities are created, managed, monitored, and retired across the entire organization.
Three of the most widely adopted cybersecurity frameworks—NIST CSF 2.0, NIST SP 800-53 Rev 5, and CIS Controls v8—converge on the same fundamental requirements for identity security. These three frameworks provide organizations with a clear and authoritative foundation for building or maturing their programs.
- NIST CSF 2.0: Elevates identity management and access control as a foundational protective function, requiring organizations to govern the full lifecycle of both human and non-human identities (from credential issuance through decommissioning) and to enforce phishing-resistant authentication as a baseline, not an advanced option.
- NIST SP 800-53 Rev 5: Provides the technical control baseline used across federal and state and local government environments. Its identity and access control families require MFA for all account types, strict management of authenticator credentials (including elimination of default passwords in operational technology environments), and enforced limits on failed login attempts to counter automated spray attacks.
- CIS Controls v8: Offers the most actionable entry point for organizations at any maturity level. Controls 5 and 6 address the complete identity risk lifecycle, which includes unique credentials, elimination of defaults, restriction of administrative privileges, universal MFA, and centralized access governance. Critically, the most foundational safeguards are classified as basic maturity requirements, meaning there is no defensible reason for any organization to remain exposed to the attack patterns described in this article.
These frameworks are complementary lenses on the same problem, and alignment with all three is both achievable and expected by regulators, auditors, and insurers in most sectors. Organizations that have not yet conducted a structured assessment against these frameworks are carrying risk of credential compromise they have not measured and cannot effectively manage.
Actions for security and GRC leaders to prevent credential theft
- Conduct a structured cybersecurity risk assessment. Use a combination of technical assessments, vulnerability scanning, penetration testing, and framework-based risk assessments. This will provide the clearest picture of where identity gaps exist and how mature your credential theft prevention controls are.
- Deploy phishing-resistant MFA universally. Fast Identity Online 2 (FIDO2) passkeys and personal identity verification (PIV)-backed public key infrastructure (PKI) are the only authentication methods that defeat both MFA fatigue and adversary-in-the-middle proxy attacks. Extend these protections to all privileged access paths, including service accounts and non-human identities.
- Enumerate and govern non-human identities. Conduct a full inventory of service accounts, API keys, Open Authorization (OAuth) tokens, and automation credentials. Apply the same lifecycle governance used for human identities: least privilege, rotation, logging, and decommissioning. Any unmanaged machine identity is a potential active threat for credential theft or a credential stuffing attack.
- Eliminate legacy authentication pathways. Basic authentication, New Technology LAN Manager (NTLM), and older federation paths bypass modern conditional access controls entirely. Auditing and disabling these endpoints is one of the highest-return, lowest-cost improvements available.
- Validate operational technology and vendor remote access. Confirm that no operational technology management interface is reachable from the internet, and enforce jump-host and allowlist models for all vendor remote access. Default credentials in operational environments remain a primary vector for critical infrastructure attacks.
- Invest in continuous security awareness. Training and testing that go beyond annual policy reviews and periodic phishing simulations (reinforced through routine team interactions and modeled by executive leadership) are a force multiplier for every technical control in this list.
Identity is the new perimeter
The convergence of identity sprawl, inconsistent authentication controls, and AI-powered attack automation has made credential compromise the defining security challenge of the current threat environment. The most consequential credential stuffing attacks of the past two years share a common root cause: an attacker obtained valid credentials and used them to move undetected through systems designed to stop outsiders, not insiders.
The frameworks are clear, the attack patterns are documented, and the controls are well understood. The question for leadership is not whether to invest in identity security (the cost of inaction is measured in breach costs, operational downtime, and reputational harm) but how quickly to close the gaps that attackers are already exploiting.
CAI’s cybersecurity practice works with state and local governments, utilities, and commercial organizations to assess identity maturity, implement phishing-resistant authentication programs, prevent credential theft, conduct identity-focused GRC assessments, and develop the detection and response capabilities needed to identify and contain identity-based attacks.
Endnotes
- “Credential Stuffing.” Imperva. https://www.imperva.com/learn/application-security/credential-stuffing/.
- “2025 Identity Breach Report: Mapping the Evolving Identity Attack Surface.” Constella. https://constella.ai/reports/2025-identity-breach-report/.
- “Cost of a Data Breach Report 2025.” IBM. https://www.ibm.com/reports/data-breach.
- “2026 State of Identity & Access Report.” Veza (from ServiceNow). https://veza.com/resources/stateofaccess/.
- “2025 Identity Security Landscape: Perspectives on Risk and Readiness from Security Leaders.” CyberArk. https://www.cyberark.com/resources/ebooks/2025-identity-security-landscape.
- Kelli Young. “Cyber Case Study: City of Atlanta Ransomware Incident.” September 20, 2021. https://coverlink.com/case-study/city-of-atlanta-ransomware/.
- Edward Kost. “What Caused the Uber Data Breach in 2022?” UpGuard. December 1, 2025. https://www.upguard.com/blog/what-caused-the-uber-data-breach.
- Robert K. Knake. “Why the SolarWinds Hack Is a Wake-Up Call.” Council on Foreign Relations. March 9, 2021. https://www.cfr.org/articles/why-solarwinds-hack-wake-call.
- MITRE ATT&CK. https://attack.mitre.org/.